Detect dependencies from build.gradle files #2822
Conversation
There was a problem hiding this comment.
Thanks for this. I thinks its going to be useful. I can foresee some problems with this:
-
we need tests with some example files, to see what works exactly. I can provide some twisted examples from my twisted kotlin dev collegues :)
-
build.gradle can be either groovy or kotlin.
-
those are programmation langage so developers are factorizing deps, so for me it just unreliable to just parse the file, you have to execute it.
-
gradle is supporting transiant dependencies. So build.gradle only contains rank 1 deps.
-
ort, whitesource do run gradle to work. this is painful as you have to provision your build container with your build toolchain and the scanner toolchain
For those reason I advise my devs to use lockfiles like nebula.
Not all of them have made the switch so this will certainly be useful.
src/packagedcode/build.py
Outdated
| from packageurl import PackageURL | ||
| from pygments import highlight | ||
| from pygments.formatter import Formatter | ||
| from pygments.lexers import GroovyLexer |
There was a problem hiding this comment.
interresting use of pygments :)
There was a problem hiding this comment.
@tardyp the idea of https://github.com/nexB/pygmars/ is to be used in tandem with pygments to create quickly some lightweight parsers for programming languages.
This is used for instance to lex bash in https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/bashlex.py and parse it in https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/bashparse.py
In this case this is used to enable lightweight Bash parameter extension to parse the Apkbuild scripts from Alpine Linux (to collect metadata) in https://github.com/nexB/scancode-toolkit/blob/9ed2cb4e78a8b1b138bcb201f50203b43098febb/src/packagedcode/alpine.py#L161
The same approach will be used whenever there is a need to parse code to extract structured data as this is easier to read and maintain than a bunch of regex. The upcoming Yocto/Bitbake support likely can benefit from some of it too... and we should be able to parse also Autotools scripts that contain interesting metadata.
There was a problem hiding this comment.
Note that this is not perfect... and still only static. Next up will be to enable dependency resolution on the deps collected (which may require some live network access ... but this will be an option with proxy support for airgapped envt. ;) )
* Create parser for dependency info from build.gradle files Signed-off-by: Jono Yang <jyang@nexb.com>
* Move build.gradle parsing code to new source file
* Create tests for build.gradle parsing
Signed-off-by: Jono Yang <jyang@nexb.com>
JonoYang
force-pushed
the
detect-build-gradle
branch
from
bc9772b
to
dbef133
Compare
|
@tardyp Some more thoughts in reply to your insightful comments:
This would be great if you can attach these.
This is may work also with kotlin, but the devils is in the details.
yeah, that's the problem with these executable scripts....
So the plan here would be to:
This is not going to be a perfect solution in all cases.
which would be super useful to have as a parser and having some test files would be super useful too. Do you think nebula is the most common one? Any other common lockfile format otherwise? |
|
See also #2761 |
|
I am keeping #793 (comment) open until we have explicit tests for Kotlin |
FWIW, we do have some nebula support code, and we do need to find some slot in our agenda to upstream it :-} for the rest, sounds like a plan! |
Awesome... I look forward to it! |
Signed-off-by: Jono Yang jyang@nexb.com