feat: add support for gradle.lockfile #2759
@@ -0,0 +1,48 @@ | ||
package gradle | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"path/filepath" | ||
"strings" | ||
|
||
"github.com/aquasecurity/go-dep-parser/pkg/gradle/lockfile" | ||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer" | ||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language" | ||
"github.com/aquasecurity/trivy/pkg/fanal/types" | ||
|
||
"golang.org/x/xerrors" | ||
) | ||
|
||
func init() { | ||
analyzer.RegisterAnalyzer(&gradleLockAnalyzer{}) | ||
} | ||
|
||
const ( | ||
version = 1 | ||
fileNameSuffix = "gradle.lockfile" | ||
) | ||
|
||
// gradleLockAnalyzer analyzes '*gradle.lockfile' | ||
type gradleLockAnalyzer struct{} | ||
|
||
func (a gradleLockAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { | ||
p := lockfile.NewParser() | ||
res, err := language.Analyze(types.GradleLock, input.FilePath, input.Content, p) | ||
if err != nil { | ||
return nil, xerrors.Errorf("%s parse error: %w", input.FilePath, err) | ||
} | ||
return res, nil | ||
} | ||
|
||
func (a gradleLockAnalyzer) Required(filePath string, _ os.FileInfo) bool { | ||
return strings.HasSuffix(filepath.Base(filePath), fileNameSuffix) | ||
Yes. But all language analyzers use
I meant that we don't need to call
You are right. Looks like an extra step.
||
} | ||
|
||
func (a gradleLockAnalyzer) Type() analyzer.Type { | ||
return analyzer.TypeGradleLock | ||
} | ||
|
||
func (a gradleLockAnalyzer) Version() int { | ||
return version | ||
} |
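Review bot: None of the four methods on gradleLockAnalyzer has a doc comment, so a reader must open the test file to learn that Required accepts any basename ending in "gradle.lockfile", including Gradle's per-settings variants such as settings-gradle.lockfile. Add `// Required reports whether filePath ends in fileNameSuffix; this also matches variants such as "settings-gradle.lockfile".` above Required, and one-line comments on Analyze, Type and Version, with Analyze's noting that it delegates parsing to lockfile.NewParser via language.Analyze and wraps any error with the file path. The receiver name `a` is unused in every method and can be dropped (`func (gradleLockAnalyzer) Type() analyzer.Type {`), which keeps the value-receiver style already chosen here.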
@@ -0,0 +1,90 @@ | ||
package gradle | ||
|
||
import ( | ||
"os" | ||
"testing" | ||
|
||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer" | ||
"github.com/aquasecurity/trivy/pkg/fanal/types" | ||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func Test_gradleLockAnalyzer_Analyze(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
inputFile string | ||
want *analyzer.AnalysisResult | ||
}{ | ||
{ | ||
name: "happy path", | ||
inputFile: "testdata/happy.lockfile", | ||
want: &analyzer.AnalysisResult{ | ||
Applications: []types.Application{ | ||
{ | ||
Type: types.GradleLock, | ||
FilePath: "testdata/happy.lockfile", | ||
Libraries: []types.Package{ | ||
{ | ||
Name: "com.example:example", | ||
Version: "0.0.1", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
name: "empty file", | ||
inputFile: "testdata/empty.lockfile", | ||
}, | ||
} | ||
|
||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
f, err := os.Open(tt.inputFile) | ||
require.NoError(t, err) | ||
defer f.Close() | ||
|
||
a := gradleLockAnalyzer{} | ||
got, err := a.Analyze(nil, analyzer.AnalysisInput{ | ||
FilePath: tt.inputFile, | ||
Content: f, | ||
}) | ||
|
||
assert.NoError(t, err) | ||
assert.Equal(t, tt.want, got) | ||
}) | ||
} | ||
} | ||
|
||
func Test_nugetLibraryAnalyzer_Required(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
filePath string | ||
want bool | ||
}{ | ||
{ | ||
name: "default name", | ||
filePath: "test/gradle.lockfile", | ||
want: true, | ||
}, | ||
{ | ||
name: "name with prefix", | ||
filePath: "test/settings-gradle.lockfile", | ||
want: true, | ||
}, | ||
{ | ||
name: "zip", | ||
filePath: "test.zip", | ||
want: false, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
a := gradleLockAnalyzer{} | ||
got := a.Required(tt.filePath, nil) | ||
assert.Equal(t, tt.want, got) | ||
}) | ||
} | ||
} |
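Review bot: Test_nugetLibraryAnalyzer_Required is a copy-paste name from another analyzer's tests and should read `func Test_gradleLockAnalyzer_Required(t *testing.T) {`, so that `go test -run gradleLock` selects both cases for this analyzer and a failure is attributed to the right code. In Test_gradleLockAnalyzer_Analyze the call `got, err := a.Analyze(nil, analyzer.AnalysisInput{` passes a nil context; the analyzer discards it today, but `context.Background()` (with "context" added to the imports) keeps the test valid if the parser ever starts honouring cancellation. The happy-path fixture covers a single dependency only; if lockfile.NewParser rejects malformed lines, a fixture exercising that would also pin the `%s parse error` wrapping in Analyze.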
@@ -0,0 +1,4 @@ | ||
# This is a Gradle generated file for dependency locking. | ||
# Manual edits can break the build and are not advised. | ||
# This file is expected to be part of source control. | ||
empty= |
@@ -0,0 +1,5 @@ | ||
# This is a Gradle generated file for dependency locking. | ||
# Manual edits can break the build and are not advised. | ||
# This file is expected to be part of source control. | ||
com.example:example:0.0.1=classpath | ||
empty= |
@@ -28,7 +28,7 @@ func Test_rustBinaryLibraryAnalyzer_Analyze(t *testing.T) { | |
FilePath: "testdata/executable_rust", | ||
Libraries: []types.Package{ | ||
{Name: "crate_with_features", Version: "0.1.0"}, | ||
{Name: "library_crate", Version: "0.1.0"}, | ||
{Name: "library_crate", Version: "0.1.0", Indirect: true}, | ||
Why was this done in this PR?
Removed
||
}, | ||
}, | ||
}, | ||
|
@@ -23,6 +23,7 @@ const ( | |||||
Pnpm = "pnpm" | ||||||
Jar = "jar" | ||||||
Pom = "pom" | ||||||
GradleLock = "gradle-lock" | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think Gradle is enough. Other languages don't mention if it is a lock file.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done |
||||||
GoBinary = "gobinary" | ||||||
GoModule = "gomod" | ||||||
JavaScript = "javascript" | ||||||
|
I can see on GitHub that users have lock files with other names. Is that ok?
It is the suffix of the filename.
If I understand correctly, we only need to check this suffix.
trivy/pkg/fanal/analyzer/language/java/gradle/lockfile.go
Line 39 in 6dda1d0