Skip to content

Commit

Permalink
feat: support parsing gradle/verification-metadata.xml (#943)
Browse files Browse the repository at this point in the history 
This adds support for parsing `gradle/verification-metadata.xml` files -
since this seems to be like an actual lockfile it's very
straightforward: we just parse the file as XML and extract out the name
+ version of "component".

The interesting part of this is that unlike other project-relative
lockfiles this file currently must exist in the `gradle` directory which
raises questions about how `--recursive` comes into play previously we'd
not enabled APK and DPKG checking by default but I feel that was more
because they were absolute paths and so didn't make sense to do when
people were scanning in "project mode".

For now I've just taken the simple route of making the file
`gradle/verification-metadata.xml` since that does just work (except for
the "find parser" flow which checks against `path.Base` so that has the
`gradle` omitted).

Resolves #915
  • Loading branch information
@G-Rath
G-Rath authored May 23, 2024
1 parent ffdda1e commit e6b3fd4
Show file tree
Hide file tree
Showing 13 changed files with 1,381 additions and 33 deletions.
26 changes: 13 additions & 13 deletions docs/supported_languages_and_lockfiles.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,19 +22,19 @@ nav_order: 2

A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).

| Language | Compatible Lockfile(s) |
| :--------- | :----------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |
| Language | Compatible Lockfile(s) |
| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |

## Alpine Package Keeper and Debian Package Keeper

Expand Down
4 changes: 2 additions & 2 deletions pkg/lockfile/ecosystems_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,9 @@ func TestKnownEcosystems(t *testing.T) {

// - npm, yarn, and pnpm,
// - pip, poetry, pdm and pipenv,
// - maven and gradle,
// - maven, gradle, and gradle/verification-metadata
// all use the same ecosystem so "ignore" those parsers in the count
expectedCount -= 6
expectedCount -= 7

ecosystems := lockfile.KnownEcosystems()

Expand Down
38 changes: 20 additions & 18 deletions pkg/lockfile/extract_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,24 +33,25 @@ func TestFindExtractor(t *testing.T) {
t.Parallel()

lockfiles := map[string]string{
"buildscript-gradle.lockfile": "gradle.lockfile",
"Cargo.lock": "Cargo.lock",
"composer.lock": "composer.lock",
"Gemfile.lock": "Gemfile.lock",
"go.mod": "go.mod",
"gradle.lockfile": "gradle.lockfile",
"mix.lock": "mix.lock",
"pdm.lock": "pdm.lock",
"Pipfile.lock": "Pipfile.lock",
"package-lock.json": "package-lock.json",
"packages.lock.json": "packages.lock.json",
"pnpm-lock.yaml": "pnpm-lock.yaml",
"poetry.lock": "poetry.lock",
"pom.xml": "pom.xml",
"pubspec.lock": "pubspec.lock",
"renv.lock": "renv.lock",
"requirements.txt": "requirements.txt",
"yarn.lock": "yarn.lock",
"buildscript-gradle.lockfile": "gradle.lockfile",
"Cargo.lock": "Cargo.lock",
"composer.lock": "composer.lock",
"Gemfile.lock": "Gemfile.lock",
"go.mod": "go.mod",
"gradle/verification-metadata.xml": "gradle/verification-metadata.xml",
"gradle.lockfile": "gradle.lockfile",
"mix.lock": "mix.lock",
"pdm.lock": "pdm.lock",
"Pipfile.lock": "Pipfile.lock",
"package-lock.json": "package-lock.json",
"packages.lock.json": "packages.lock.json",
"pnpm-lock.yaml": "pnpm-lock.yaml",
"poetry.lock": "poetry.lock",
"pom.xml": "pom.xml",
"pubspec.lock": "pubspec.lock",
"renv.lock": "renv.lock",
"requirements.txt": "requirements.txt",
"yarn.lock": "yarn.lock",
}

for file, extractAs := range lockfiles {
Expand Down Expand Up @@ -91,6 +92,7 @@ func TestExtractDeps_FindsExpectedExtractor(t *testing.T) {
"Gemfile.lock",
"go.mod",
"gradle.lockfile",
"gradle/verification-metadata.xml",
"mix.lock",
"pdm.lock",
"Pipfile.lock",
Expand Down
Loading

0 comments on commit e6b3fd4

Please sign in to comment.