feat: support parsing Gradle lockfiles (#164)

Author: G-Rath

README.md

@@ -50,20 +50,22 @@ osv-detector path/to/my/
 
 The detector supports parsing the following lockfiles:
 
-| Lockfile             | Ecosystem   | Tool       |
-| -------------------- | ----------- | ---------- |
-| `Cargo.lock`         | `crates.io` | `cargo`    |
-| `package-lock.json`  | `npm`       | `npm`      |
-| `yarn.lock`          | `npm`       | `yarn`     |
-| `pnpm-lock.yaml`     | `npm`       | `pnpm`     |
-| `composer.lock`      | `Packagist` | `composer` |
-| `Gemfile.lock`       | `RubyGems`  | `bundler`  |
-| `go.mod`             | `Go`        | `go mod`   |
-| `mix.lock`           | `Hex`       | `mix`      |
-| `poetry.lock`        | `PyPI`      | `poetry`   |
-| `pubspec.lock`       | `Pub`       | `pub`      |
-| `pom.xml`\*          | `Maven`     | `maven`    |
-| `requirements.txt`\* | `PyPI`      | `pip`      |
+| Lockfile                      | Ecosystem   | Tool       |
+| ----------------------------- | ----------- | ---------- |
+| `buildscript-gradle.lockfile` | `Maven`     | `gradle`   |
+| `Cargo.lock`                  | `crates.io` | `cargo`    |
+| `package-lock.json`           | `npm`       | `npm`      |
+| `yarn.lock`                   | `npm`       | `yarn`     |
+| `pnpm-lock.yaml`              | `npm`       | `pnpm`     |
+| `composer.lock`               | `Packagist` | `composer` |
+| `Gemfile.lock`                | `RubyGems`  | `bundler`  |
+| `go.mod`                      | `Go`        | `go mod`   |
+| `gradle.lockfile`             | `Maven`     | `gradle`   |
+| `mix.lock`                    | `Hex`       | `mix`      |
+| `poetry.lock`                 | `PyPI`      | `poetry`   |
+| `pubspec.lock`                | `Pub`       | `pub`      |
+| `pom.xml`\*                   | `Maven`     | `maven`    |
+| `requirements.txt`\*          | `PyPI`      | `pip`      |
 
 \*: `pom.xml` and `requirements.txt` are technically not lockfiles, as they
 don't have to specify the complete dependency tree and can have version

main_test.go

@@ -131,10 +131,12 @@ func TestRun(t *testing.T) {
 			wantStdout:   "",
 			wantStderr: `
 				Don't know how to parse files as "my-file" - supported values are:
+					buildscript-gradle.lockfile
 					Cargo.lock
 					composer.lock
 					Gemfile.lock
 					go.mod
+					gradle.lockfile
 					mix.lock
 					package-lock.json
 					pnpm-lock.yaml

pkg/lockfile/ecosystems_test.go

@@ -33,9 +33,9 @@ func TestKnownEcosystems(t *testing.T) {
 
 	expectedCount := numberOfLockfileParsers(t)
 
-	// npm, yarn, and pnpm, and pip and poetry, all use the same ecosystem
-	// so "ignore" those parsers in the count
-	expectedCount -= 3
+	// npm, yarn, and pnpm, and pip and poetry, and maven and gradle, all
+	// use the same ecosystem so "ignore" those parsers in the count
+	expectedCount -= 4
 
 	ecosystems := lockfile.KnownEcosystems()
 

pkg/lockfile/fixtures/gradle/5-pkg

@@ -0,0 +1,10 @@
+##
+## Comments
+##
+
+org.springframework.boot:spring-boot-autoconfigure:2.7.4=compileClasspath,developmentOnly,productionRuntimeClasspath,runtimeClasspath
+org.springframework.boot:spring-boot-configuration-processor:2.7.5=annotationProcessor,compileClasspath
+org.springframework.boot:spring-boot-devtools:2.7.6=developmentOnly,runtimeClasspath
+org.springframework.boot:spring-boot-starter-aop:2.7.7=compileClasspath,productionRuntimeClasspath,runtimeClasspath
+org.springframework.boot:spring-boot-starter-data-jpa:2.7.8=compileClasspath,productionRuntimeClasspath,runtimeClasspath
+empty=

pkg/lockfile/fixtures/gradle/one-pkg

@@ -0,0 +1,5 @@
+# Comment example
+#
+
+org.springframework.security:spring-security-crypto:5.7.3=compileClasspath,productionRuntimeClasspath,runtimeClasspath
+empty=

pkg/lockfile/fixtures/gradle/only-comments

@@ -0,0 +1,8 @@
+# This
+# is
+# a
+# comment
+
+
+
+

pkg/lockfile/fixtures/gradle/only-empty

@@ -0,0 +1 @@
+empty=

pkg/lockfile/fixtures/gradle/with-bad-pkg

@@ -0,0 +1,19 @@
+# This sample gradle lockfile has bad lines
+#
+>>>
+////
+empty=======
+
+org.springframework.boot:spring-boot-autoconfigure:2.7.4=compileClasspath,developmentOnly,productionRuntimeClasspath,runtimeClasspath
+
+      a
+        b
+
+
+
+org.springframework.boot:spring-boot-configuration-processor:2.7.5=compileClasspath,developmentOnly,productionRuntimeClasspath,runtimeClasspath
+
+
+
+
+

pkg/lockfile/parse-gradle-lock.go

@@ -0,0 +1,64 @@
+package lockfile
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+)
+
+func isNotGradleDependencyLine(line string) bool {
+	return strings.HasPrefix(line, "#") || strings.HasPrefix(line, "empty=")
+}
+
+func parseGradleLine(line string) (PackageDetails, error) {
+	parts := strings.SplitN(line, ":", 3)
+	if len(parts) < 3 {
+		return PackageDetails{}, fmt.Errorf("invalid line in gradle lockfile: %s", line) //nolint:goerr113
+	}
+
+	group, artifact, version := parts[0], parts[1], parts[2]
+	version = strings.SplitN(version, "=", 2)[0]
+
+	return PackageDetails{
+		Name:      fmt.Sprintf("%s:%s", group, artifact),
+		Version:   version,
+		Ecosystem: MavenEcosystem,
+		CompareAs: MavenEcosystem,
+	}, nil
+}
+
+func ParseGradleLock(pathToLockfile string) ([]PackageDetails, error) {
+	var packages []PackageDetails
+
+	lockFile, err := os.Open(pathToLockfile)
+	if err != nil {
+		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
+	}
+	defer lockFile.Close()
+
+	scanner := bufio.NewScanner(lockFile)
+
+	for scanner.Scan() {
+		lockLine := strings.TrimSpace(scanner.Text())
+
+		if isNotGradleDependencyLine(lockLine) {
+			continue
+		}
+
+		pkg, err := parseGradleLine(lockLine)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "skipping %s\n", err.Error())
+
+			continue
+		}
+
+		packages = append(packages, pkg)
+	}
+
+	if err := scanner.Err(); err != nil {
+		return []PackageDetails{}, fmt.Errorf("error while scanning %s: %w", pathToLockfile, err)
+	}
+
+	return packages, nil
+}

pkg/lockfile/parse-gradle-lock_test.go

@@ -0,0 +1,127 @@
+package lockfile_test
+
+import (
+	"github.com/g-rath/osv-detector/pkg/lockfile"
+	"testing"
+)
+
+func TestParseGradleLock_FileDoesNotExist(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/does-not-exist")
+
+	expectErrContaining(t, err, "could not open")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParseGradleLock_OnlyComments(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/only-comments")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParseGradleLock_EmptyStatement(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/only-empty")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParseGradleLock_OnePackage(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/one-pkg")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "org.springframework.security:spring-security-crypto",
+			Version:   "5.7.3",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+	})
+}
+
+func TestParseGradleLock_MultiplePackage(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/5-pkg")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "org.springframework.boot:spring-boot-autoconfigure",
+			Version:   "2.7.4",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+		{
+			Name:      "org.springframework.boot:spring-boot-configuration-processor",
+			Version:   "2.7.5",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+		{
+			Name:      "org.springframework.boot:spring-boot-devtools",
+			Version:   "2.7.6",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+
+		{
+			Name:      "org.springframework.boot:spring-boot-starter-aop",
+			Version:   "2.7.7",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+		{
+			Name:      "org.springframework.boot:spring-boot-starter-data-jpa",
+			Version:   "2.7.8",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+	})
+}
+
+func TestParseGradleLock_WithInvalidLines(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseGradleLock("fixtures/gradle/with-bad-pkg")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "org.springframework.boot:spring-boot-autoconfigure",
+			Version:   "2.7.4",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+		{
+			Name:      "org.springframework.boot:spring-boot-configuration-processor",
+			Version:   "2.7.5",
+			Ecosystem: lockfile.MavenEcosystem,
+			CompareAs: lockfile.MavenEcosystem,
+		},
+	})
+}