How to get dependency list in gradle - groovy

I'm developing a plugin for gradle, that will check license types for dependencies. I didn't find anything in plugin API how to get dependency list for the project and then retrieve it's metadata (like license type).
Is it possible in gradle?

For analyzing dependencies in general, check out Configuration in the Gradle Build Language Reference, in particular Configuration.resolvedConfiguration and Configuration.incoming.
That said, Gradle's dependency model doesn't capture licenses. Unless you have some external service that you can query for this information, the other option is to parse Maven/Ivy module descriptors.
Gradle doesn't currently give direct access to Maven/Ivy module descriptors. Instead you'll have create a detached configuration, populate it dynamically with dependencies pointing to the descriptors, resolve the configuration, and parse the descriptors yourself (e.g. with Groovy's excellent XmlSlurper). It's not trivial, but doable.
Another approach is to use the license reporting capabilities of repository managers such as Artifactory combined with Black Duck.

Related

Docker security scan detects vulnerability in gradle 7.4.1

Creating a docker image with gradle 7.4.1 triggers the security scan which shows vulnerability CVE-2020-36518. How can this particular jar file within the gradle package be updated?
I would just reject the security issue, explaining that it is not possible to exploit the vulnerability as the Gradle build runs isolated on controlled input, and is not accessible by any potential attackers.
(Assuming this is the case, of cause, and you don't have a custom Gradle plugin that reads untrusted JSON documents using Jackson from the Gradle classpath. But even then, all you are risking is a denial-of-service on the build.)
Fiddling around with jar files in external tools could easily lead to problems hard to debug later. But if you like, you could create an issue for them, asking if they could bump the Jackson version to avoid unnecessary noise from security scans like this. There is an example of that here.

How to add dependencies in hybris using external-dependencies.xml file?

I'm newbie in hybris. I want to add maven dependency in hybris using external-dependencies.xml. But I can't see any of those jar(s) popped-in. Is it possible to get jar using external-dependencies.xml, if yes, please provide your response.
The platform build is coupled with ant but you can use maven dependency (by default is disabled because all necessary libraries are shipped with the hybris).
In order to activate dependency management you have to follow these steps:
1) Make sure you have maven installed
2) Open the extensioninfo.xml from your extension
2.1) Include usemaven="true", for instance
3) Manage your dependencies inside "external-dependencies.xml" file (Inside this file is a regular maven pom.xml)
4) build your project (ant all). Hybris fetch required libraries into \lib and \web\webroot\WEB-INF\lib (Bear in mind that there are two "external-dependencies.xml", one for the core module and other for the web module)
Besides if you look the ant targets you will see there is one call "updateMavenDependencies". This task delete all jars in the lib folder and replaces them with the defined maven dependencies. In case you dont want maven to manage a few libraries you can handle this, creating a file in the root of your extension call "unmanaged-dependencies.txt".On this file you will include all libraries maven is not going to manage (therefore the ant target is not going to delete the libraries include on this file)
My official answer: add usemaven="true" in your extensioninfo.xml (extension tag)
I'm newbie too to Hybris but what I know is that whenever you need a dependency in a Hybris extension you need to add the name of the dependency to hybris/config/localextensions.xml and in extensioninfo.xml in the extension you want to add the dependency.
As for the Maven dependency, I'm not sure how to do that because I mostly use the out-of-the-box build system which is based on Ant.

Package References in F#

I am wondering if there is a way to bundle group of certain packages to load in to a new project outside of the PM(package manager). Like a predefined script?
thanks
This is commonly managed by Paket. It can add nuget package references to projects (like NuGet), but also has the option of generating include scripts for use in .fsx files.
For details, see the Paket FAQ.

How can I enable Groovy plugin features in my eclipse plugin?

I am writing an eclipse plugin which needs to support features from the Groovy eclipse plugin.
The Groovy website talks about Groovy eclipse plugins, and Groovy compiler support within eclipse and maven, but I did not find anything similar to what I need to do here.
If I look at the list of available plugin dependencies, I see a number of them:
How can I enable some discovery mechanism or otherwise, in order to install the Groovy plugin after the installation of my plugin completes?
Which plugin can I add as dependency to achieve this? Or should I have to individually add all of them?
If you want to add single plug-ins you can easily do that in the Manifest-Editor of your plug-in. If you need to add a dependency to a feature, you need to create a feature for your own plug-in and add the additional feature dependency in the feature-Editor.
To find out which groovy plug-ins are required to add the "groovy compiler support", I suppose you must rather look at the groovy features in your installation. Usually complex features like a compiler or the like are grouped within a feature.
Add on:
I think the discovery mechanism is already integrated in p2.
I suppose these plug-ins are part of a feature. Find this feature and add that to your product.
For stability I would recommend to add the specific plug-ins to your product/feature. That way you can be sure, people are using the exact version you proposed in your implmentation.

Project references v NuGet dependencies

I am in the process of introducing NuGet into our software dev process, both for external binaries (eg Moq, NUnit) and for internal library projects containing shared functionality.
TeamCity is producing NuGet packages from our internal library projects, and publishing them to a local repository. My modified solution files use the local repository for accessing the NuGet packages.
Consider the following source code solutions:
Company.Interfaces.sln builds Company.Interfaces.1.2.3.7654.nupkg.
Company.Common.sln contains a reference to Company.Interfaces via its NuGet package, and builds Company.Common.1.1.1.7655.nupkg, with Company.Interfaces.1.2.3.7654 included as a dependency.
The Company.DataAccess.sln uses the Company.Common nupkg to add
Company.Interfaces and Company.Common as references. It builds
Company.DataAccess.1.0.8.7660.nupkg, including Company.Common.1.1.1.7655 as a dependent component.
Company.Product.A is a website solution that contains references to all three library projects (added by selecting the
Company.DataAccess NuGet package).
Questions:
If there is a source code change to Company.Interfaces, do I always need to renumber and rebuild the intermediate packages (Company.Common and Company.DataAccess) and update the packages in Company.Product.A?
Or does that depend on whether the source code change was
a bug fix, or
a new feature, or
a breaking change?
In reality, I have 8 levels of dependent library packages. Is there tooling support for updating an entire tree of packages, should that be necessary?
I know about Semantic Versioning.
We are using VS2012, C#4.0, TeamCity 7.1.5.
It is a good idea to update everything on each check-in, in order to test it early.
What you're describing can be easily managed using artifact dependencies (http://confluence.jetbrains.com/display/TCD7/Artifact+Dependencies) and "Finish Build" build triggers (or even solely "Nuget Dependency Trigger").
We wrote our own build configuration on the base project (would be Company.Interfaces.sln in this case) which builds and updates the whole tree in one go. It checks in updated packages.config files and .nuspec files along the way. I can't say how much of a time-saver this ended up being for us, even if it might sound like overkill at the beginning.
One thing to watch out for: the script we wrote checks in the files even if the chain fails somewhere in between, to give us the chance of fixing it on our local machine, check in the fix and restart the publishing.

Resources