coinbase · maitrayshah-cb · Jan 2, 2023 · Jan 2, 2023 · Jan 2, 2023 · Jan 2, 2023
diff --git a/Dockerfile b/Dockerfile
@@ -31,16 +31,16 @@ WORKDIR /root
 RUN wget https://download.java.net/java/GA/jdk11/9/GPL/openjdk-11.0.2_linux-x64_bin.tar.gz -P /tmp
 RUN tar xvf /tmp/openjdk-11.0.2_linux-x64_bin.tar.gz -C /
 
-### Gradle 7
-RUN wget https://services.gradle.org/distributions/gradle-7.5.1-bin.zip -P /tmp
-RUN unzip -d /opt/gradle /tmp/gradle-*.zip
+# ### Gradle 7
+# RUN wget https://services.gradle.org/distributions/gradle-7.5.1-bin.zip -P /tmp
+# RUN unzip -d /opt/gradle /tmp/gradle-*.zip
 
-### Gradle 6
-RUN wget https://services.gradle.org/distributions/gradle-6.9.2-bin.zip -P /tmp2
-RUN unzip -d /opt/gradle /tmp2/gradle-*.zip
+# ### Gradle 6
+# RUN wget https://services.gradle.org/distributions/gradle-6.9.2-bin.zip -P /tmp2
+# RUN unzip -d /opt/gradle /tmp2/gradle-*.zip
 
-ENV GRADLE_HOME="/opt/gradle/gradle-7.5.1"
-ENV PATH="${GRADLE_HOME}/bin:${PATH}"
+# ENV GRADLE_HOME="/opt/gradle/gradle-7.5.1"
+# ENV PATH="${GRADLE_HOME}/bin:${PATH}"
 
 ### Rust
 ENV RUST_VERSION 1.58.1
@@ -199,10 +199,10 @@ COPY --from=builder /usr/local/go /usr/local/go
 COPY --from=builder /usr/bin/rg /usr/bin/rg
 COPY --from=builder /jdk-11.0.2 /jdk-11.0.2
 ENV JAVA_HOME /jdk-11.0.2
-COPY --from=builder /opt/gradle/gradle-7.5.1 /opt/gradle/gradle-7.5.1
-ENV PATH="/opt/gradle/gradle-7.5.1/bin:${PATH}"
+# COPY --from=builder /opt/gradle/gradle-7.5.1 /opt/gradle/gradle-7.5.1
+# ENV PATH="/opt/gradle/gradle-7.5.1/bin:${PATH}"
 
-COPY --from=builder /opt/gradle/gradle-6.9.2 /opt/gradle/gradle-6.9.2
+# COPY --from=builder /opt/gradle/gradle-6.9.2 /opt/gradle/gradle-6.9.2
 
 RUN ln -sf /usr/local/go/bin/go /usr/local/bin
 RUN python -m easy_install pip==${PIP_VERSION} \

diff --git a/docs/scanners/gradle_osv.md b/docs/scanners/gradle_osv.md
@@ -1,6 +1,8 @@
 # Gradle OSV Scanner
 
-Finds vulnerable dependencies in a Gradle project. By default, GradleOSV Scanner pulls advisory information from [OSV - Database for open source vulnerabilities](https://osv.dev/) to compare against the dependencies found by running `gradle dependencies`.
+Finds vulnerable dependencies in a Gradle project. By default, GradleOSV Scanner pulls advisory information from [OSV - Database for open source vulnerabilities](https://osv.dev/) to compare against the dependencies found in `gradle.lockfile`.
+
+> NOTE: multi_project_build config option has been deprecated.
 
 ## Configuration
 
@@ -9,10 +11,45 @@ When a CVE is present in a dependency, the best course of action is to upgrade t
 ```yaml
 scanner_configs:
   GradleOSV:
-    multi_project_build: true # If you run a multi project build setup, you can multi as true. Default is false
     exceptions:
       - advisory_id: CVE-2020-26945
         changed_by: security-team
         notes: Currently no patch exists and determined that this vulnerability is not exploitable.
         expiration: "2022-12-31"
 ```
+
+## How to generate lockfile
+
+To generate lockfile, use the following commands - 
+- Single Project
+
+```
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
+```
+**Generate lockfile:** `gradle dependencies --write-locks`
+
+- Multi Project
+```
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+
+    task resolveAndLockAll {
+        doFirst {
+            assert gradle.startParameter.writeDependencyLocks
+        }
+        doLast {
+            configurations.findAll {
+                // Add any custom filtering on the configurations to be resolved
+                it.canBeResolved
+            }.each { it.resolve() }
+        }
+    }
+}
+```
+**Generate lockfile:** `gradle resolveAndLockAll --write-locks`
diff --git a/lib/salus/package_utils/gradle_dependency_parser.rb b/lib/salus/package_utils/gradle_dependency_parser.rb
@@ -1,44 +1,13 @@
 module Gradle
-  GRADLE7 = "/opt/gradle/gradle-7.5.1/bin/gradle".freeze
-  GRADLE6 = "/opt/gradle/gradle-6.9.2/bin/gradle".freeze
-  GET_GRADLE_PROJECTS = "./gradlew projects --info".freeze
-
-  def is_multi_project
-    projects = []
-    command = "./gradlew "
-    projects_shell_result = run_shell(GET_GRADLE_PROJECTS)
-    projects_shell_result.stdout.each_line do |line|
-      projects.append(line.split.last.strip.tr(":", "").tr("'", "")) if line.include? '--- Project '
-    end
-
-    projects.each do |proj|
-      command += proj + ":dependencies "
-    end
-
-    run_shell(command)
-  end
-
-  def is_single_project
-    shell_result = run_shell("#{GRADLE7} dependencies")
-    shell_result = run_shell("#{GRADLE6} dependencies") if !shell_result.success?
-    shell_result
-  end
-
-  def gradle_dependencies
-    dependency_metadata_regex = /-\s(?<group_id>.+):(?<artifact_id>.+):(?<version>.+)/
-    result = if @config['multi_project_build']
-               is_multi_project
-             else
-               is_single_project
-             end
-    # 'gradle dependencies' command needs to be run in the folder where buid.gradle is present.
-    if !result.success?
-      report_error("Gradle Version Not supported. Please Upgrade to gradle version 6 and above")
-      return []
-    end
+  def gradle_dependencies(path)
+    msg = "gradle.lockfile not found!"
+    raise StandardError, msg unless File.exist?(path)
 
+    dependency_metadata_regex = /(?<group_id>.+):(?<artifact_id>.+):(?<version>.+)=/
+    lockfile_content = File.read(path)
     dependencies = []
-    result.stdout.scan(dependency_metadata_regex).each do |dependency_properties|
+
+    lockfile_content.scan(dependency_metadata_regex).each do |dependency_properties|
       if dependency_properties.length < 3
         report_error("Could not parse dependency metadata #{dependency_properties}")
         next

diff --git a/lib/salus/repo.rb b/lib/salus/repo.rb
@@ -41,6 +41,7 @@ class Repo
       # Java
       { handle: :pom_xml, filename: 'pom.xml' },
       { handle: :build_gradle, filename: 'build.gradle' },
+      { handle: :build_gradle_lockfile, filename: 'gradle.lockfile' },
       # Swift
       { handle: :package_resolved, filename: 'Package.resolved' },
       # Apple Ecosystem (macOS, iOS, etc)

diff --git a/lib/salus/scanners/osv/gradle_osv.rb b/lib/salus/scanners/osv/gradle_osv.rb
@@ -12,7 +12,8 @@ class SemVersion < Gem::Version; end
         "/Maven/all.zip".freeze
 
     def should_run?
-      @repository.build_gradle_present?
+      @repository.build_gradle_present? &&
+        @repository.build_gradle_lockfile_present?
     end
 
     def self.supported_languages
@@ -21,7 +22,7 @@ def self.supported_languages
 
     def run
       # Find dependencies from the project
-      dependencies = gradle_dependencies
+      dependencies = gradle_dependencies(@repository.build_gradle_lockfile_path)
       if dependencies.empty?
         err_msg = "GradleOSV: Failed to parse any dependencies from the project."
         report_stderr(err_msg)

diff --git a/lib/salus/scanners/report_gradle_deps.rb b/lib/salus/scanners/report_gradle_deps.rb
@@ -7,7 +7,7 @@ class ReportGradleDeps < ReportBase
     include Gradle
 
     def run
-      dependencies = gradle_dependencies
+      dependencies = gradle_dependencies(@repository.build_gradle_lockfile_path)
 
       dependencies.each do |dependency|
         group_id = dependency['group_id']

diff --git a/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle
@@ -9,3 +9,9 @@ repositories {
 dependencies {
     testImplementation group: 'com.google.guava', name: 'guava', version: '30.1-jre'
 }
+
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
diff --git a/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/gradle.lockfile b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/gradle.lockfile
@@ -0,0 +1,11 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.google.code.findbugs:jsr305:3.0.2=testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.3.4=testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:30.1-jre=testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle b/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle
@@ -8,3 +8,9 @@ repositories {
 
 dependencies {
 }
+
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
diff --git a/spec/fixtures/osv/gradle_osv/no_dependency_found/gradle.lockfile b/spec/fixtures/osv/gradle_osv/no_dependency_found/gradle.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
diff --git a/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle
@@ -9,3 +9,9 @@ repositories {
 dependencies {
     implementation group: 'test.test.test', name: 'sample', version: '2.6.2'
 }
+
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
diff --git a/spec/fixtures/osv/gradle_osv/success_no_vulnerability/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/gradle.lockfile
@@ -0,0 +1,5 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.testsampledep:hello-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/success_resolved_dependency/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_resolved_dependency/gradle.lockfile
@@ -0,0 +1,5 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.apache.logging.log4j:log4j-api:2.17.1=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle
@@ -9,3 +9,9 @@ repositories {
 dependencies {
     testImplementation group: 'com.google.guava', name: 'guava', version: '30.1-jre'
 }
+
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
diff --git a/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/gradle.lockfile
@@ -0,0 +1,11 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.google.code.findbugs:jsr305:3.0.2=testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.3.4=testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:30.1-jre=testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/processor/local_uri/expected_report.json b/spec/fixtures/processor/local_uri/expected_report.json
@@ -249,7 +249,7 @@
       "passed": true,
       "running_time": 1.45,
       "scanner_name": "Trufflehog",
-      "version": "3.19.0",
+      "version": "3.21.0",
       "warn": {
       }
     }

diff --git a/spec/fixtures/processor/remote_uri/expected_report.json b/spec/fixtures/processor/remote_uri/expected_report.json
@@ -249,7 +249,7 @@
       "passed": true,
       "running_time": 1.45,
       "scanner_name": "Trufflehog",
-      "version": "3.19.0",
+      "version": "3.21.0",
       "warn": {
       }
     }

diff --git a/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle
@@ -2,5 +2,12 @@ plugins {
     id 'java'
 }
 
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
+}
+
 repositories {
-    mavenCentr
+    mavenCentr
+}
diff --git a/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/gradle.lockfile b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/gradle.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
diff --git a/spec/fixtures/report_gradle_deps/normal/build.gradle b/spec/fixtures/report_gradle_deps/normal/build.gradle
@@ -10,4 +10,10 @@ dependencies {
     implementation group: 'org.apache.kafka', name: 'connect-transforms', version: '2.6.2'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
     testImplementation group: 'org.testng', name: 'testng', version: '7.4.0'
+}
+
+allprojects {
+    dependencyLocking {
+        lockAllConfigurations()
+    }
 }
diff --git a/spec/fixtures/report_gradle_deps/normal/gradle.lockfile b/spec/fixtures/report_gradle_deps/normal/gradle.lockfile
@@ -0,0 +1,18 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.beust:jcommander:1.78=testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.10.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.10.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.10.5.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.luben:zstd-jni:1.4.4-7=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+javax.ws.rs:javax.ws.rs-api:2.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:connect-api:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:connect-transforms:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:kafka-clients:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.lz4:lz4-java:1.7.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:1.7.30=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testng:testng:7.4.0=testCompileClasspath,testRuntimeClasspath
+org.webjars:jquery:3.5.1=testCompileClasspath,testRuntimeClasspath
+org.xerial.snappy:snappy-java:1.1.7.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,testAnnotationProcessor
diff --git a/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb b/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb
@@ -10,7 +10,7 @@
 
       gradle_cyclonedx = Cyclonedx::ReportGradleDeps.new(scanner.report)
       components_object = gradle_cyclonedx.build_components_object
-      expect(components_object.size).to eq(61)
+      expect(components_object.size).to eq(14)
       expect(components_object).to include(
         {
           type: "library",