Added curation audit for gradle (jfrog#455)

Author: basel1322

commands/audit/sca/java/gradle.go

@@ -122,7 +122,6 @@ func getRemoteRepos(depsRepo string, server *config.ServerDetails) (string, stri
 	if err != nil {
 		return "", "", err
 	}
-
 	constructedDepsRepo, err := getDepTreeArtifactoryRepository(depsRepo, server)
 	if err != nil {
 		return "", "", err
@@ -136,7 +135,6 @@ func constructReleasesRemoteRepo() (string, error) {
 	if err != nil || serverId == "" || repoName == "" {
 		return "", err
 	}
-
 	releasesServer, err := config.GetSpecificConfig(serverId, false, true)
 	if err != nil {
 		return "", err
@@ -148,12 +146,12 @@ func constructReleasesRemoteRepo() (string, error) {
 }
 
 func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFileContent []byte, err error) {
+
 	gradleExecPath, err := build.GetGradleExecPath(gdt.useWrapper)
 	if err != nil {
 		err = errorutils.CheckError(err)
 		return
 	}
-
 	outputFilePath := filepath.Join(depTreeDir, gradleDepTreeOutputFile)
 	tasks := []string{
 		"clean",
@@ -169,7 +167,6 @@ func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFil
 	defer func() {
 		err = errors.Join(err, errorutils.CheckError(os.Remove(outputFilePath)))
 	}()
-
 	outputFileContent, err = os.ReadFile(outputFilePath)
 	err = errorutils.CheckError(err)
 	return

commands/curation/curationaudit.go

@@ -75,6 +75,7 @@ const (
 	MinArtiGolangSupport      = "7.87.0"
 	MinArtiNuGetSupport       = "7.93.0"
 	MinXrayPassThroughSupport = "3.92.0"
+	MinArtiGradlesupport      = "7.63.5"
 )
 
 var CurationOutputFormats = []string{string(outFormat.Table), string(outFormat.Json)}
@@ -93,6 +94,9 @@ var supportedTech = map[techutils.Technology]func(ca *CurationAuditCommand) (boo
 	techutils.Nuget: func(ca *CurationAuditCommand) (bool, error) {
 		return ca.checkSupportByVersionOrEnv(techutils.Nuget, MinArtiNuGetSupport)
 	},
+	techutils.Gradle: func(ca *CurationAuditCommand) (bool, error) {
+		return ca.checkSupportByVersionOrEnv(techutils.Gradle, MinArtiGradlesupport)
+	},
 }
 
 func (ca *CurationAuditCommand) checkSupportByVersionOrEnv(tech techutils.Technology, minArtiVersion string) (bool, error) {
@@ -400,6 +404,8 @@ func (ca *CurationAuditCommand) getAuditParamsByTech(tech techutils.Technology)
 			SetNpmOverwritePackageLock(true)
 	case techutils.Maven:
 		ca.AuditParams.SetIsMavenDepTreeInstalled(true)
+	case techutils.Gradle:
+		ca.AuditParams.SetIsGradleDepTreeInstalled(false)
 	}
 
 	return ca.AuditParams
@@ -908,7 +914,8 @@ func getUrlNameAndVersionByTech(tech techutils.Technology, node *xrayUtils.Graph
 		return getNpmNameScopeAndVersion(node.Id, artiUrl, repo, techutils.Npm.String())
 	case techutils.Maven:
 		return getMavenNameScopeAndVersion(node.Id, artiUrl, repo, node)
-
+	case techutils.Gradle:
+		return getGradleNameScopeAndVersion(node.Id, artiUrl, repo, node)
 	case techutils.Pip:
 		downloadUrls, name, version = getPythonNameVersion(node.Id, downloadUrlsMap)
 		return
@@ -1003,6 +1010,43 @@ func getMavenNameScopeAndVersion(id, artiUrl, repo string, node *xrayUtils.Graph
 	return downloadUrls, strings.Join(allParts[:2], ":"), "", allParts[2]
 }
 
+// Given an input containing a classifier, e.g., id: gav://org.apache.tomcat.embed:tomcat-embed-jasper:8.0.33-jdk15,
+// we parse it to extract the package name and version, then use that information to build the corresponding Artifactory download URL.
+func getGradleNameScopeAndVersion(id, artiUrl, repo string, node *xrayUtils.GraphNode) (downloadUrls []string, name, scope, version string) {
+	id = strings.TrimPrefix(id, "gav://")
+	parts := strings.Split(id, ":")
+	if len(parts) < 3 {
+		return
+	}
+
+	groupID, artifactID, version := parts[0], parts[1], parts[2]
+	nameVersion := artifactID + "-" + version
+	versionDir := version
+
+	if node != nil && node.Classifier != nil && *node.Classifier != "" {
+		classifierSuffix := "-" + *node.Classifier
+		versionDir = strings.TrimSuffix(version, classifierSuffix)
+	}
+
+	groupPath := strings.ReplaceAll(groupID, ".", "/")
+	packagePath := fmt.Sprintf("%s/%s/%s/%s", groupPath, artifactID, versionDir, nameVersion)
+	if node != nil && node.Types != nil {
+		for _, fileType := range *node.Types {
+			if fileType == "jar" {
+				jarURL := fmt.Sprintf("%s/%s/%s.jar", strings.TrimSuffix(artiUrl, "/"), repo, packagePath)
+				downloadUrls = append(downloadUrls, jarURL)
+				break
+			}
+		}
+	} else {
+		//  .jar type file by default
+		jarURL := fmt.Sprintf("%s/%s/%s.jar", strings.TrimSuffix(artiUrl, "/"), repo, packagePath)
+		downloadUrls = append(downloadUrls, jarURL)
+	}
+
+	return downloadUrls, strings.Join(parts[:2], ":"), "", parts[2]
+}
+
 // The graph holds, for each node, the component ID (xray representation)
 // from which we extract the package name, version, and construct the Artifactory download URL.
 func getNpmNameScopeAndVersion(id, artiUrl, repo, tech string) (downloadUrl []string, name, scope, version string) {

commands/curation/curationaudit_test.go

@@ -631,6 +631,63 @@ func getTestCasesForDoCurationAudit() []testCase {
 				},
 			},
 		},
+		{
+			name:          "gradle tree - one blocked package",
+			tech:          techutils.Gradle,
+			pathToProject: filepath.Join("projects", "package-managers", "gradle", "curation-project"),
+			funcToGetGoals: func(t *testing.T) []string {
+				// To ensure only the blocked package is resolved during testing, we pre-populate the cache with dependencies beforehand.
+				// Since the cache location depends on the project directory, we need to mimic that setup during the pretest build.
+				// This way, the test phase will use the same cache directory, already filled with required dependencies.
+				restoreWD := testUtils.ChangeWDWithCallback(t, "tests/testdata/projects/package-managers")
+				defer restoreWD()
+
+				curationCache, err := utils.GetCurationCacheFolderByTech(techutils.Gradle)
+				require.NoError(t, err)
+
+				return []string{
+					"gradle", "build",
+					"--build-file", "build.gradle",
+					"--gradle-user-home=" + curationCache,
+					"--no-daemon",
+				}
+			},
+			serveResources: map[string]string{
+				"build.gradle": filepath.Join("tests", "testdata", "projects", "package-managers", "gradle", "curation-project", "build.gradle"),
+			},
+			requestToFail: map[string]bool{
+				"/gradle-virtual/log4j/log4j/1.2.14/log4j-1.2.14.jar": true,
+			},
+			expectedResp: map[string]*CurationReport{
+				"com.example:curation-project:1.0.0": {
+					// Ensure packagesStatus is properly initialized, even if empty initially
+					packagesStatus: []*PackageStatus{
+						{
+							Action:            "blocked",
+							ParentName:        "log4j:log4j",
+							ParentVersion:     "1.2.14",
+							BlockedPackageUrl: "/gradle-virtual/log4j/log4j/1.2.14/log4j-1.2.14.jar",
+							PackageName:       "log4j:log4j",
+							PackageVersion:    "1.2.14",
+							BlockingReason:    "Policy violations",
+							DepRelation:       "direct",
+							PkgType:           "gradle",
+							WaiverAllowed:     false,
+							Policy: []Policy{
+								{
+									Policy:         "pol1",
+									Condition:      "cond1",
+									Explanation:    "",
+									Recommendation: "",
+								},
+							},
+						},
+					},
+					totalNumberOfPackages: 5, // Adjust the number if necessary
+				},
+			},
+			allowInsecureTls: true,
+		},
 		{
 			name:          "python tree - one blocked package",
 			tech:          techutils.Pip,
@@ -946,6 +1003,41 @@ func Test_getGoNameScopeAndVersion(t *testing.T) {
 	}
 }
 
+func Test_getGradleNameScopeAndVersion(t *testing.T) {
+	tests := []struct {
+		name             string
+		id               string
+		artiUrl          string
+		repo             string
+		node             string
+		wantDownloadUrls []string
+		wantName         string
+		wantScope        string
+		wantVersion      string
+	}{
+		{
+			name:             "Realistic package from example - log4j",
+			id:               "gav://log4j:log4j:1.2.14",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "gradle-virtual",
+			node:             "",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/gradle-virtual/log4j/log4j/1.2.14/log4j-1.2.14.jar"},
+			wantName:         "log4j:log4j",
+			wantScope:        "",
+			wantVersion:      "1.2.14",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotDownloadUrls, gotName, gotScope, gotVersion := getGradleNameScopeAndVersion(tt.id, tt.artiUrl, tt.repo, nil)
+			assert.Equal(t, tt.wantDownloadUrls, gotDownloadUrls, "downloadUrls mismatch")
+			assert.Equal(t, tt.wantName, gotName, "name mismatch")
+			assert.Equal(t, tt.wantScope, gotScope, "scope mismatch")
+			assert.Equal(t, tt.wantVersion, gotVersion, "version mismatch")
+		})
+	}
+}
+
 func Test_getNugetNameScopeAndVersion(t *testing.T) {
 	tests := []struct {
 		name        string

tests/testdata/projects/package-managers/gradle/curation-project/.jfrog/projects/gradle.yaml

@@ -0,0 +1,5 @@
+version: 1
+type: gradle
+resolver:
+  repo: gradle-virtual
+  serverId: test

tests/testdata/projects/package-managers/gradle/curation-project/build.gradle

@@ -0,0 +1,45 @@
+// Apply the Java plugin to add support for Java
+plugins {
+    id 'java'
+}
+
+// Set the group and version of the project
+group = 'com.example'
+version = '1.0.0'
+
+// Specify the repositories for dependencies
+repositories {
+    // Use Maven Central repository
+    //mavenCentral()
+    maven {
+        allowInsecureProtocol = true
+        url "http://localhost:8046/artifactory/gradle-virtual/"
+        credentials {
+            username = 'admin'
+            password = 'password'
+        }
+    }
+}
+
+// Declare the dependencies for the project
+dependencies {
+    // Use JUnit 4 for testing
+    testImplementation 'junit:junit:4.13.2'
+    implementation 'org.apache.commons:commons-lang3:3.12.0'
+    implementation group: 'ch.qos.logback', name: 'logback-access', version: '1.4.13'
+    implementation group: 'ch.qos.logback', name: 'logback-core', version: '1.5.4'
+    implementation 'log4j:log4j:1.2.14'
+}
+
+// Define a custom task (optional)
+task hello {
+    doLast {
+        println 'Hello, Gradle!'
+    }
+}
+
+// Specify the Java version compatibility
+java {
+    sourceCompatibility = JavaVersion.VERSION_11
+    targetCompatibility = JavaVersion.VERSION_11
+}

utils/auditbasicparams.go

@@ -37,6 +37,7 @@ type AuditParams interface {
 	SetIgnoreConfigFile(ignoreConfigFile bool) *AuditBasicParams
 	IsMavenDepTreeInstalled() bool
 	SetIsMavenDepTreeInstalled(isMavenDepTreeInstalled bool) *AuditBasicParams
+	SetIsGradleDepTreeInstalled(isGradleDepTreeInstalled bool) *AuditBasicParams
 	IsCurationCmd() bool
 	SetIsCurationCmd(bool) *AuditBasicParams
 	SetExclusions(exclusions []string) *AuditBasicParams
@@ -59,6 +60,7 @@ type AuditBasicParams struct {
 	insecureTls                      bool
 	ignoreConfigFile                 bool
 	isMavenDepTreeInstalled          bool
+	isGradleDepTreeInstalled         bool
 	isCurationCmd                    bool
 	maxTreeDepth                     string
 	pipRequirementsFile              string
@@ -258,6 +260,13 @@ func (abp *AuditBasicParams) SetIsMavenDepTreeInstalled(isMavenDepTreeInstalled
 	abp.isMavenDepTreeInstalled = isMavenDepTreeInstalled
 	return abp
 }
+func (abp *AuditBasicParams) IsGradleDepTreeInstalled() bool {
+	return abp.isGradleDepTreeInstalled
+}
+func (abp *AuditBasicParams) SetIsGradleDepTreeInstalled(isGradleDepTreeInstalled bool) *AuditBasicParams {
+	abp.isGradleDepTreeInstalled = isGradleDepTreeInstalled
+	return abp
+}
 
 func (abp *AuditBasicParams) IsCurationCmd() bool {
 	return abp.isCurationCmd