Updated gradle-dep-tree plugin and added support for the included builds param

Author: michaelm-jf

cli/docs/flags.go

@@ -7,6 +7,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
 	pluginsCommon "github.com/jfrog/jfrog-cli-core/v2/plugins/common"
 	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
+
 	"github.com/jfrog/jfrog-cli-security/commands/git/contributors"
 	"github.com/jfrog/jfrog-cli-security/commands/xray/offlineupdate"
 	"github.com/jfrog/jfrog-cli-security/utils"
@@ -71,15 +72,16 @@ const (
 	InsecureTls = "insecure-tls"
 
 	// Generic command flags
-	SpecFlag    = "spec"
-	Threads     = "threads"
-	Recursive   = "recursive"
-	RegexpFlag  = "regexp"
-	AntFlag     = "ant"
-	Project     = "project"
-	Exclusions  = "exclusions"
-	IncludeDirs = "include-dirs"
-	UseWrapper  = "use-wrapper"
+	SpecFlag          = "spec"
+	Threads           = "threads"
+	Recursive         = "recursive"
+	RegexpFlag        = "regexp"
+	AntFlag           = "ant"
+	Project           = "project"
+	Exclusions        = "exclusions"
+	IncludeDirs       = "include-dirs"
+	UseWrapper        = "use-wrapper"
+	UseIncludedBuilds = "use-included-builds"
 )
 
 const (

cli/scancommands.go

@@ -17,6 +17,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
 	coreConfig "github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+
 	flags "github.com/jfrog/jfrog-cli-security/cli/docs"
 	auditSpecificDocs "github.com/jfrog/jfrog-cli-security/cli/docs/auditspecific"
 	enrichDocs "github.com/jfrog/jfrog-cli-security/cli/docs/enrich"
@@ -28,14 +29,15 @@ import (
 	scanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/scan"
 	uploadCdxDocs "github.com/jfrog/jfrog-cli-security/cli/docs/upload"
 
+	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/urfave/cli"
+
 	"github.com/jfrog/jfrog-cli-security/commands/enrich"
 	"github.com/jfrog/jfrog-cli-security/commands/source_mcp"
 	"github.com/jfrog/jfrog-cli-security/jas"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/indexer"
 	"github.com/jfrog/jfrog-cli-security/utils/xray"
-	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
-	"github.com/jfrog/jfrog-client-go/utils/log"
-	"github.com/urfave/cli"
 
 	"github.com/jfrog/jfrog-cli-security/commands/audit"
 	"github.com/jfrog/jfrog-cli-security/commands/curation"
@@ -491,7 +493,8 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
 		SetMaxTreeDepth(c.GetStringFlagValue(flags.MaxTreeDepth)).
-		SetExclusions(pluginsCommon.GetStringsArrFlagValue(c, flags.Exclusions))
+		SetExclusions(pluginsCommon.GetStringsArrFlagValue(c, flags.Exclusions)).
+		SetUseIncludedBuilds(c.GetBoolFlagValue(flags.UseIncludedBuilds))
 	return xrayVersion, xscVersion, serverDetails, auditCmd, err
 }
 

commands/audit/auditparams.go

@@ -3,6 +3,8 @@ package audit
 import (
 	"time"
 
+	"github.com/jfrog/jfrog-client-go/xray/services"
+
 	"github.com/jfrog/jfrog-cli-security/sca/bom"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
@@ -12,7 +14,6 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 	"github.com/jfrog/jfrog-cli-security/utils/techutils"
 	"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
-	"github.com/jfrog/jfrog-client-go/xray/services"
 )
 
 type AuditParams struct {
@@ -206,7 +207,8 @@ func (params *AuditParams) ToBuildInfoBomGenParams() (bomParams technologies.Bui
 		// Python params
 		PipRequirementsFile: params.PipRequirementsFile(),
 		// Pnpm params
-		MaxTreeDepth: params.MaxTreeDepth(),
+		MaxTreeDepth:      params.MaxTreeDepth(),
+		UseIncludedBuilds: params.UseIncludedBuilds(),
 	}
 	return
 }

sca/bom/buildinfo/buildinfobom.go

@@ -195,6 +195,7 @@ func GetTechDependencyTree(params technologies.BuildInfoBomGeneratorParams, arti
 			UseWrapper:              params.UseWrapper,
 			IsCurationCmd:           params.IsCurationCmd,
 			CurationCacheFolder:     curationCacheFolder,
+			UseIncludedBuilds:       params.UseIncludedBuilds,
 		}, tech)
 	case techutils.Npm:
 		depTreeResult.FullDepTrees, uniqueDepsIds, err = npm.BuildDependencyTree(params)

sca/bom/buildinfo/technologies/common.go

@@ -10,17 +10,18 @@ import (
 	buildInfoUtils "github.com/jfrog/build-info-go/utils"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/tests"
-	"github.com/jfrog/jfrog-cli-security/utils"
-	"github.com/jfrog/jfrog-cli-security/utils/techutils"
-	"github.com/jfrog/jfrog-cli-security/utils/xray"
-	"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
 	"github.com/jfrog/jfrog-client-go/artifactory/services/fspatterns"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	xscservices "github.com/jfrog/jfrog-client-go/xsc/services"
+
+	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-security/utils/techutils"
+	"github.com/jfrog/jfrog-cli-security/utils/xray"
+	"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
 )
 
 const (
@@ -57,7 +58,8 @@ type BuildInfoBomGeneratorParams struct {
 	NpmIgnoreNodeModules    bool
 	NpmOverwritePackageLock bool
 	// Pnpm params
-	MaxTreeDepth string
+	MaxTreeDepth      string
+	UseIncludedBuilds bool
 }
 
 func (bbp *BuildInfoBomGeneratorParams) SetNpmScope(depType string) *BuildInfoBomGeneratorParams {

sca/bom/buildinfo/technologies/java/deptreemanager.go

@@ -31,16 +31,18 @@ type DepTreeParams struct {
 	IsMavenDepTreeInstalled bool
 	IsCurationCmd           bool
 	CurationCacheFolder     string
+	UseIncludedBuilds       bool
 }
 
 type DepTreeManager struct {
-	server     *config.ServerDetails
-	depsRepo   string
-	useWrapper bool
+	server            *config.ServerDetails
+	depsRepo          string
+	useWrapper        bool
+	useIncludedBuilds bool
 }
 
 func NewDepTreeManager(params *DepTreeParams) DepTreeManager {
-	return DepTreeManager{useWrapper: params.UseWrapper, depsRepo: params.DepsRepo, server: params.Server}
+	return DepTreeManager{useWrapper: params.UseWrapper, depsRepo: params.DepsRepo, server: params.Server, useIncludedBuilds: params.UseIncludedBuilds}
 }
 
 // The structure of a dependency tree of a module in a Gradle/Maven project, as created by the gradle-dep-tree and maven-dep-tree plugins.
@@ -78,10 +80,13 @@ func GetModuleTreeAndDependencies(module *moduleDepTree) (*xrayUtils.GraphNode,
 			childId := GavPackageTypeIdentifier + childName
 			childrenList = append(childrenList, childId)
 		}
+
 		moduleTreeMap[dependencyId] = xray.DepTreeNode{
-			Classifier: dependency.Classifier,
-			Types:      dependency.Types,
-			Children:   childrenList,
+			Classifier:     dependency.Classifier,
+			Types:          dependency.Types,
+			Children:       childrenList,
+			Unresolved:     dependency.Unresolved,
+			Configurations: dependency.Configurations,
 		}
 	}
 	return xray.BuildXrayDependencyTree(moduleTreeMap, GavPackageTypeIdentifier+module.Root)

sca/bom/buildinfo/technologies/java/gradle.go

@@ -159,7 +159,8 @@ func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFil
 		"-q",
 		gradleNoCacheFlag,
 		fmt.Sprintf("-Dcom.jfrog.depsTreeOutputFile=%s", outputFilePath),
-		"-Dcom.jfrog.includeAllBuildFiles=true"}
+		"-Dcom.jfrog.includeAllBuildFiles=true",
+		fmt.Sprintf("-Dcom.jfrog.includeIncludedBuilds=%t", gdt.useIncludedBuilds)}
 	log.Info("Running gradle deps tree command:", gradleExecPath, strings.Join(tasks, " "))
 	if output, err := exec.Command(gradleExecPath, tasks...).CombinedOutput(); err != nil {
 		return nil, errorutils.CheckErrorf("error running gradle-dep-tree: %s\n%s", err.Error(), string(output))

sca/bom/buildinfo/technologies/java/resources/gradle-dep-tree.jar

@@ -78,6 +78,7 @@ type AuditBasicParams struct {
 	xrayVersion                      string
 	xscVersion                       string
 	configProfile                    *xscservices.ConfigProfile
+	useIncludedBuilds                bool
 }
 
 func (abp *AuditBasicParams) DirectDependencies() *[]string {
@@ -136,6 +137,13 @@ func (abp *AuditBasicParams) SetMaxTreeDepth(maxTreeDepth string) *AuditBasicPar
 	return abp
 }
 
+func (abp *AuditBasicParams) UseIncludedBuilds() bool { return abp.useIncludedBuilds }
+
+func (abp *AuditBasicParams) SetUseIncludedBuilds(useIncludedBuilds bool) *AuditBasicParams {
+	abp.useIncludedBuilds = useIncludedBuilds
+	return abp
+}
+
 func (abp *AuditBasicParams) PipRequirementsFile() string {
 	return abp.pipRequirementsFile
 }

utils/auditbasicparams.go

@@ -7,19 +7,23 @@ import (
 const MaxUniqueAppearances = 10
 
 type DepTreeNode struct {
-	Classifier *string   `json:"classifier"`
-	Types      *[]string `json:"types"`
-	Children   []string  `json:"children"`
+	Classifier     *string   `json:"classifier"`
+	Types          *[]string `json:"types"`
+	Children       []string  `json:"children"`
+	Unresolved     bool      `json:"unresolved,omitempty"`
+	Configurations *[]string `json:"configurations,omitempty"`
 }
 
 func toNodeTypesMap(depMap map[string]DepTreeNode) map[string]*DepTreeNode {
 	mapOfTypes := map[string]*DepTreeNode{}
 	for nodId, value := range depMap {
 		mapOfTypes[nodId] = nil
-		if value.Types != nil || value.Classifier != nil {
+		if value.Types != nil || value.Classifier != nil || value.Configurations != nil {
 			mapOfTypes[nodId] = &DepTreeNode{
-				Classifier: value.Classifier,
-				Types:      value.Types,
+				Classifier:     value.Classifier,
+				Types:          value.Types,
+				Configurations: value.Configurations,
+				Unresolved:     value.Unresolved,
 			}
 		}
 	}