Gradle and SBT manifest parsers support(AST-146208)#1507

Open
cx-atish-jadhav wants to merge 17 commits into main from feature/manifest-parser
Conversation

cx-atish-jadhav (Contributor) commented Jun 29, 2026

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Add Gradle and SBT package manager normalization in OSS real-time scanning to enable support for these build systems.

The manifest-parser upgrade (v0.1.3) now parses Gradle and SBT manifests (build.gradle, build.sbt) in addition to Maven. However, the OSS Realtime Scanner service does not natively support Gradle and SBT package managers.

Solution: Implemented normalization logic to convert Gradle/SBT to Maven format before sending to the realtime scanner API, while preserving the original package manager metadata in the response so users see their actual build system (gradle/sbt) in results, not the normalized mvn.

Changes Made:

  • Added constants for gradle, sbt, and mvn package managers
  • Implemented dual-key map strategy in createPackageMap() for bidirectional lookup
  • Added normalization in pkgToRequest() to convert gradle/sbt → mvn for API calls
  • Preserved original PackageManager in enrichResponseWithRealtimeScannerResults() using map lookup
  • All Python packages (setup.py, poetry, etc.) normalize to 'pypi' in realtime scanner (no conversion needed)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

AST-146208

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Quality Assurance

  • Binary Size: 78 MB (no increase)
  • Linting: ✅ PASS (golangci-lint)
  • Tests: ✅ PASS (>77.7% coverage)
  • Security Scan: ✅ PASS (clean govulncheck)
  • go mod tidy: ✅ Executed

Screenshots (if applicable)

N/A

Additional Notes

Package Manager Support Matrix:

  • Gradle/SBT: Converted to Maven (realtime scanner normalization)
  • Maven: No conversion needed
  • NPM, Go, NuGet, PHP, Ruby, Dart: No conversion needed
  • Python (pypi): All formats (setup.py, poetry, pip) normalize to 'pypi' registry

Why only gradle, sbt, mvn constants?
The realtime scanner's PkgManagerMap only includes these package managers natively (plus others like npm, go, etc.). Gradle and SBT are the only ones requiring conversion logic because they're not in the scanner's supported list.
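
As an added illustration (not code from the PR itself), the normalization and dual-key lookup described above, in Go; the constant and function names, the Package shape and the sample coordinate are assumptions:

```go
package main

import "fmt"

// Package manager identifiers (constant names assumed; the PR only says
// constants for gradle, sbt and mvn were added).
const (
	pmGradle = "gradle"
	pmSbt    = "sbt"
	pmMaven  = "mvn"
)
// Package is a stand-in for a dependency parsed from a manifest (assumed shape).
type Package struct{ PackageManager, Name, Version string }

// normalizePackageManager maps build systems the realtime scanner does not
// know (gradle, sbt) onto the Maven ecosystem it does; all others pass through.
func normalizePackageManager(pm string) string {
	if pm == pmGradle || pm == pmSbt {
		return pmMaven
	}
	return pm
}

// packageKey is the lookup key a scanner result is matched against.
func packageKey(pm, name, version string) string { return pm + ":" + name + ":" + version }

// createPackageMap stores each package under its original manager and under the
// normalized one, so a scanner result that only says "mvn" can be mapped back
// to the manager the user actually declared.
func createPackageMap(pkgs []Package) map[string]Package {
	m := make(map[string]Package, 2*len(pkgs))
	for _, p := range pkgs {
		m[packageKey(p.PackageManager, p.Name, p.Version)] = p
		m[packageKey(normalizePackageManager(p.PackageManager), p.Name, p.Version)] = p
	}
	return m
}

// originalPackageManager resolves a scanner result back to the declared manager,
// falling back to the scanner's own value when the package is not in the map.
func originalPackageManager(m map[string]Package, scannerPM, name, version string) string {
	if p, ok := m[packageKey(scannerPM, name, version)]; ok {
		return p.PackageManager
	}
	return scannerPM
}

func main() {
	pkgs := []Package{{pmGradle, "org.apache.commons:commons-text", "1.10.0"}} // constructed sample
	m := createPackageMap(pkgs)
	fmt.Println(originalPackageManager(m, pmMaven, pkgs[0].Name, pkgs[0].Version)) // gradle
}
```

One caveat of the shared-key strategy: if the same artifact and version is declared under two managers that normalize to the same value (say a gradle and an mvn entry for one coordinate), both share the mvn key and the last one inserted wins the original-manager lookup.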

commit fc7392f
Author: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com>
Date:   Thu Jun 18 16:57:08 2026 +0300

    chore: remove .github/workflows/dependabot-auto-merge.yml
stepsecurity-app (Contributor) commented:

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy.

Disallowed Actions:

  • aidar-freeed/ai-codereviewer@a9a064dfa1db8c83f40ef63f6e247fa09c935ed6

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@cx-atish-jadhav cx-atish-jadhav changed the title Feature/manifest parser Gradle and SBT manifest parsers support(AST-146208) Jun 29, 2026
cx-atish-jadhav and others added 3 commits June 29, 2026 18:24
Fix goconst lint warning by replacing repeated "gradle"/"sbt"/"mvn"
string literals with named constants.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cx-anurag-dalke (Contributor) previously approved these changes Jul 1, 2026 and left a comment:

ok

cx-umesh-waghode (Collaborator) left a comment:

Looks good. Comments were discussed on call.

stepsecurity-app (Contributor) commented:

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.CX_BASE_URI at line 58
  • secrets.CX_CLIENT_ID at line 59
  • secrets.CX_CLIENT_SECRET at line 60
  • secrets.CX_BASE_AUTH_URI at line 61
  • secrets.CX_AST_USERNAME at line 62
  • secrets.CX_AST_PASSWORD at line 63
  • secrets.CX_APIKEY at line 64
  • secrets.CX_TENANT at line 65
  • secrets.CX_SCAN_SSH_KEY at line 66
  • secrets.PERSONAL_ACCESS_TOKEN at line 68
  • secrets.PROXY_USER at line 71
  • secrets.PROXY_PASSWORD at line 72
  • secrets.PR_GITLAB_TOKEN at line 77
  • secrets.PR_GITLAB_NAMESPACE at line 78
  • secrets.PR_GITLAB_REPO_NAME at line 79
  • secrets.PR_GITLAB_PROJECT_ID at line 80
  • secrets.PR_GITLAB_IID at line 81
  • secrets.AZURE_ORG at line 82
  • secrets.AZURE_PROJECT at line 83
  • secrets.AZURE_REPOS at line 84
  • secrets.AZURE_TOKEN at line 85
  • secrets.BITBUCKET_WORKSPACE at line 87
  • secrets.BITBUCKET_REPOS at line 88
  • secrets.BITBUCKET_USERNAME at line 89
  • secrets.BITBUCKET_PASSWORD at line 90
  • secrets.GITLAB_TOKEN at line 91
  • secrets.PR_BITBUCKET_TOKEN at line 93
  • secrets.DOCKER_USERNAME at line 173
  • secrets.DOCKER_PASSWORD at line 174

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

cx-anurag-dalke (Contributor) previously approved these changes Jul 1, 2026 and left a comment:

ok

@cx-anurag-dalke cx-anurag-dalke self-requested a review July 1, 2026 17:01
cx-anurag-dalke (Contributor) previously approved these changes Jul 1, 2026 and left a comment:

ok

cx-anurag-dalke (Contributor) left a comment:

ok
