Gradle and SBT manifest parsers support (AST-146208) #1507
cx-atish-jadhav wants to merge 17 commits into
# Conflicts: # go.mod
commit fc7392f
Author: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com>
Date:   Thu Jun 18 16:57:08 2026 +0300

    chore: remove .github/workflows/dependabot-auto-merge.yml
Security Policy Alert: Actions Policy Violation
This workflow run has been blocked by StepSecurity's actions policy. Disallowed Actions:
To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed. For more information, see StepSecurity's Actions Policy documentation.
Fix goconst lint warning by replacing repeated "gradle"/"sbt"/"mvn" string literals with named constants. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cx-umesh-waghode
left a comment
Looks good. comments were discussed on call
58ce531
Security Policy Alert: Secret Policy Violation
This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. Secret references detected:
To approve this workflow, please add the Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation.
By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.
Description
Add Gradle and SBT package manager normalization in OSS real-time scanning to enable support for these build systems.
The manifest-parser upgrade (v0.1.3) now parses Gradle and SBT manifests (build.gradle, build.sbt) in addition to Maven. However, the OSS Realtime Scanner service does not natively support Gradle and SBT package managers.
Solution: Implemented normalization logic to convert Gradle/SBT to Maven format before sending to the realtime scanner API, while preserving the original package manager metadata in the response so users see their actual build system (gradle/sbt) in results, not the normalized mvn.
Changes Made:
- createPackageMap() for bidirectional lookup
- pkgToRequest() to convert gradle/sbt → mvn for API calls
- enrichResponseWithRealtimeScannerResults() using map lookup
Type of Change
Related Issues
AST-146208
Checklist
Quality Assurance
Screenshots (if applicable)
N/A
Additional Notes
Package Manager Support Matrix:
Why only gradle, sbt, mvn constants?
The realtime scanner's PkgManagerMap only includes these package managers natively (plus others like npm, go, etc.). Gradle and SBT are the only ones requiring conversion logic because they're not in the scanner's supported list.
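The normalization described in this PR (gradle/sbt rewritten to mvn for the API call, original manager restored from a map on the way back), as an added illustration that is not the project's code: the function names follow the change list above, but the `Package` type, signatures and the key format are assumptions of this example.

```go
package main

// Manager names as the manifest parser reports them and as the realtime
// scanner accepts them (constructed names, not the project's own code).
const pmGradle, pmSbt, pmMvn = "gradle", "sbt", "mvn"

// Package is a dependency from a manifest, or a finding the scanner returns.
type Package struct{ PackageManager, Name, Version string }

// normalizeManager rewrites gradle and sbt to the Maven ecosystem the
// scanner understands; every other manager passes through unchanged.
func normalizeManager(pm string) string {
	if pm == pmGradle || pm == pmSbt {
		return pmMvn
	}
	return pm
}

// packageKey uses the normalized manager, so a gradle package and the mvn
// result the scanner returns for it hit the same map entry.
func packageKey(p Package) string {
	return normalizeManager(p.PackageManager) + ":" + p.Name + ":" + p.Version
}

// createPackageMap indexes the original packages by that key so the
// manifest's own package manager can be restored when results come back.
// Caveat: the same coordinate in both a build.gradle and a build.sbt
// collides on one key, and the last one indexed wins.
func createPackageMap(pkgs []Package) map[string]Package {
	m := make(map[string]Package, len(pkgs))
	for _, p := range pkgs {
		m[packageKey(p)] = p
	}
	return m
}

// pkgToRequest is what goes to the scanner API: gradle/sbt rewritten as mvn.
func pkgToRequest(p Package) Package {
	return Package{normalizeManager(p.PackageManager), p.Name, p.Version}
}

// enrichResults puts the original manager back on each result so users see
// "gradle" or "sbt" rather than "mvn"; results with no match are left as-is.
func enrichResults(results []Package, pkgMap map[string]Package) []Package {
	for i, r := range results {
		if orig, ok := pkgMap[packageKey(r)]; ok {
			results[i].PackageManager = orig.PackageManager
		}
	}
	return results
}
```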