Add support for Gradle version catalog dependencies #4704
Kaushik-Kumar-CEG wants to merge 1 commit into aboutcode-org:develop from
@pombredanne @AyanSinhaMahapatra
AyanSinhaMahapatra left a comment
@Kaushik-Kumar-CEG thanks, see comments for your consideration.
| 'version': version | ||
| } | ||
| return alias_map | ||
| except Exception as e: |
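Review bot: the `except Exception as e:` closing this hunk is a blanket catch around the whole alias-map build, so a malformed or half-written catalog is treated the same as a missing one and the caller gets no signal that resolution failed. Since the package plugin already wraps parsing in its own catch-all, let the error propagate (or catch only the TOML parse error and log it) rather than swallowing it here.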
Exception handling is present upstream in the package plugin as generic catchalls for failure to parse so this is not required.
Removed the try/except block, letting exceptions propagate to the upstream catchall.
| if os.path.exists(loc): | ||
| catalog_path = loc | ||
| break | ||
| if not catalog_path: |
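Review bot: `os.path.exists(loc)` in this hunk also accepts a directory or any other non-regular path that happens to carry the catalog name, and the `break` then stops the search on that first hit, so the later read fails instead of falling through to the next candidate. Use `os.path.isfile(loc)` so only an actual catalog file short-circuits the loop.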
Could you have spaces between blocks of code, improves readability.
Added blank lines between logical blocks and ensured proper spacing.
| 'scope': dep.get('scope', '') | ||
| }) | ||
| # Skip if not found in catalog - prevents incomplete PURLs | ||
| continue |
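Review bot: the `continue` at the end of this hunk drops every dependency whose alias is absent from the catalog, and the comment `# Skip if not found in catalog - prevents incomplete PURLs` presents that as a feature; in practice it hides a stale or mis-typed catalog reference from the scan output entirely. Emit the dependency with its raw `libs.*` reference and no resolved version instead, so the gap is visible in the results as it was before this change.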
Not sure if I want to ignore these altogether, I still want to have these as before, shows something is wrong instead of ignoring silently.
Changed the logic so unresolved catalog references are kept as is instead of being silently dropped. Only resolved ones get replaced now.
| "is_optional": false, | ||
| "is_pinned": true, | ||
| "is_direct": true, | ||
| "resolved_package": {}, |
We want to create a resolved_package for pinned requirements.
Added resolved_package for all pinned dependencies. This follows the same pattern used in the npm and nuget handlers. Also, this adds ~45 lines of PackageData per pinned dep in every expected JSON fixture, which is why the diff looks large (~2800 lines are just regenerated test fixtures).
| @@ -0,0 +1,12 @@ | |||
| [versions] | |||
Can you add the link to this file as a comment here?
We need to know the source
Could you also add another real example?
Added source links to both the build.gradle and libs.versions.toml files. Also added a second test case from nicbell/material-lists — a real Groovy project that uses version catalogs with the module syntax format, and added support for that TOML format as well.
fixes aboutcode-org#4521
- Parse gradle/libs.versions.toml for version catalog dependencies
- Support both group/name dict and module string TOML formats
- Add resolved_package for pinned dependencies
- Keep unresolved catalog references visible instead of silently skipping
- Add test fixtures from F-Droid client and nicbell/material-lists
- Remove dead DEPENDENCY-5 handler code
Signed-off-by: Kaushik <kaushikrjpm10@gmail.com>
e94ee2e to c4279ac
@AyanSinhaMahapatra
fixes #4521
The Issue
The current Gradle parser reports incomplete Maven PURLs (e.g., pkg:maven/androidx) when scanning build.gradle files that use modern Gradle version catalog references (like libs.androidx.appcompat).
The Approach
This PR adds support for parsing gradle/libs.versions.toml to dynamically resolve version catalog aliases into full, accurate Maven coordinates.
- DEPENDENCY-VERSION-CATALOG rule to match libs.x.y.z patterns in the existing pygmars parser
- parse_version_catalog() to locate, read, and parse TOML catalog files
- get_dependencies() to intercept and resolve these catalog references during extraction to generate complete PURLs
Before Fix:
After Fix:
Verification
fdroid-version-catalog) including a sample libs.versions.toml and expected JSON output.
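A self-contained illustration of the resolution this PR describes, added here as an example and not code from the PR or from scancode-toolkit: a subset parser for the two TOML library forms named in the description (explicit `group`/`name` with `version.ref`, and the compact `module = "group:name"` string), plus a lookup that turns a `libs.x.y` reference into a Maven PURL and returns None for unresolved aliases so the caller can keep the raw reference visible rather than drop it. The catalog text is constructed, the function names `load_version_catalog` and `resolve_purl` are this example's own (not the PR's `parse_version_catalog()`), and PURL strings are built by plain formatting without the encoding a real packageurl library applies.

```python
import re

# Constructed sample catalog (not a PR fixture): explicit and compact forms, version.ref and literal version.
CATALOG = """[versions]
appcompat = "1.6.1"
material = "1.11.0"
[libraries]
androidx-appcompat = { group = "androidx.appcompat", name = "appcompat", version.ref = "appcompat" }
material = { module = "com.google.android.material:material", version.ref = "material" }
okhttp = { module = "com.squareup.okhttp3:okhttp", version = "4.12.0" }
"""

# key = "value" pairs inside an inline table; the key may be dotted (version.ref)
PAIR_RE = re.compile(r'([\w.-]+)\s*=\s*"([^"]*)"')

def load_version_catalog(text):
    """Map Gradle accessors (libs.androidx.appcompat) to (group, name, version).
    Parses only the [versions]/[libraries] subset catalogs use; real code would
    use a full TOML parser. version is None when it cannot be resolved."""
    versions, libraries, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[] ")
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "versions":
            versions[key] = value.strip('"')
        elif section == "libraries":
            fields = dict(PAIR_RE.findall(value))
            if "module" in fields:  # compact "group:name" string
                group, _, name = fields["module"].partition(":")
            else:  # explicit group = ..., name = ...
                group, name = fields.get("group"), fields.get("name")
            version = fields.get("version") or versions.get(fields.get("version.ref"))
            # Gradle turns '-' and '_' in the alias into '.' in the accessor
            libraries["libs." + re.sub(r"[-_]", ".", key)] = (group, name, version)
    return libraries

def resolve_purl(reference, libraries):
    """Maven PURL for a libs.* reference, or None when the alias is not in the
    catalog, so the caller keeps the raw reference visible instead of dropping it."""
    group, name, version = libraries.get(reference, (None, None, None))
    if not group or not name:
        return None
    purl = f"pkg:maven/{group}/{name}"
    return f"{purl}@{version}" if version else purl
```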