gradlex

package
v0.0.0-...-1a28f28
Published: Jan 22, 2026 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package gradlex provides Gradle dependency extractors for Deputy.

This package implements multiple strategies for extracting Java/Maven dependencies from Gradle projects:

  • verification-metadata.xml: Parses Gradle's dependency verification metadata
  • gradle.lockfile: Parses Gradle dependency lockfiles (handled by OSV-SCALIBR)
  • build.gradle: Static parsing of Gradle build scripts to extract declared dependencies
  • gradle.properties: Parses property files for version variable resolution
  • libs.versions.toml: Parses Gradle version catalogs

The extractors work together with the GradleResolver in internal/dependency/graph to build complete dependency graphs using deps.dev for transitive resolution.

Extraction Strategy

For Gradle projects without lockfiles, the extraction follows this process:

  1. Parse gradle.properties and build.gradle ext{} blocks for version variables
  2. Parse libs.versions.toml for version catalog definitions
  3. Parse build.gradle files to extract dependency declarations
  4. Substitute version variables to get concrete coordinates
  5. Use deps.dev GetDependencies API to resolve transitive dependencies

This approach handles most Gradle projects without requiring Gradle execution, though complex projects with programmatic dependency generation may need the sandbox-based Gradle execution fallback.

Index

Constants

const (
	// BuildGradleName is the extractor name for build.gradle files.
	BuildGradleName = "java/buildgradle"
)
const (
	// GradleProjectName is the extractor name for comprehensive Gradle project extraction.
	GradleProjectName = "java/gradleproject"
)
const (
	// VerificationMetadataName is the extractor name for verification-metadata.xml files.
	VerificationMetadataName = "java/gradleverificationmetadata"
)

Variables

This section is empty.

Functions

func NewGradleProjectExtractor

func NewGradleProjectExtractor() filesystem.Extractor

NewGradleProjectExtractor returns a new comprehensive Gradle project extractor.

func NewVerificationMetadataExtractor

func NewVerificationMetadataExtractor() filesystem.Extractor

NewVerificationMetadataExtractor returns a new verification-metadata.xml extractor.

func ParseExtBlock

func ParseExtBlock(content []byte) map[string]string

ParseExtBlock extracts property definitions from Gradle ext {} blocks.

func ParseGradleProperties

func ParseGradleProperties(content []byte) map[string]string

ParseGradleProperties parses a gradle.properties file.

func RegisterBOMVersionResolver

func RegisterBOMVersionResolver(resolver BOMVersionResolver)

RegisterBOMVersionResolver registers a BOM version resolver. This should be called by the graph package to enable BOM resolution.

Types

type BOMVersionResolver

type BOMVersionResolver interface {
	// ResolveBOMVersions resolves versions for dependencies that are missing versions
	// by looking them up in the provided BOMs.
	ResolveBOMVersions(ctx context.Context, deps []MavenDependency, boms []GradleBOM) []MavenDependency
}

BOMVersionResolver resolves dependency versions from BOMs. This interface allows the graph package to register a resolver without creating an import cycle.

type BuildGradleExtractor

type BuildGradleExtractor struct{}

BuildGradleExtractor extracts Maven dependencies from Gradle build scripts.

This extractor performs static analysis of build.gradle and build.gradle.kts files to identify dependency declarations. It handles common patterns including:

  • Standard dependency configurations: implementation, api, compileOnly, etc.
  • String notation: implementation "group:artifact:version"
  • Map notation: implementation group: 'g', name: 'a', version: 'v'
  • Platform/BOM imports: implementation platform("group:artifact:version")
  • Project dependencies: implementation project(":module")
  • Version variables: implementation "group:artifact:$version"

Version variables are resolved using companion files (gradle.properties, ext blocks). Unresolved variables are reported with the variable name for later resolution.
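The following is an added example, not code from gradlex or Deputy. It walks through steps 1-4 of the Extraction Strategy above for the string-notation patterns in the list above: parse gradle.properties and the ext {} block, substitute $var and ${var} references, set platform()/enforcedPlatform() BOM imports aside, and split what remains into resolved and still-unresolved coordinates. The configuration whitelist, the Extract helper, the sample files and the rule that ext {} values override gradle.properties are assumptions made for the example. Map notation, project(":x") references and version-catalog aliases (libs.x.y) are left unhandled on purpose, and step 5 (deps.dev) is a network call that is not shown.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MavenDependency keeps the raw "$var" text in Version when nothing defines the
// variable, so IsResolved can flag it for later resolution instead of dropping it.
type MavenDependency struct{ GroupID, ArtifactID, Version, Scope string }

// IsResolved is true only for a concrete version: no variable, no range syntax.
func (d MavenDependency) IsResolved() bool { return d.Version != "" && !strings.ContainsAny(d.Version, "$[](),+") }

// GradleBOM is a platform() or enforcedPlatform() import.
type GradleBOM struct{ GroupID, ArtifactID, Version, Source string }

// Configurations treated as dependency declarations (assumed list; extend as needed).
var configs = map[string]bool{"implementation": true, "api": true, "compileOnly": true,
	"runtimeOnly": true, "testImplementation": true, "testRuntimeOnly": true}

var (
	extBlock = regexp.MustCompile(`(?s)\bext\s*\{(.*?)\}`)
	extEntry = regexp.MustCompile(`(?m)^\s*(\w+)\s*=\s*['"]([^'"]*)['"]`)
	// conf "g:a:v" | conf("g:a:v") | conf platform("g:a:v") | conf(enforcedPlatform("g:a:v"))
	strDep   = regexp.MustCompile(`^(\w+)\s*\(?\s*(?:(platform|enforcedPlatform)\s*\()?\s*['"]([^'"]+)['"]`)
	variable = regexp.MustCompile(`\$\{?([\w.]+)\}?`) // $name or ${name}
)

// ParseGradleProperties reads key=value lines, skipping blanks and comments.
func ParseGradleProperties(content []byte) map[string]string {
	props := map[string]string{}
	for _, raw := range strings.Split(string(content), "\n") {
		line := strings.TrimSpace(raw)
		if k, v, ok := strings.Cut(line, "="); ok && line[0] != '#' && line[0] != '!' {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props
}

// ParseExtBlock collects `name = "value"` assignments from ext { } blocks in a build script.
func ParseExtBlock(content []byte) map[string]string {
	props := map[string]string{}
	for _, blk := range extBlock.FindAllSubmatch(content, -1) {
		for _, kv := range extEntry.FindAllSubmatch(blk[1], -1) {
			props[string(kv[1])] = string(kv[2])
		}
	}
	return props
}

// substitute replaces $var and ${var} from props; unknown names stay in place to be reported.
func substitute(s string, props map[string]string) string {
	return variable.ReplaceAllStringFunc(s, func(ref string) string {
		if v, ok := props[variable.FindStringSubmatch(ref)[1]]; ok {
			return v
		}
		return ref
	})
}

// ParseBuildGradle extracts string-notation declarations with variables substituted from props.
// BOM imports come back separately; project(":x") references and catalog aliases produce nothing.
func ParseBuildGradle(content []byte, props map[string]string) (deps []MavenDependency, boms []GradleBOM) {
	for _, raw := range strings.Split(string(content), "\n") {
		m := strDep.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil || !configs[m[1]] {
			continue
		}
		p := append(strings.SplitN(substitute(m[3], props), ":", 4), "", "") // pad missing fields
		if m[2] != "" {
			boms = append(boms, GradleBOM{p[0], p[1], p[2], "platform"})
		} else {
			deps = append(deps, MavenDependency{p[0], p[1], p[2], m[1]})
		}
	}
	return deps, boms
}

// Extract runs steps 1-4 of the strategy; ext {} values override gradle.properties (assumption).
func Extract(properties, buildGradle []byte) (resolved, unresolved []MavenDependency, boms []GradleBOM) {
	props := ParseGradleProperties(properties)
	for k, v := range ParseExtBlock(buildGradle) {
		props[k] = v
	}
	deps, boms := ParseBuildGradle(buildGradle, props)
	for _, d := range deps {
		if d.IsResolved() {
			resolved = append(resolved, d)
		} else {
			unresolved = append(unresolved, d)
		}
	}
	return resolved, unresolved, boms
}

// Constructed inputs using each form above, plus one variable ($guavaVersion) nothing defines.
var sampleProperties = []byte("# shared versions\ngrpcVersion=1.58.1\norg.gradle.jvmargs=-Xmx2g\n")
var sampleBuildGradle = []byte(`ext { springBootVersion = '3.2.1' }
dependencies {
    implementation platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")
    implementation "io.grpc:grpc-api:$grpcVersion"
    implementation("com.google.guava:guava:$guavaVersion")
    implementation project(":core")
    testImplementation "org.junit.jupiter:junit-jupiter:5.10.1"
}
`)

func main() {
	resolved, unresolved, boms := Extract(sampleProperties, sampleBuildGradle)
	fmt.Println(len(boms), "BOM(s);", len(resolved), "resolved; still unresolved:", unresolved)
}
```

The unresolved entry keeps its "$guavaVersion" text rather than being dropped: that is the hook for BOM resolution (the spring-boot-dependencies platform found in the same file) or a deps.dev lookup, and silently discarding it would remove a dependency from the scan.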

func NewBuildGradleExtractor

func NewBuildGradleExtractor() *BuildGradleExtractor

NewBuildGradleExtractor returns a new build.gradle extractor.

func (*BuildGradleExtractor) Extract

Extract parses a build.gradle file and returns discovered dependencies.

func (*BuildGradleExtractor) FileRequired

func (e *BuildGradleExtractor) FileRequired(api filesystem.FileAPI) bool

FileRequired returns true if the file is a Gradle build script.

func (*BuildGradleExtractor) Name

func (e *BuildGradleExtractor) Name() string

Name returns the extractor name.

func (*BuildGradleExtractor) Requirements

func (e *BuildGradleExtractor) Requirements() *plugin.Capabilities

Requirements returns the extractor's required capabilities.

func (*BuildGradleExtractor) Version

func (e *BuildGradleExtractor) Version() int

Version returns the extractor version.

type CatalogLibrary

type CatalogLibrary struct {
	Group   string
	Name    string
	Version string // resolved version or version.ref
}

CatalogLibrary represents a library in the version catalog.

type CatalogPlugin

type CatalogPlugin struct {
	ID      string
	Version string
}

CatalogPlugin represents a plugin in the version catalog.

type GradleBOM

type GradleBOM struct {
	GroupID    string
	ArtifactID string
	Version    string
	Source     string // "platform", "plugin", or "catalog"
}

GradleBOM represents a detected BOM (Bill of Materials) in a Gradle project.

func ParseBOMs

func ParseBOMs(content []byte, props map[string]string) []GradleBOM

ParseBOMs extracts all BOMs from a build.gradle file. It detects BOMs from:

  • platform("group:artifact:version") declarations
  • enforcedPlatform("group:artifact:version") declarations
  • Known Gradle plugins (e.g., org.springframework.boot)

type GradleModule

type GradleModule struct {
	Name         string
	Path         string
	Dependencies []MavenDependency
}

GradleModule represents a single module in a Gradle project.

type GradleProject

type GradleProject struct {
	RootDir    string
	Settings   *GradleSettings
	Properties map[string]string
	Catalog    *VersionCatalog
	Modules    map[string]*GradleModule
}

GradleProject represents a parsed Gradle project with all its configuration.

func LoadGradleProject

func LoadGradleProject(ctx context.Context, fsys scalibrfs.FS, rootDir string) (*GradleProject, error)

LoadGradleProject loads a complete Gradle project from a filesystem.

func (*GradleProject) AllDependencies

func (p *GradleProject) AllDependencies() []MavenDependency

AllDependencies returns all dependencies from all modules, deduplicated.

func (*GradleProject) ResolvedDependencies

func (p *GradleProject) ResolvedDependencies() []MavenDependency

ResolvedDependencies returns dependencies with all versions resolved. Dependencies with unresolved variables are filtered out.

type GradleProjectExtractor

type GradleProjectExtractor struct{}

GradleProjectExtractor provides comprehensive dependency extraction for Gradle projects.

This extractor combines multiple sources of dependency information:

  • settings.gradle: Identifies multi-module projects
  • gradle.properties: Version variables
  • libs.versions.toml: Version catalog (Gradle 7+)
  • build.gradle: Dependency declarations with variable substitution
  • gradle.lockfile: Resolved dependencies (if present)
  • verification-metadata.xml: Verified dependencies (if present)

The extractor prioritizes lockfiles and verification metadata when available, falling back to static analysis of build scripts when they're not present.

func (*GradleProjectExtractor) Extract

Extract performs comprehensive dependency extraction for a Gradle project.

func (*GradleProjectExtractor) FileRequired

func (e *GradleProjectExtractor) FileRequired(api filesystem.FileAPI) bool

FileRequired returns true for settings.gradle files (project root markers). This extractor triggers on the project root and then scans the entire project.

func (*GradleProjectExtractor) Name

func (e *GradleProjectExtractor) Name() string

Name returns the extractor name.

func (*GradleProjectExtractor) Requirements

func (e *GradleProjectExtractor) Requirements() *plugin.Capabilities

Requirements returns the extractor's required capabilities.

func (*GradleProjectExtractor) Version

func (e *GradleProjectExtractor) Version() int

Version returns the extractor version.

type GradleSettings

type GradleSettings struct {
	RootProjectName string
	Includes        []string
}

GradleSettings represents parsed settings.gradle content.

func ParseSettingsGradle

func ParseSettingsGradle(content []byte) (*GradleSettings, error)

ParseSettingsGradle parses a settings.gradle file to extract project structure.

func (*GradleSettings) IsMultiModule

func (s *GradleSettings) IsMultiModule() bool

IsMultiModule returns true if this is a multi-module project.
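As an added example (not code from gradlex or Deputy), here is a standalone settings.gradle parser in the shape of ParseSettingsGradle and IsMultiModule. It accepts both the Groovy and the Kotlin DSL include forms, ignores includeBuild (a composite build, not a subproject), and maps project paths to the directories Gradle uses by default. ModuleDir, the omitted error return and the sample input are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GradleSettings is the subset of settings.gradle an extractor needs: the root
// project name and the included subprojects.
type GradleSettings struct {
	RootProjectName string
	Includes        []string // Gradle project paths without the leading ':'
}

func (s *GradleSettings) IsMultiModule() bool { return len(s.Includes) > 0 }

var (
	rootNameRe = regexp.MustCompile(`rootProject\.name\s*=\s*['"]([^'"]+)['"]`)
	// `include ':a', ':b'` (Groovy) or `include(":a")` (Kotlin); \b keeps includeBuild,
	// which declares a composite build rather than a subproject, from matching.
	includeRe = regexp.MustCompile(`(?m)^\s*include\b\s*\(?\s*(.+?)\)?\s*$`)
	quotedRe  = regexp.MustCompile(`['"]([^'"]+)['"]`)
)

// ParseSettingsGradle extracts the project structure from settings.gradle(.kts).
func ParseSettingsGradle(content []byte) *GradleSettings {
	s := &GradleSettings{}
	if m := rootNameRe.FindSubmatch(content); m != nil {
		s.RootProjectName = string(m[1])
	}
	for _, inc := range includeRe.FindAllSubmatch(content, -1) {
		for _, q := range quotedRe.FindAllSubmatch(inc[1], -1) {
			s.Includes = append(s.Includes, strings.TrimPrefix(string(q[1]), ":"))
		}
	}
	return s
}

// ModuleDir maps a project path such as "services:api" to Gradle's default
// directory for it (services/api); custom projectDir overrides are not handled.
func ModuleDir(projectPath string) string { return strings.ReplaceAll(projectPath, ":", "/") }

// Constructed sample mixing Groovy and Kotlin-style includes plus a composite build.
var sampleSettings = []byte(`rootProject.name = 'deputy'
include ':app', ':lib'
include(":services:api")
include 'tools'
includeBuild '../shared-build'
`)

func main() {
	s := ParseSettingsGradle(sampleSettings)
	fmt.Println("root:", s.RootProjectName, "multi-module:", s.IsMultiModule())
	for _, p := range s.Includes {
		fmt.Println(p, "->", ModuleDir(p)+"/build.gradle")
	}
}
```

Each include path becomes a directory whose build.gradle or build.gradle.kts is then scanned; a subproject whose directory was relocated with a projectDir assignment in settings.gradle would be missed by this mapping.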

type MavenDependency

type MavenDependency struct {
	GroupID    string
	ArtifactID string
	Version    string
	Scope      string
	Classifier string
	Type       string
	Optional   bool
	Exclusions []MavenExclusion
}

MavenDependency represents a Maven dependency coordinate.

func ParseBuildGradle

func ParseBuildGradle(content []byte, props map[string]string) ([]MavenDependency, error)

ParseBuildGradle parses a build.gradle file and extracts dependencies. The props map is used for variable substitution.

func ParseVerificationMetadata

func ParseVerificationMetadata(content []byte) ([]MavenDependency, error)

ParseVerificationMetadata parses verification-metadata.xml content and returns dependencies. This is a utility function for use outside the extractor context.

func (MavenDependency) Coordinate

func (d MavenDependency) Coordinate() string

Coordinate returns the Maven coordinate string (groupId:artifactId:version).

func (MavenDependency) IsResolved

func (d MavenDependency) IsResolved() bool

IsResolved returns true if the dependency has a concrete version (not a variable or range).

func (MavenDependency) Name

func (d MavenDependency) Name() string

Name returns the Maven name (groupId:artifactId).

func (MavenDependency) PURL

func (d MavenDependency) PURL() string

PURL returns the Package URL for this dependency.

type MavenExclusion

type MavenExclusion struct {
	GroupID    string
	ArtifactID string
}

MavenExclusion represents an exclusion in a Maven dependency.

type MavenMetadata

type MavenMetadata struct {
	GroupID    string
	ArtifactID string
	Classifier string
	Type       string
	Scope      string
}

MavenMetadata contains Maven-specific package metadata.

type VerificationMetadataExtractor

type VerificationMetadataExtractor struct{}

VerificationMetadataExtractor extracts Maven packages from Gradle verification-metadata.xml files.

Gradle's dependency verification feature writes this XML file, which lists every resolved component together with the checksums of its artifacts. It is a reliable source for dependency extraction because it records the concrete resolved versions (not ranges or variables). Two caveats apply when treating it as ground truth: --write-verification-metadata records whatever Gradle downloaded at generation time, so the checksums are only as trustworthy as that download and the review the file receives afterwards; and the file only covers the configurations resolved when it was written, so it goes stale when dependencies change without it being regenerated.

The file is typically located at gradle/verification-metadata.xml and is generated with:

./gradlew --write-verification-metadata sha256
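An added example, not code from gradlex or Deputy, that parses a verification-metadata.xml of the shape described and then uses what it parsed: because the file carries the sha256 of every artifact, the same parse yields a checksum table against which a downloaded jar can be checked before it is trusted. The XML sample is constructed for the example, with sha256("hello") and sha256("") as the recorded values so the check runs offline; Verified, VerifyArtifact and the failure on artifacts the file does not mention are assumptions, not the package's API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// Subset of the verification-metadata.xml schema an extractor needs. encoding/xml
// matches local element names, so the default namespace on the root is ignored.
type verificationMetadata struct {
	Components []component `xml:"components>component"`
}

type component struct {
	Group     string     `xml:"group,attr"`
	Name      string     `xml:"name,attr"`
	Version   string     `xml:"version,attr"`
	Artifacts []artifact `xml:"artifact"`
}

type artifact struct {
	Name   string `xml:"name,attr"`
	SHA256 struct {
		Value string `xml:"value,attr"`
	} `xml:"sha256"`
}

type MavenDependency struct{ GroupID, ArtifactID, Version string }

func (d MavenDependency) Coordinate() string { return d.GroupID + ":" + d.ArtifactID + ":" + d.Version }

// Verified is the parsed result: the dependency list plus a checksum table keyed by artifact file name.
type Verified struct {
	Deps      []MavenDependency
	Checksums map[string]string
}

// ParseVerificationMetadata extracts resolved coordinates and recorded sha256 values.
// A component without full coordinates is an error rather than a silently partial result.
func ParseVerificationMetadata(content []byte) (*Verified, error) {
	var vm verificationMetadata
	if err := xml.Unmarshal(content, &vm); err != nil {
		return nil, fmt.Errorf("verification-metadata.xml: %w", err)
	}
	out := &Verified{Checksums: map[string]string{}}
	for _, c := range vm.Components {
		if c.Group == "" || c.Name == "" || c.Version == "" {
			return nil, fmt.Errorf("component missing coordinates: %q/%q/%q", c.Group, c.Name, c.Version)
		}
		out.Deps = append(out.Deps, MavenDependency{c.Group, c.Name, c.Version})
		for _, a := range c.Artifacts {
			if a.SHA256.Value != "" {
				out.Checksums[a.Name] = strings.ToLower(a.SHA256.Value)
			}
		}
	}
	return out, nil
}

// VerifyArtifact compares the sha256 of downloaded bytes with the recorded value.
// An artifact the file does not mention is a failure, not a pass.
func (v *Verified) VerifyArtifact(fileName string, data []byte) error {
	want, ok := v.Checksums[fileName]
	if !ok {
		return fmt.Errorf("%s: no sha256 recorded in verification metadata", fileName)
	}
	sum := sha256.Sum256(data)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: sha256 mismatch: got %s, want %s", fileName, got, want)
	}
	return nil
}

// Constructed sample in the shape `./gradlew --write-verification-metadata sha256` produces.
// The checksums are sha256("hello") and sha256("") so the check can run offline.
var sampleMetadata = []byte(`<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.apache.commons" name="commons-lang3" version="3.12.0">
         <artifact name="commons-lang3-3.12.0.jar">
            <sha256 value="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="io.grpc" name="grpc-api" version="1.58.1">
         <artifact name="grpc-api-1.58.1.jar">
            <sha256 value="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>`)

func main() {
	v, err := ParseVerificationMetadata(sampleMetadata)
	if err != nil {
		panic(err)
	}
	for _, d := range v.Deps {
		fmt.Println(d.Coordinate())
	}
	fmt.Println(v.VerifyArtifact("commons-lang3-3.12.0.jar", []byte("hello")))    // <nil>
	fmt.Println(v.VerifyArtifact("commons-lang3-3.12.0.jar", []byte("tampered"))) // sha256 mismatch
}
```

The extractor only needs Deps; the checksum table is what a build or scanning pipeline can use to confirm that a jar it is about to load matches what the repository committed to, which is the property the verification file exists to provide.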

func (*VerificationMetadataExtractor) Extract

Extract parses a verification-metadata.xml file and returns discovered Maven packages.

func (*VerificationMetadataExtractor) FileRequired

FileRequired returns true if the file matches the verification-metadata.xml pattern. The file must be named "verification-metadata.xml" and located in a "gradle" directory.

func (*VerificationMetadataExtractor) Name

Name returns the extractor name.

func (*VerificationMetadataExtractor) Requirements

Requirements returns the extractor's required capabilities.

func (*VerificationMetadataExtractor) Version

func (e *VerificationMetadataExtractor) Version() int

Version returns the extractor version.

type VersionCatalog

type VersionCatalog struct {
	Versions  map[string]string         // version aliases -> version strings
	Libraries map[string]CatalogLibrary // library aliases -> library definitions
	Bundles   map[string][]string       // bundle names -> list of library aliases
	Plugins   map[string]CatalogPlugin  // plugin aliases -> plugin definitions
}

VersionCatalog represents a parsed Gradle version catalog (libs.versions.toml).

Version catalogs are Gradle's modern way of centralizing dependency versions. They contain four sections:

  • [versions]: Version constants that can be referenced elsewhere
  • [libraries]: Dependency declarations with group, name, and version
  • [bundles]: Groups of libraries that can be added together
  • [plugins]: Gradle plugin declarations

func ParseVersionCatalog

func ParseVersionCatalog(content []byte) (*VersionCatalog, error)

ParseVersionCatalog parses a libs.versions.toml file.

Example format:

[versions]
kotlin = "1.9.0"
grpc = "1.58.1"

[libraries]
grpc-api = { group = "io.grpc", name = "grpc-api", version.ref = "grpc" }
kotlin-stdlib = "org.jetbrains.kotlin:kotlin-stdlib:1.9.0"

[bundles]
grpc = ["grpc-api", "grpc-stub"]

[plugins]
kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }

func (*VersionCatalog) GetBundleLibraries

func (c *VersionCatalog) GetBundleLibraries(bundleName string) []MavenDependency

GetBundleLibraries returns all libraries in a bundle.

func (*VersionCatalog) GetLibraries

func (c *VersionCatalog) GetLibraries() []MavenDependency

GetLibraries returns all libraries with resolved versions as MavenDependencies.

func (*VersionCatalog) String

func (c *VersionCatalog) String() string

String returns a human-readable representation of the catalog.

func (*VersionCatalog) ToProperties

func (c *VersionCatalog) ToProperties() map[string]string

ToProperties returns version catalog versions as a properties map. This can be used to resolve version references in build.gradle files.
