Gradle maintains a build cache with a trove of package origins. This may not be super useful for a regular codebase scan, but is a great way to collect PURLs for indexing prior to matching.
There is a .module JSON file stored in a path like this:
gradle|.gradle/modules-2/files-2.1/<maven dotted groupid, like "io.spring.gradle">/<maven artifactid, like "dependency-management-plugin">/<version, like 1.1.3>/<SHA1 of artifact, like 3209385654a7e661d68de95a5ea8fc11d8ce015e>/<name>-<version>.module, as in dependency-management-plugin-1.1.3.module
And it looks like this:
{
  "formatVersion": "1.1",
  "component": {
    "group": "com.google.android.material",
    "module": "material",
    "version": "1.9.0",
    "attributes": {
      "org.gradle.status": "release"
    }
  },
  "createdBy": {
    "gradle": {
      "version": "7.3.3"
    }
  },
  "variants": [
    {
      "name": "releaseVariantReleaseApiPublication",
      "attributes": {
        "org.gradle.category": "library",
        "org.gradle.dependency.bundling": "external",
        "org.gradle.libraryelements": "aar",
        "org.gradle.usage": "java-api"
      },
      "dependencies": [
        {
          "group": "androidx.annotation",
          "module": "annotation",
          "version": {
            "requires": "1.2.0"
          }
        },
        {
          "group": "androidx.appcompat",
          "module": "appcompat",
          "version": {
            "requires": "1.5.0"
          }
        },
        {
          "group": "androidx.cardview",
          "module": "cardview",
          "version": {
            "requires": "1.0.0"
          }
        },
        {
          "group": "androidx.coordinatorlayout",
          "module": "coordinatorlayout",
          "version": {
            "requires": "1.1.0"
          }
        },
        {
          "group": "androidx.constraintlayout",
          "module": "constraintlayout",
          "version": {
            "requires": "2.0.1"
          }
        },
        ........
        }
      ],
      "files": [
        {
          "name": "material-1.9.0.aar",
          "url": "material-1.9.0.aar",
          "size": 2202178,
          "sha512": "7630aacb9e3073b2064397ed080b8d5bf7db06ba2022d6c927e05b7d53c5787d8153cd4a0360c36d52a79a7361e0b87f9d5fe856caf5ce5e7a89a9f30d9c7cce",
          "sha256": "6cc2359979269e4d9eddce7d84682d2bb06a35a14edce806bf0da6e8d4d31806",
          "sha1": "08f4a93a381be223a5bbaacd46eaab92381ab6a8",
          "md5": "3287103cfb083fb998a35ef8a1983c58"
        }
      ]
    },
    {
      "name": "releaseVariantReleaseRuntimePublication",
      "attributes": {
        "org.gradle.category": "library",
        "org.gradle.dependency.bundling": "external",
        "org.gradle.libraryelements": "aar",
        "org.gradle.usage": "java-runtime"
      },
      "dependencies": [
        {
          "group": "com.google.errorprone",
          "module": "error_prone_annotations",
          "version": {
            "requires": "2.15.0"
          }
        },
        {
          "group": "androidx.annotation",
          "module": "annotation",
          "version": {
            "requires": "1.2.0"
          }
        },
        {
        .................

See also:
See examples of these at:
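
An added example, not part of the original issue or of any project's code: one way to turn a parsed .module document into PURLs for indexing, keeping the published checksums next to the component PURL so a later match can be verified against the artifact. The helper names (`maven_purl`, `declared_version`, `collect_purls`) are hypothetical, the PURL builder is simplified (no classifier or subpath), and the sample is a trimmed, constructed copy of the JSON above.

```python
from urllib.parse import quote

# Constructed sample: a trimmed copy of the material-1.9.0.module shown above.
SAMPLE = {
    "formatVersion": "1.1",
    "component": {"group": "com.google.android.material", "module": "material", "version": "1.9.0"},
    "variants": [
        {"name": "releaseVariantReleaseApiPublication",
         "dependencies": [
             {"group": "androidx.annotation", "module": "annotation", "version": {"requires": "1.2.0"}},
             {"group": "androidx.appcompat", "module": "appcompat", "version": {"requires": "1.5.0"}}],
         "files": [{"name": "material-1.9.0.aar",
                    "sha256": "6cc2359979269e4d9eddce7d84682d2bb06a35a14edce806bf0da6e8d4d31806",
                    "sha1": "08f4a93a381be223a5bbaacd46eaab92381ab6a8"}]},
        {"name": "releaseVariantReleaseRuntimePublication",
         "dependencies": [
             {"group": "com.google.errorprone", "module": "error_prone_annotations", "version": {"requires": "2.15.0"}},
             {"group": "androidx.annotation", "module": "annotation", "version": {"requires": "1.2.0"}}]},
    ],
}

def maven_purl(group, module, version=None, ext=None):
    """Hypothetical helper: pkg:maven PURL with an optional type qualifier."""
    purl = f"pkg:maven/{quote(group, safe='')}/{quote(module, safe='')}"
    if version:
        purl += "@" + quote(version, safe="")
    if ext and ext != "jar":  # jar is the implied default type for pkg:maven
        purl += "?type=" + quote(ext, safe="")
    return purl

def declared_version(spec):
    """Pick one version from a Gradle version object; None if unconstrained."""
    spec = spec or {}
    return spec.get("strictly") or spec.get("requires") or spec.get("prefers")

def collect_purls(doc):
    """Return ({component_purl: checksums}, sorted unique dependency PURLs)."""
    comp, packages, deps = doc["component"], {}, set()
    for variant in doc.get("variants", []):
        for f in variant.get("files", []):
            ext = f["name"].rsplit(".", 1)[-1] if "." in f["name"] else None
            key = maven_purl(comp["group"], comp["module"], comp["version"], ext)
            packages.setdefault(key, {}).update(
                {k: f[k] for k in ("sha1", "sha256", "sha512", "md5") if k in f})
        for d in variant.get("dependencies", []):
            deps.add(maven_purl(d["group"], d["module"], declared_version(d.get("version"))))
    return packages, sorted(deps)

if __name__ == "__main__":
    pkgs, deps = collect_purls(SAMPLE)
    print(pkgs, *deps, sep="\n")
```

Dependencies repeated across variants collapse to one PURL, and a dependency with no version object yields an unversioned PURL rather than an error.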