Introduce a Gradle inspector #6782

Merged 5 commits on Apr 4, 2023

Commits on Mar 31, 2023

  1. fix(PackageManager): Default to only enabled managers

    This is a fixup for 38db2a5.
    
    Signed-off-by: Sebastian Schuberth <[email protected]>
    sschuberth committed Mar 31, 2023
    bcd9f85

Commits on Apr 3, 2023

  1. feat(package-managers): Add beginnings of a Gradle inspector

    Start a novel approach based on a stand-alone Gradle plugin (written in
    Kotlin) to analyze Gradle projects. The goal is to address shortcomings of
    the current implementation:
    
    - The `init.gradle` script cannot be debugged (only `buildSrc` and
      stand-alone plugins can [1]).
    
    - The dynamically typed Groovy code is hard to maintain.
    
    - Analysis of modern Android apps throws exceptions due to ambiguous
      configuration / variant selection.
    
    - Binary artifacts are unnecessarily resolved.
    
    - Maven is used to resolve metadata about artifacts, imitating Gradle's
      resolution logic / repositories to query.
    
    At this stage the analysis only builds up the dependency tree to limit
    the complexity of this initial implementation. Parsing of package
    metadata will be added in follow-up changes.
    
    Also, the new `GradleInspector` plugin is disabled by default for now to
    not interfere with the existing `Gradle` plugin.
    
    Resolves #6158.
    
    [1]: https://docs.gradle.org/current/userguide/troubleshooting.html#sec:troubleshooting_build_logic
    
    Signed-off-by: Sebastian Schuberth <[email protected]>
    sschuberth committed Apr 3, 2023
    9a9e665
  2. feat(gradle-inspector): Parse package metadata from Maven POMs

    Explicitly resolve parent POMs to ensure they are available as XML files
    in the Gradle cache. Based on that, build the effective POMs for all
    dependencies in order to parse package metadata from them. As the POMs are
    retrieved from the Gradle cache, no download via Maven is involved.
    
    Note that the Maven-model-specific code is mostly based on code from
    `MavenSupport`, adjusted to work with slightly different classes.
    
    Signed-off-by: Sebastian Schuberth <[email protected]>
    sschuberth committed Apr 3, 2023
    65b2f91
  3. feat(gradle-inspector): Create remote artifacts for packages

    Create remote artifacts based on the POM URLs. The hashes for the
    artifacts are retrieved from the respective accompanying text files,
    without downloading the artifact itself.
    
    Note that this approach will fail for private Maven repositories even if
    Gradle is configured with the credentials, as this download happens
    directly via OkHttp.
    
    Signed-off-by: Sebastian Schuberth <[email protected]>
    sschuberth committed Apr 3, 2023
    60ff668
  4. feat(OrtModelBuilder): Ignore Android dependencies metadata configurations
    
    For these configurations often Gradle itself has resolution failures. As
    their sole purpose is to describe the dependencies that are compiled into
    an Android app, just ignore them as that is what ORT itself analyzes.
    
    Signed-off-by: Sebastian Schuberth <[email protected]>
    sschuberth committed Apr 3, 2023
    3448b81
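
The checksum handling described in the "Create remote artifacts for packages" commit above, sketched as an added Kotlin example that is not ORT's own code. The function names, the sidecar URL layout derived from the POM URL, and all sample inputs are assumptions constructed for illustration.

```kotlin
import java.security.MessageDigest

// Hex digest lengths mapped to the JCA algorithm names of common Maven checksum sidecars.
val ALGORITHM_BY_HEX_LENGTH = mapOf(32 to "MD5", 40 to "SHA-1", 64 to "SHA-256", 128 to "SHA-512")

data class Checksum(val algorithm: String, val hex: String)

// Assumption: the artifact and its sidecar sit next to the POM and share its base name.
fun sidecarUrl(pomUrl: String, packaging: String = "jar", extension: String = "sha1"): String {
    require(pomUrl.endsWith(".pom")) { "Not a POM URL: $pomUrl" }
    return "${pomUrl.removeSuffix(".pom")}.$packaging.$extension"
}

// Accepts "<hex>", "<hex>  <file>" and "<hex> *<file>". Returns null for anything else, e.g. the
// HTML error or login page a private repository may return to an unauthenticated client.
fun parseSidecar(body: String): Checksum? {
    val token = body.trim().split(Regex("\\s+")).first().lowercase()
    if (!Regex("[0-9a-f]+").matches(token)) return null
    val algorithm = ALGORITHM_BY_HEX_LENGTH[token.length] ?: return null
    return Checksum(algorithm, token)
}

fun digestHex(algorithm: String, bytes: ByteArray): String =
    MessageDigest.getInstance(algorithm).digest(bytes).joinToString("") { "%02x".format(it) }

// For use once the artifact is actually downloaded. The sidecar is served by the same repository
// as the artifact, so a match shows the download is intact, not that the repository is trustworthy.
fun matches(checksum: Checksum, artifact: ByteArray): Boolean {
    val actual = digestHex(checksum.algorithm, artifact)
    return MessageDigest.isEqual(actual.toByteArray(), checksum.hex.toByteArray())
}

fun main() {
    val pomUrl = "https://repo.example.org/maven2/com/example/lib/1.0/lib-1.0.pom" // constructed
    println(sidecarUrl(pomUrl))

    val artifact = "constructed artifact bytes".toByteArray()
    val sha1 = digestHex("SHA-1", artifact)
    val responses = listOf( // constructed sidecar response bodies
        sha1,
        "${sha1.uppercase()}  lib-1.0.jar\n",
        "<html><body>401 Unauthorized</body></html>",
        "deadbeef"
    )
    for (body in responses) {
        val checksum = parseSidecar(body)
        val ok = checksum?.let { matches(it, artifact) } ?: false
        println("${body.trim().take(24)} -> ${checksum?.algorithm ?: "rejected"} match=$ok")
    }
}
```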