Dependency graph support for Gradle

[vaibhawk-kr]

Is there any corresponding issue for the dependency graph support for Gradle?

I was following it on the archived repo and not sure if any progress happened on the same.
I am even thinking to switching to use maven if it’s not happening soon.

Please share your recommendation.

[jhutchings1]

Since build.gradle files are turing complete, our usual approach for static analysis of the files doesn't work. We've been working on this new API for dependency submission so that Gradle can submit their dependencies directly. Keep an eye on that issue for more information.

[big-andy-coates]

QQ: If submitting dependencies using the new API it looks like I'll see security alerts (yay!), however, would it also power Dependabot's dependency update PRs? I'm guessing not. Which would mean I still need still fall fowl of issues like dependabot/dependabot-core#4762 (Boo!).

Great work though :)

[jhutchings1]

QQ: If submitting dependencies using the new API it looks like I'll see security alerts (yay!), however, would it also power Dependabot's dependency update PRs? I'm guessing not. Which would mean I still need still fall fowl of issues like dependabot/dependabot-core#4762 (Boo!).

Those are separate codebases, so no help there. Sorry about that!

[mikepenz]

Given the launch of the linked Dependency Submission API, we've built a GitHub action making use of gradles dependencies API to retrieve and post all dependencies. This follows a similar approach to the go-dependency-submission plugin published by the Github team. You can find more information here: Gradle Dependency Submission Action

[tbruyelle]

Does this github action also populate the dependents tab of the dependency graph ?

[mikepenz]

Sadly, this seems not to be controlled via the dependency submission API.

[lbergelson]

This is a great idea! We need to be able to also specify what are artifacts are produced as well though. Finding who depends on you is probably more useful than finding who you depend on.

[big-andy-coates]

Am I right in thinking that this new dependency submission API will enable Dependabot security alerts for vulnerabilities in their dependencies?

@jhutchings1 is there any intent for Github to release support for Gradle using this new API, or is the intent for the community to do this, (i.e. @mikepenz's action)?

I'm particularly interesting in receiving alerts from Dependabot when a projects direct or transitive dependencies have known vulnerabilities.

I find it strange that Dependabot is capable of updating Gradle dependency versions, and as part of that it determines what the current dependencies and their versions are, yet is not able to alert if there is known vulnerabilities in those dependencies.

Or is it just the case that the Gradle support for Dependabot is using this new API, and its just the security alert part that is missing?

[jhutchings1]

Am I right in thinking that this new dependency submission API will enable Dependabot security alerts for vulnerabilities in their dependencies?

Yep!

@jhutchings1 is there any intent for Github to release support for Gradle using this new API, or is the intent for the community to do this, (i.e. @mikepenz's action)?

GitHub isn't planning to build an Action for this ourselves. We recommend that folks use @mikepenz 's action for alerts. Gradle started work on their own extractor about a year ago, but it's not complete yet. @pioterj may be able to provide an ETA on this.

I find it strange that Dependabot is capable of updating Gradle dependency versions, and as part of that it determines what the current dependencies and their versions are, yet is not able to alert if there is known vulnerabilities in those dependencies.
Or is it just the case that the Gradle support for Dependabot is using this new API, and its just the security alert part that is missing?

The Dependabot updater for Gradle is a separate codebase. While it works for simpler build.gradle files, Gradle supports many options that it does not understand. We haven't used that for generic dependency scanning and Dependabot alerts because we don't think it's sufficiently comprehensive.

[pioterj]

We are working on this now and will provide updates on our public roadmap: gradle/build-tool-roadmap#42 cc @bigdaz

[osiegmar]

Another idea would be to add the functionality directly to Gradle‘s build action: gradle/gradle-build-action#449

[big-andy-coates]

I wonder if Gradle's action could be used to avoid issues with Dependabot not respecting maven inclusion / exclusion rules when raising dependency update PRs...