Open tardyp opened 2 years ago
@tardyp note that I have done quite a bit of research on how to parse gradle builds at least the Groovy kind, and we could likely consider the Kotlin kind too
@pombredanne That particular request is about nebula kind of package locks.
nebula looks like the Poetry of gradle. Cool kids use it instead of the default gradle pinning method. I don't think it is really about Kotlin; it is just another file format, as Poetry.lock is another file format than requirements.txt or Pipfile.lock.
Big advantage I see is that it is a lockfile and there is no need to run the gradle toolchain to extract the info. It is just a json file.
@tardyp FYI @JonoYang is contributing some support for gradle in #2822
I think we should also support first the standard Gradle lockfile: https://docs.gradle.org/current/userguide/dependency_locking.html
`gradle.lockfile` and `buildscript-gradle.lockfile`

Each line still represents a single dependency in the group:artifact:version notation. It then lists all configurations that contain the given dependency. Module and configurations are ordered alphabetically, to ease diffs. The last line of the file lists all empty configurations, that is configurations known to have no dependencies.

```
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.springframework:spring-beans:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-core:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-jcl:5.0.5.RELEASE=compileClasspath, runtimeClasspath
empty=annotationProcessor
```
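A parser for the standard lockfile format quoted above, written in Python as an added example; it is not scancode's own packagedcode parser and not Gradle project code. The sample lockfile is constructed from the docs example, and emitting a Maven Package URL per locked dependency (the key an SCA tool would use to look up advisories) is an assumption about what a consumer wants.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input, reproducing the docs example above (banner shortened to one line).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
org.springframework:spring-beans:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-core:5.0.5.RELEASE=compileClasspath, runtimeClasspath
org.springframework:spring-jcl:5.0.5.RELEASE=compileClasspath, runtimeClasspath
empty=annotationProcessor
"""

# Left-hand side of a lock line: group:artifact:version (versions may contain dots or words like RELEASE).
COORD_RE = re.compile(r"^([^:=\s]+):([^:=\s]+):([^=\s]+)$")

@dataclass
class LockedDependency:
    group: str
    name: str
    version: str
    configurations: List[str]
    @property
    def purl(self) -> str:
        return f"pkg:maven/{self.group}/{self.name}@{self.version}"

@dataclass
class GradleLock:
    dependencies: List[LockedDependency] = field(default_factory=list)
    empty_configurations: List[str] = field(default_factory=list)

def parse_gradle_lockfile(text: str) -> GradleLock:
    """Parse gradle.lockfile / buildscript-gradle.lockfile text without running Gradle."""
    lock = GradleLock()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the generated-file banner comments
        key, sep, confs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=configurations, got {raw!r}")
        configurations = [c.strip() for c in confs.split(",") if c.strip()]
        if key == "empty":  # trailing line: locked configurations that resolve to nothing
            lock.empty_configurations.extend(configurations)
            continue
        match = COORD_RE.match(key)
        if not match:
            raise ValueError(f"line {lineno}: not group:artifact:version: {key!r}")
        lock.dependencies.append(LockedDependency(*match.groups(), configurations))
    return lock
```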
Indeed... FWIW on my side we did not implement nebula after learning that Nebula is no longer supported in more recent versions of Android (as I was told).
We currently generate the dependency tree manually at project milestones :( Good news that gradle now has standard dependency locking; I will ping my devs to see whether they can use that.
I think we should also support first the standard Gradle lockfile: https://docs.gradle.org/current/userguide/dependency_locking.html
Indeed. I believe this should be closed in favor of only supporting the Gradle built-in dependency locking mechanism.
Short Description
gradle is a build tool for the Java ecosystem, especially popular in Android apps.
nebula gradle dependency lock allows developers to lock their gradle dependencies and sub-dependencies to specific versions. packagedcode should be able to parse this simple information.
Possible Labels
Select Category
Describe the Update
lock format is documented here:
https://github.com/nebula-plugins/gradle-dependency-lock-plugin/wiki/Usage#lock-file-format
It is a simple json format that clearly shows the packages and versions. Should be quite easy to parse
How This Feature will help you/your organization
This will let us use scancode to extract our gradle dependencies.
Possible Solution/Implementation Details
Example/Links if Any
Can you help with this Feature
Renault will probably contribute this feature in the next month