oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Gradle does not return dependencies at all #9255

Closed wkl3nk closed 1 month ago

wkl3nk commented 1 month ago

Describe the bug

I use the Analyzer CLI to directly analyze a checked-out repository. I explicitly use the Gradle package manager, not GradleInspector. The repository is a simple gradle-based project with a little bit of Spring Boot.

```
ort --info -P ort.analyzer.enabledPackageManagers=Gradle analyze -i . -o .
```

```
The OSS Review Toolkit, version 35.0.0-029.sha.901aa9d,
built with JDK 21.0.3+9-LTS, running under Java 21.0.3.
...
Found 1 project(s) and 0 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 0 of 2 provider(s).
Resolved issues: 0 errors, 0 warnings, 0 hints.
Unresolved issues: 0 errors, 0 warnings, 0 hints.
```

Expected behavior

I would have expected > 60 dependencies, but I get 0.

Analysis

The Gradle plugin iterates over the Gradle configurations and tries to exclude (plugin) configurations that are deprecated. Since Gradle 8.2, the configuration property resolutionAlternatives has changed to an ImmutableList, and this property can no longer be null; instead, the list can be empty. The code inside the Gradle plugin does not reflect that change.

On the other hand, the code in the GradleInspector does reflect this change: https://github.com/oss-review-toolkit/ort/commit/1d172c9ea9bb7efa1bc1653116fea0b634fe41bc

Please hang on for a PR.
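An added illustration of the mechanism described above; this is not ORT's or Gradle's code. The `Configuration` class and the sample configuration lists are constructed stand-ins for Gradle's `DeprecatableConfiguration`, showing how a null-only check classifies every configuration as deprecated once Gradle 8.2 reports an empty list instead of null, so nothing is left to resolve.

```kotlin
// Constructed stand-in for Gradle's DeprecatableConfiguration (assumption: the
// real API exposes resolutionAlternatives as a nullable list before 8.2 and as a
// never-null, possibly empty list from 8.2 on, as the issue text states).
data class Configuration(val name: String, val resolutionAlternatives: List<String>?)

// Pre-8.2 style check: "non-null" was taken to mean "this configuration is deprecated".
fun isDeprecatedNullCheck(c: Configuration): Boolean =
    c.resolutionAlternatives != null

// Check that is correct for both API shapes: null or empty means "not deprecated".
fun isDeprecatedNullOrEmptyCheck(c: Configuration): Boolean =
    !c.resolutionAlternatives.isNullOrEmpty()

// Names of the configurations the analyzer would go on to resolve.
fun resolvableConfigurations(
    all: List<Configuration>,
    isDeprecated: (Configuration) -> Boolean
): List<String> = all.filterNot(isDeprecated).map { it.name }

fun main() {
    // Constructed sample as Gradle 8.2+ would report it: empty list, never null.
    val gradle82 = listOf(
        Configuration("runtimeClasspath", emptyList()),
        Configuration("compileClasspath", emptyList()),
        Configuration("legacyConfig", listOf("runtimeClasspath")) // deprecated, has an alternative
    )
    // Constructed sample as a pre-8.2 Gradle would report it: null for non-deprecated.
    val gradle81 = listOf(
        Configuration("runtimeClasspath", null),
        Configuration("compileClasspath", null),
        Configuration("legacyConfig", listOf("runtimeClasspath"))
    )

    println("pre-8.2, null check:      " + resolvableConfigurations(gradle81, ::isDeprecatedNullCheck))
    // With 8.2+ the null check excludes everything: no configurations, hence 0 dependencies.
    println("8.2+,    null check:      " + resolvableConfigurations(gradle82, ::isDeprecatedNullCheck))
    // The null-or-empty check keeps the two real classpaths and drops only the deprecated one.
    println("8.2+,    null/empty check:" + resolvableConfigurations(gradle82, ::isDeprecatedNullOrEmptyCheck))
}
```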

sschuberth commented 1 month ago

> The Gradle plugin iterates over the gradle configurations, tries to exclude (plugin) configurations that are deprecated.

Still interesting how this can result in seeing less (or zero) dependencies. I would have assumed that if the Gradle analyzer does not exclude enough, we'd rather see too many dependencies.