sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

Add dependencies to the scanned Module #65

Closed guillermo-varela closed 3 years ago

guillermo-varela commented 3 years ago

When the dependencies list is present in the module, a <dependencies> entry is added to the scan XML file generated by the IQ libraries:

<dependencies>
  <dep id="org.apache.commons:commons-math3:3.6.1" direct="true"/>
  <dep id="com.google.guava:guava:27.0.1-jre" direct="true"/>
  <dep id="org.springframework.boot:spring-boot-starter-web:1.0.0.RELEASE" direct="true">
    <dep id="org.springframework.boot:spring-boot-autoconfigure:1.0.0.RELEASE"/>
    ...
  </dep>
</dependencies>

Setup for demo

Scanning gradle-consumer before this PR

Screen Shot 2021-02-18 at 10 01 28 PM

gradle-producer is shown as an unknown component and all transitive dependencies are blended together.

Scanning gradle-consumer after this PR

Screen Shot 2021-02-18 at 10 02 47 PM

gradle-producer is shown as a known InnerSource component and the transitive dependencies it brings are grouped below this component to differentiate them from the ones related to gradle-consumer.

cc @bhamail / @DarthHater / @shaikhu
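To make the format above concrete, here is an added example (not part of the PR or the plugin's code) that parses the <dependencies> section of a scan XML file, groups each transitive dependency under the direct dependency that brings it in, and flags structures that would leave transitive dependencies unattributed. The sample XML is constructed from the snippet in the description; the com.example coordinates are assumed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample modelled on the PR description; com.example ids are assumed.
SAMPLE_SCAN_XML = """<scan>
  <dependencies>
    <dep id="org.apache.commons:commons-math3:3.6.1" direct="true"/>
    <dep id="com.google.guava:guava:27.0.1-jre" direct="true"/>
    <dep id="org.springframework.boot:spring-boot-starter-web:1.0.0.RELEASE" direct="true">
      <dep id="org.springframework.boot:spring-boot-autoconfigure:1.0.0.RELEASE"/>
      <dep id="com.example:transitive-a:1.0">
        <dep id="com.example:transitive-b:1.0"/>
      </dep>
    </dep>
  </dependencies>
</scan>"""


def _find_dependencies(root: ET.Element):
    """Return the <dependencies> element whether it is the root or nested in <scan>."""
    return root if root.tag == "dependencies" else root.find(".//dependencies")


def _collect(dep: ET.Element, acc: Set[str]) -> None:
    """Recursively add the ids of every <dep> nested below `dep` to `acc`."""
    for child in dep.findall("dep"):
        acc.add(child.get("id"))
        _collect(child, acc)


def dependency_tree(xml_text: str) -> Dict[str, Set[str]]:
    """Map each top-level (direct) dependency id to the transitive ids nested under it."""
    deps = _find_dependencies(ET.fromstring(xml_text))
    tree: Dict[str, Set[str]] = {}
    for dep in ([] if deps is None else deps.findall("dep")):
        transitives: Set[str] = set()
        _collect(dep, transitives)
        tree[dep.get("id")] = transitives
    return tree


def lint_scan(xml_text: str) -> List[str]:
    """Flag structures that would blend transitive dependencies together again."""
    deps = _find_dependencies(ET.fromstring(xml_text))
    if deps is None:
        return ["no <dependencies> element: direct and transitive cannot be told apart"]
    problems: List[str] = []
    for dep in deps.findall("dep"):
        if dep.get("direct") != "true":
            problems.append(f'top-level dep without direct="true": {dep.get("id")}')
        for nested in dep.iter("dep"):  # iter() includes dep itself, so skip it
            if nested is not dep and nested.get("direct") == "true":
                problems.append(f"nested dep marked direct: {nested.get('id')}")
    return problems
```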

kakumara commented 3 years ago

What about the <Project> tag? See this example for multi-module: https://github.com/sonatype/hosted-data-services/blob/e24efe26182a5022ccbc61ad5447cbf8f3115555/insight-scan-processor/src/test/resources/scandata/ApplicationScanProcessorTest/scan-dep-graph-multi-module.xml#L33

kakumara commented 3 years ago

I believe you need to create a ModuleScanRequest somewhere? https://github.com/sonatype/clm-maven-plugin/blob/98c90e5d1f12a0b3a1d414602304d819cc895bd9/clm-maven-plugin/src/main/java/com/sonatype/insight/maven/AbstractClmScanMojo.java#L80

guillermo-varela commented 3 years ago

> I believe you need to create a ModuleScanRequest somewhere? https://github.com/sonatype/clm-maven-plugin/blob/98c90e5d1f12a0b3a1d414602304d819cc895bd9/clm-maven-plugin/src/main/java/com/sonatype/insight/maven/AbstractClmScanMojo.java#L80

This plugin uses nexus-java-api which creates a ModuleScanRequest instance internally based on the list of modules passed as param:

https://github.com/sonatype/nexus-java-api/blob/0f0191895c29bfe6c1fa0672ba7617a277b178bd/api/src/main/java/com/sonatype/nexus/api/iq/scan/Scanner.java#L156-L157

guillermo-varela commented 3 years ago

> What about the <Project> tag? See this example for multi-module: https://github.com/sonatype/hosted-data-services/blob/e24efe26182a5022ccbc61ad5447cbf8f3115555/insight-scan-processor/src/test/resources/scandata/ApplicationScanProcessorTest/scan-dep-graph-multi-module.xml#L33

nexus-java-api already handles that case for multi-module projects.

Screen Shot 2021-02-04 at 11 50 24 AM