

Allow configuring snyk target reference and lifecycle properties (ela…
…stic#88220)

We will use target reference to distinguish between different versions or branches of our elasticsearch project
to be able to trace vulnerable dependencies down to the version.

The snyk lifecycle property allows filtering the project overview by `production` or `development`. When the
version ends with SNAPSHOT we configure the lifecycle as development; otherwise it is production.

Related to elastic#87620
breskeby authored Jun 30, 2022
1 parent d3f74ca commit d5a60f2
Showing 3 changed files with 50 additions and 17 deletions.
Expand Up @@ -31,7 +31,7 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
given:
buildFile << """
apply plugin:'java'
version = "1.0-SNAPSHOT"
version = "$version"
repositories {
mavenCentral()
Expand All @@ -45,7 +45,7 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
def build = gradleRunner("generateSnykDependencyGraph").build()
then:
build.task(":generateSnykDependencyGraph").outcome == TaskOutcome.SUCCESS
JSONAssert.assertEquals(file( "build/snyk/dependencies.json").text, """{
JSONAssert.assertEquals(file("build/snyk/dependencies.json").text, """{
"meta": {
"method": "custom gradle",
"id": "gradle",
Expand All @@ -71,7 +71,7 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
"nodeId": "org.apache.lucene:lucene-monitor@9.2.0"
}
],
"pkgId": "hello-world@1.0-SNAPSHOT"
"pkgId": "hello-world@$version"
},
{
"nodeId": "org.apache.lucene:lucene-monitor@9.2.0",
Expand Down Expand Up @@ -117,10 +117,10 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
},
"pkgs": [
{
"id": "hello-world@1.0-SNAPSHOT",
"id": "hello-world@$version",
"info": {
"name": "hello-world",
"version": "1.0-SNAPSHOT"
"version": "$version"
}
},
{
Expand Down Expand Up @@ -156,8 +156,19 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
"target": {
"remoteUrl": "http://github.com/elastic/elasticsearch.git",
"branch": "unknown"
},
"targetReference": "$version",
"projectAttributes": {
"lifecycle": [
"$expectedLifecycle"
]
}
}""", true)

where:
version | expectedLifecycle
'1.0-SNAPSHOT' | 'development'
'1.0' | 'production'
}

def "upload fails with reasonable error message"() {
Expand All @@ -167,7 +178,7 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna
"""
when:
def result = withWireMock(PUT, "/api/v1/monitor/gradle/graph", "OK", HTTP_CREATED) { server ->
buildFile << """
buildFile << """
tasks.named('uploadSnykDependencyGraph').configure {
getUrl().set('${server.baseUrl()}/api/v1/monitor/gradle/graph')
getToken().set("myToken")
Expand All @@ -181,7 +192,7 @@ class SnykDependencyMonitoringGradlePluginFuncTest extends AbstractGradleInterna

when:
result = withWireMock(PUT, GRADLE_GRAPH_ENDPOINT, "Internal Error", HTTP_INTERNAL_ERROR) { server ->
buildFile << """
buildFile << """
tasks.named('uploadSnykDependencyGraph').configure {
getUrl().set('${server.baseUrl()}/api/v1/monitor/gradle/graph')
}
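Review bot: The new `where:` table (`version | expectedLifecycle`) only covers the fallback path in which `targetReference` equals the project version; the `-PsnykTargetReference` override that the plugin now reads is never exercised, so a regression in that lookup would not be caught. A second invocation in this spec such as `gradleRunner("generateSnykDependencyGraph", "-PsnykTargetReference=main").build()` asserting `"targetReference": "main"` while the `pkgId`/`version` fields still carry `$version` would pin both halves of the new behaviour. The expectation string interpolates `$version` into the generated JSON unescaped, which is fine for the two literal rows here but will silently break if a row ever contains a quote or backslash; a short comment on the table noting that rows must be plain version strings would help the next person extending it. The feature method whose `given:` block starts this section begins outside the shown hunk.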
import org.gradle.api.tasks.InputFiles;
import org.gradle.api.tasks.OutputFile;
import org.gradle.api.tasks.TaskAction;
import org.gradle.initialization.layout.BuildLayout;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardOpenOption;
import java.util.List;
import java.util.Map;
import java.util.Set;

true
);
private final Property<Configuration> configuration;
private final Property<String> gradleVersion;
private final RegularFileProperty outputFile;
private final Property<String> projectName;
private final Property<String> projectPath;
private final Property<String> targetReference;
private final Property<String> version;
private final Property<String> gradleVersion;
private final RegularFileProperty outputFile;
private final BuildLayout buildLayout;

@Inject
public GenerateSnykDependencyGraph(ObjectFactory objectFactory, BuildLayout buildLayout) {
public GenerateSnykDependencyGraph(ObjectFactory objectFactory) {
configuration = objectFactory.property(Configuration.class);
gradleVersion = objectFactory.property(String.class);
outputFile = objectFactory.fileProperty();
projectName = objectFactory.property(String.class);
projectPath = objectFactory.property(String.class);
version = objectFactory.property(String.class);
gradleVersion = objectFactory.property(String.class);
outputFile = objectFactory.fileProperty();
this.buildLayout = buildLayout;
targetReference = objectFactory.property(String.class);
}

@TaskAction
Expand Down Expand Up @@ -96,7 +96,22 @@ private Map<String, Object> generateGradleGraphPayload() {
version.get(),
firstLevelModuleDependencies
);
return Map.of("meta", FIXED_META_DATA, "depGraphJSON", builder.build(), "target", buildTargetData());
return Map.of(
"meta",
FIXED_META_DATA,
"depGraphJSON",
builder.build(),
"target",
buildTargetData(),
"targetReference",
targetReference.get(),
"projectAttributes",
projectAttributesData()
);
}

private Map<String, List<String>> projectAttributesData() {
return Map.of("lifecycle", List.of(version.map(v -> v.endsWith("SNAPSHOT") ? "development" : "production").get()));
}

private Object buildTargetData() {
Expand Down Expand Up @@ -133,4 +148,8 @@ public Property<String> getGradleVersion() {
return gradleVersion;
}

@Input
public Property<String> getTargetReference() {
return targetReference;
}
}
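Review bot: `targetReference.get()` in `generateGradleGraphPayload()` fails with Gradle's generic "has no value available" error whenever the task is realised without the plugin having set the property, while the sibling `version` property it is meant to default to is already in scope; declaring the default where the property is created, `targetReference = objectFactory.property(String.class).convention(version);` (the `version` property is constructed a few lines earlier in the constructor), keeps the task usable on its own and makes the relationship between the two inputs explicit. The lifecycle rule in `projectAttributesData()` is a plain `endsWith("SNAPSHOT")` and so is case-sensitive and also accepts versions like `1.0SNAPSHOT`; that appears intentional for this project's version scheme, but a one-line comment stating it (`// any version ending in SNAPSHOT is treated as a development build, everything else as production`) would stop a reader from "fixing" it. The new `getTargetReference()` getter has no Javadoc; something like `/** Snyk target reference sent with the upload; the plugin defaults it to the project version unless -PsnykTargetReference is given. */` would document the contract the `@Input` annotation implies for caching. `buildTargetData()` continues past the end of this section, so whether dropping `BuildLayout` affected it cannot be judged from here.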
Expand Up @@ -37,8 +37,11 @@ public void apply(Project project) {
.register("generateSnykDependencyGraph", GenerateSnykDependencyGraph.class, generateSnykDependencyGraph -> {
generateSnykDependencyGraph.getProjectPath().set(project.getPath());
generateSnykDependencyGraph.getProjectName().set(project.getName());
generateSnykDependencyGraph.getVersion().set(project.getVersion().toString());
String projectVersion = project.getVersion().toString();
generateSnykDependencyGraph.getVersion().set(projectVersion);
generateSnykDependencyGraph.getGradleVersion().set(project.getGradle().getGradleVersion());
generateSnykDependencyGraph.getTargetReference()
.set(providerFactory.gradleProperty("snykTargetReference").orElse(projectVersion));
generateSnykDependencyGraph.getOutputFile().set(projectLayout.getBuildDirectory().file("snyk/dependencies.json"));
});

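Review bot: The new `snykTargetReference` Gradle property is read on the `getTargetReference()` line without any comment or documentation, and nothing in the hunk tells a reader that its value is forwarded verbatim into the payload uploaded to Snyk (visible in the `targetReference` entry of the generated JSON in the test file of this commit). A short comment above the `.set(...)` call, `// -PsnykTargetReference=<branch|version> selects the Snyk target; falls back to the project version so every build lands on a distinct target`, would record both the override and why the fallback is the version rather than a branch name. If the property is intended to be supplied only by CI, it is worth saying so there too, since whatever a local user passes becomes the identifier under which results are filed. `apply(Project)` begins outside the shown hunk.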
