From 53580bb1b09093354225bdd6cd444697d40dadae Mon Sep 17 00:00:00 2001
From: Charles Coggins
Date: Tue, 10 Dec 2024 15:46:44 -0600
Subject: [PATCH 1/2] Fix Windows Gradle manifests incorrectly retained

This change fixes a bug that is specific to Windows systems. When legacy Gradle (prior to v7.0.0) lockfiles exist (e.g., `gradle/dependency-locks/*.lockfile`) along with a manifest at a higher level, the manifest is meant to be ignored when finding dependency files to analyze. However, on Windows systems this was not the case before this change. Instead, both the manifest and the lockfiles were retained. After this change, only the lockfiles are retained when both are present. A failing test was added first to confirm the incorrect behavior. Then, a change was made to handle paths as `Path` objects instead of strings. That way, the generic `/` path separator character will be used correctly regardless of the runtime system. Additionally, an error message was updated to reflect the correct dependency file language for Gradle parsing errors.
---
 CHANGELOG.md | 4 ++++
 lockfile/src/java.rs | 2 +-
 lockfile/src/lib.rs | 41 +++++++++++++++++++++++++++++++++++++++--
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f355a3c07..feca17c2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support for C#'s `packages.*.config` lockfile type
 - `phylum firewall log` command to browse firewall activity log
 
+### Fixed
+
+- Gradle manifests used on Windows when legacy lockfiles exist
+
 ## 7.1.5 - 2024-11-26
 
 ### Fixed
diff --git a/lockfile/src/java.rs b/lockfile/src/java.rs
index d0ad241e0..4f5a9fa0a 100644
--- a/lockfile/src/java.rs
+++ b/lockfile/src/java.rs
@@ -26,7 +26,7 @@ impl Parse for GradleLock {
 let (_, entries) = gradle_dep::parse(data)
 .finish()
 .map_err(|e| anyhow!(convert_error(data, e)))
- .context("Failed to parse requirements file")?;
+ .context("Failed to parse gradle lockfile")?;
 
 Ok(entries)
 }
diff --git a/lockfile/src/lib.rs b/lockfile/src/lib.rs
index 7b9878fa4..ea2715329 100644
--- a/lockfile/src/lib.rs
+++ b/lockfile/src/lib.rs
@@ -372,9 +372,8 @@ pub fn find_depfiles_at(root: impl AsRef) -> Vec<(PathBuf, LockfileFormat)
 // Legacy Gradle (before v7) lockfiles are in a subdirectory,
 // so we truncate these directories to get the effective
 // directory these lockfiles were created for.
- let dir_str = lockfile_dir.to_string_lossy();
 if lockfile_format == &LockfileFormat::Gradle
- && dir_str.ends_with("/gradle/dependency-locks")
+ && lockfile_dir.ends_with("gradle/dependency-locks")
 {
 lockfile_dir = lockfile_dir.parent().unwrap().parent().unwrap();
 }
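Review bot: The two `unwrap()` calls on `lockfile_dir.parent()` in the Gradle branch rely on an invariant that nothing in the hunk states: `Path::ends_with` matches whole components, so a path that passes the `"gradle/dependency-locks"` check has at least two components and both `parent()` calls return `Some`. I would record that next to the condition, for example `// Path::ends_with compares whole components: separator-agnostic, and it guarantees the two parents unwrapped below.` The component comparison is also case-sensitive, so a differently cased directory on a case-insensitive Windows volume would still fall through and keep the manifest. That is probably fine if Gradle always writes the lowercase name, but it is worth confirming because this function decides which dependency files get analyzed. `find_depfiles_at` starts and ends outside this hunk.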
@@ -764,4 +763,42 @@ mod tests {
 let expected = vec![(tempdir.path().join("go.mod"), LockfileFormat::GoMod)];
 assert_eq!(lockable_files, expected);
 }
+
+ #[test]
+ fn skip_build_gradle_with_legacy_lockfiles() {
+ // Create desired directory structure.
+ let tempdir = tempfile::tempdir().unwrap();
+ let files = [
+ tempdir.path().join("build.gradle"),
+ tempdir.path().join("gradle/dependency-locks/compile.lockfile"),
+ tempdir.path().join("gradle/dependency-locks/default.lockfile"),
+ tempdir.path().join("gradle/dependency-locks/runtime.lockfile"),
+ ];
+ for file in &files {
+ let dir = file.parent().unwrap();
+ fs::create_dir_all(dir).unwrap();
+ File::create(file).unwrap();
+ }
+
+ // Find lockfiles.
+ let mut lockfiles = find_depfiles_at(tempdir.path());
+
+ // Compare results.
+ lockfiles.sort_unstable();
+ let expected = vec![
+ (
+ tempdir.path().join("gradle/dependency-locks/compile.lockfile"),
+ LockfileFormat::Gradle,
+ ),
+ (
+ tempdir.path().join("gradle/dependency-locks/default.lockfile"),
+ LockfileFormat::Gradle,
+ ),
+ (
+ tempdir.path().join("gradle/dependency-locks/runtime.lockfile"),
+ LockfileFormat::Gradle,
+ ),
+ ];
+ assert_eq!(lockfiles, expected);
+ }
 }
From dbfdf73e775f7932104e6697edadb4a1502b677e Mon Sep 17 00:00:00 2001
From: Charles Coggins
Date: Tue, 10 Dec 2024 16:41:04 -0600
Subject: [PATCH 2/2] Update CHANGELOG entry

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index feca17c2c..44911ee6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,7 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 
-- Gradle manifests used on Windows when legacy lockfiles exist
+- Gradle manifests incorrectly retained on Windows
 
 ## 7.1.5 - 2024-11-26
 
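Review bot: `skip_build_gradle_with_legacy_lockfiles` pins only the case where the manifest is dropped; nothing in this hunk checks the opposite direction, that a `build.gradle` is still returned when the neighbouring directory does not match `gradle/dependency-locks` as whole components (for example a `dependency-locks` directory that is not under `gradle`). A manifest skipped by mistake means its dependencies are never analyzed, so a sibling test for the non-matching layout would guard the `ends_with` condition against later widening; such a test may already exist outside the visible lines. A short comment on the new test, e.g. `// Regression test: on Windows the manifest was returned alongside the legacy lockfiles.`, would also tie it to the bug it reproduces.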