feat: support parsing gradle/verification-metadata.xml

google · Apr 25, 2024 · ade252f · ade252f
1 parent d75f136
commit ade252f
Show file tree

Hide file tree

Showing 13 changed files with 1,382 additions and 33 deletions.
diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md
@@ -22,19 +22,19 @@ nav_order: 2
 
 A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).
 
-| Language   | Compatible Lockfile(s)                                                                                                   |
-| :--------- | :----------------------------------------------------------------------------------------------------------------------- |
-| C/C++      | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning)                                                                    |
-| Dart       | `pubspec.lock`                                                                                                           |
-| Elixir     | `mix.lock`                                                                                                               |
-| Go         | `go.mod`                                                                                                                 |
-| Java       | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35)     |
-| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock`                                                                   |
-| PHP        | `composer.lock`                                                                                                          |
-| Python     | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
-| R          | `renv.lock`                                                                                                              |
-| Ruby       | `Gemfile.lock`                                                                                                           |
-| Rust       | `Cargo.lock`                                                                                                             |
+| Language   | Compatible Lockfile(s)                                                                                                                                      |
+| :--------- |:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| C/C++      | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning)                                                                                                       |
+| Dart       | `pubspec.lock`                                                                                                                                              |
+| Elixir     | `mix.lock`                                                                                                                                                  |
+| Go         | `go.mod`                                                                                                                                                    |
+| Java       | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35),<br>`gradle/verification-metadata.xml` |
+| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock`                                                                                                      |
+| PHP        | `composer.lock`                                                                                                                                             |
+| Python     | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock`                                    |
+| R          | `renv.lock`                                                                                                                                                 |
+| Ruby       | `Gemfile.lock`                                                                                                                                              |
+| Rust       | `Cargo.lock`                                                                                                                                                |
 
 ## Alpine Package Keeper and Debian Package Keeper
 

diff --git a/pkg/lockfile/ecosystems_test.go b/pkg/lockfile/ecosystems_test.go
@@ -36,9 +36,9 @@ func TestKnownEcosystems(t *testing.T) {
 
 	// - npm, yarn, and pnpm,
 	// - pip, poetry, pdm and pipenv,
-	// - maven and gradle,
+	// - maven, gradle, and gradle/verification-metadata
 	// all use the same ecosystem so "ignore" those parsers in the count
-	expectedCount -= 6
+	expectedCount -= 7
 
 	ecosystems := lockfile.KnownEcosystems()
 

diff --git a/pkg/lockfile/extract_test.go b/pkg/lockfile/extract_test.go
@@ -33,24 +33,25 @@ func TestFindExtractor(t *testing.T) {
 	t.Parallel()
 
 	lockfiles := map[string]string{
-		"buildscript-gradle.lockfile": "gradle.lockfile",
-		"Cargo.lock":                  "Cargo.lock",
-		"composer.lock":               "composer.lock",
-		"Gemfile.lock":                "Gemfile.lock",
-		"go.mod":                      "go.mod",
-		"gradle.lockfile":             "gradle.lockfile",
-		"mix.lock":                    "mix.lock",
-		"pdm.lock":                    "pdm.lock",
-		"Pipfile.lock":                "Pipfile.lock",
-		"package-lock.json":           "package-lock.json",
-		"packages.lock.json":          "packages.lock.json",
-		"pnpm-lock.yaml":              "pnpm-lock.yaml",
-		"poetry.lock":                 "poetry.lock",
-		"pom.xml":                     "pom.xml",
-		"pubspec.lock":                "pubspec.lock",
-		"renv.lock":                   "renv.lock",
-		"requirements.txt":            "requirements.txt",
-		"yarn.lock":                   "yarn.lock",
+		"buildscript-gradle.lockfile":      "gradle.lockfile",
+		"Cargo.lock":                       "Cargo.lock",
+		"composer.lock":                    "composer.lock",
+		"Gemfile.lock":                     "Gemfile.lock",
+		"go.mod":                           "go.mod",
+		"gradle/verification-metadata.xml": "gradle/verification-metadata.xml",
+		"gradle.lockfile":                  "gradle.lockfile",
+		"mix.lock":                         "mix.lock",
+		"pdm.lock":                         "pdm.lock",
+		"Pipfile.lock":                     "Pipfile.lock",
+		"package-lock.json":                "package-lock.json",
+		"packages.lock.json":               "packages.lock.json",
+		"pnpm-lock.yaml":                   "pnpm-lock.yaml",
+		"poetry.lock":                      "poetry.lock",
+		"pom.xml":                          "pom.xml",
+		"pubspec.lock":                     "pubspec.lock",
+		"renv.lock":                        "renv.lock",
+		"requirements.txt":                 "requirements.txt",
+		"yarn.lock":                        "yarn.lock",
 	}
 
 	for file, extractAs := range lockfiles {
@@ -91,6 +92,7 @@ func TestExtractDeps_FindsExpectedExtractor(t *testing.T) {
 		"Gemfile.lock",
 		"go.mod",
 		"gradle.lockfile",
+		"gradle/verification-metadata.xml",
 		"mix.lock",
 		"pdm.lock",
 		"Pipfile.lock",