Parsing gradle dependencies from the output of ./gradlew dependencies task

[ajmalab]

What would you like to be added: Parse the output of the ./gradlew dependencies task to construct the sBOM

Why is this needed: Currently, the .jar artifact has to be built for Syft to be able to read the dependencies and output an sBOM. Scanning it from the output of the dependencies task would make it more efficient as we could avoid the build step.

Additional context:

[tgerla]

Hi @ajmalab, thanks for the feature request. Are you looking for Syft to invoke gradlew itself and parse the output?

We do have another issue that needs to get completed before this work could start: #1562

Alternatively, if you want to generate an SBOM yourself from the gradlew dependencies and put it in the directory that Syft scans, Syft will see it and include the contents in the resulting output.

[ajmalab]

Hey, apologies for the late reply, didn't get notified about the comment.

Yes, Syft invoking gradlew to run the dependencies task would be ideal. Currently, you'd have to build the jars manually using gradlew any way for Syft to parse any dependencies.

The linked issue #1562 seems relevant, however it makes no mention of Gradle.

[tgerla]

No problem! Yes, #1562 isn't specific to Gradle. We are using it to generally track feature requests where Syft must reach out to an external service. Thanks for the additional context!

[tgerla]

Hi @ajmalab, an update here: based on Syft's design and architecture it probably will never directly execute third party tools like gradlew. But, if as part of your build step, you could run "gradlew dependencies" and store the output in a place where Syft can find it, we could add a cataloger to Syft that recognizes that output an include the results in the SBOM. Do you think this would work for your use case? We would be happy to discuss it.

[ajmalab]

Hi! I see, that's understandable. The approach you've described is feasible too. I think this way you'd be able top populate the dependencies block of the sbom too for Gradle projects!

[spiffcs]

Closing this as not planned for right now given @tgerla's above comment - users can front run their SBOM generation with dependency commands so that syft does not need to shell out and run individual package manager commands