Fix: Gradle Native Inspection Adds Invalid Suffix to Version in BDIO Entry #1482
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a bug where the Gradle Native Inspector was incorrectly including status suffixes like +FAILED in version strings within BDIO entries, causing GAV parsing issues.
- Strips trailing status indicators from version strings by splitting on whitespace and taking only the first part
- Ensures clean semantic versions are captured in dependency parsing
| @@ -69,7 +69,7 @@ public GradleTreeNode parseLine(String line, Map<String, String> metadata) { | |||
| } else { | |||
| String group = gav.get(0); | |||
| String name = gav.get(1); | |||
| String version = gav.get(2); | |||
| String version = gav.get(2).split("\\s")[0]; | |||
There was a problem hiding this comment.
The code assumes that splitting on whitespace will always produce at least one element, but if gav.get(2) is an empty string, split() will return an empty array and accessing index [0] will throw an IndexOutOfBoundsException. Consider using trim() first and adding a null/empty check.
| String version = gav.get(2).split("\\s")[0]; | |
| String version; | |
| if (StringUtils.isNotBlank(gav.get(2))) { | |
| version = gav.get(2).split("\\s")[0]; | |
| } else { | |
| logger.trace(String.format("The version part of GAV is empty or null: %s", line)); | |
| return GradleTreeNode.newUnknown(level); | |
| } |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
+1 ^
Not 100% sure due to layers, but at first glance it looks like the possibility that a version can be an empty string exists (line 127 in GradleReportLineParser). Maybe we could add a test case (or do a manual test) to confirm?
There was a problem hiding this comment.
It is highly unlikely that ./gradlew dependencies would ever return a tree with a dependency that has no version. That’s why we currently treat such lines as UNKNOWN nodes. I’ve added a test case to confirm this behavior just to be thorough.
...kduck/integration/detectable/detectables/gradle/inspection/parse/GradleReportLineParser.java
Outdated
Show resolved
Hide resolved
zahidblackduck
requested review from
andrian-sevastyanov,
shantyk and
devmehtabd
|
Would the transitives of a dependency that has +FAILED suffix be missing from the BDIO in this case? In the ticket, it looks like a +FAILED line is a leaf in any subtree that contains it. I do not recall a clear answer from the discussions/see it in the comments under IDETECT-4736. |
| @@ -69,7 +69,7 @@ public GradleTreeNode parseLine(String line, Map<String, String> metadata) { | |||
| } else { | |||
| String group = gav.get(0); | |||
| String name = gav.get(1); | |||
| String version = gav.get(2); | |||
| String version = StringUtils.substringBefore(gav.get(2), " "); | |||
There was a problem hiding this comment.
Some unit test cases would be nice.
There was a problem hiding this comment.
Added unit tests to validate the change.
Yes, you are right. If a dependency has |
JIRA Ticket
IDETECT-4736
Description:
This merge request aims to fix an issue where the Gradle Native Inspector adds a
+FAILEDsuffix to the version field in BDIO entries. This was causing incorrect GAV parsing. The version is now split on whitespace to discard any trailing status indicators likeFAILED, ensuring only the clean semantic version is captured.