
Comments (33)

greysteil avatar greysteil commented on May 16, 2024 8

Totally 👍 on adding this. I'm going to be off the grid for the next two weeks, but please don't take that as a lack of enthusiasm!

from dependabot-core.

DanielMartinus avatar DanielMartinus commented on May 16, 2024 7

As mentioned earlier by @MiniDigger, there are many ways to declare your dependencies in a Gradle file. If only a file scan is done on a project, it would be nice to take ExtraPropertiesExtensions into account. These are mainly used to manage dependency versions across different modules.

It would for example look like:

Some other gradle file, e.g.: dependencies.gradle

ext {
    myLibraryVersion = '1.0.0'
}

Module 1 build.gradle

    implementation "com.example.dependency:$myLibraryVersion"

Module 2 build.gradle

    implementation "com.example.dependency:$myLibraryVersion"

Another thing to be aware of is that from Gradle version 3, compile has changed to implementation and api, and a bunch of other configurations were added. But I can imagine this will be ignored when checking the dependency versions.

greysteil avatar greysteil commented on May 16, 2024 4

Not yet, sorry! I'm going to be pushing on Rust and adding private repo support to Maven today, but will have a look at this immediately after. Would love to support Gradle projects, and will start a template PR in the next couple of days.

MiniDigger avatar MiniDigger commented on May 16, 2024 2

I have no idea how the parsing works in the backend, but looking at all the edge cases, maybe it's easier to just clone the repo and run Gradle together with a special task to check dependencies?
This plugin creates a JSON file with all versions of all dependencies and checks if there are newer versions available: https://github.com/ben-manes/gradle-versions-plugin
Just something to consider, as this would automatically support all possible ways to define dependencies, as it hooks into Gradle's API.

greysteil avatar greysteil commented on May 16, 2024 2

Initial PRs created by Dependabot: https://github.com/greysteil/dependencies/pulls.

Still a long way to go on this, but it kinda works already!

greysteil avatar greysteil commented on May 16, 2024 2

Hey team, I've just released this! If you do a hard refresh on your Dependabot dashboards you should be able to add Gradle projects (by selecting Java - Gradle as the language).

A few known deficiencies:

  1. It can't handle Kotlin files yet
  2. It can't do multi-module support yet. It will only operate on the build.gradle file in the repo you specify
  3. It can't handle custom repositories yet (it will look for everything in the central repository)
  4. It doesn't do any resolution, just tries to update you to the latest (non-prerelease) version

As a result of the above I've put an alpha badge on current support. I'm planning to handle 2. and 3. in the next few days. In the meantime, the more projects you (and others) try it on the quicker I'll be able to iron out the bugs.

Thanks for all your help on this one! 🎉

greysteil avatar greysteil commented on May 16, 2024 2

@matfax - not yet. Our Gradle support is hugely more robust than it was a month ago, though, and is now in beta.

I'll try to take a look at Kotlin support in the next few days. We ended up switching to regexes to parse Gradle build files (ugly, but easier to understand than attempting to parse Gradle from Ruby). If the Kotlin work can be done with the same approach it should be relatively straightforward.

eriwen avatar eriwen commented on May 16, 2024 1

💯 🌈 🌟

astrdark avatar astrdark commented on May 16, 2024 1

@greysteil You can temporarily scan the repo for *.gradle files and index them.

greysteil avatar greysteil commented on May 16, 2024 1

Yep! Really keen to, but it's going to be quite a big project for us and I don't know exactly when. It's on my list for before we can take Gradle out of beta, though.

astrdark avatar astrdark commented on May 16, 2024

@greysteil Any news?

astrdark avatar astrdark commented on May 16, 2024

Thanks, I'm waiting!

greysteil avatar greysteil commented on May 16, 2024

@MiniDigger, OK, I'm going to get started on this this week. Any pointers on docs / a (simple) example repo that I can use as a fixture?

MiniDigger avatar MiniDigger commented on May 16, 2024

I guess you could use this project; it has a bunch of dependencies:
https://github.com/VoxelGamesLib/dependencies/blob/master/build.gradle
Not sure what docs could help you; this one gives a good overview:
https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.DependencyHandler.html

Gradle is a bit more flexible than Maven, so there are countless ways to declare dependencies. For a start, I would think supporting the map style (group: 'com.google.code.guice', name: 'guice', version: '1.0') and the short ('commons-lang:commons-lang:2.6') notation with both single and double quotation marks in a dependencies block would be enough. Supporting multiple modules should be easy; all that's necessary is scanning the repo for more build.gradle files (they can be anywhere, but I guess 2 levels deep should be enough for most setups).

MiniDigger avatar MiniDigger commented on May 16, 2024

Here is another good example as this highlights that a dependencies block doesn't need to be in the root of the file but can be nested in a buildscript or subprojects or a project('a') block.

https://github.com/MiniDigger/CryptoClicker/blob/master/build.gradle

panmona avatar panmona commented on May 16, 2024

Here are two examples for a gradle file used in an Android project: https://github.com/Samourai-Wallet/samourai-wallet-android/blob/develop/app/build.gradle

And: https://github.com/duckduckgo/Android/blob/develop/app/build.gradle

greysteil avatar greysteil commented on May 16, 2024

👍 - I've started the work over at #464.

mueller-ma avatar mueller-ma commented on May 16, 2024

@greysteil Looks good so far, but I have some suggestions/bugs:

  1. Can you have a look at openhab/openhab-android#886?
    When I try the update locally I get the following error:
Could not find com.google.firebase:firebase-core:15.0.1.
Searched in the following locations:
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/google/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/google/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/android/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    file:/C:/Users/user/AppData/Local/Android/Sdk/extras/android/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://repo.maven.apache.org/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://repo.maven.apache.org/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://jitpack.io/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://jitpack.io/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
    https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
    https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
Required by:
    project :mobile

Google is deprecating its GCM in favor of FCM (Firebase cloud messaging). The PR is about updating the Google Maps package, but it seems to be related to this deprecation.

  2. When using https://github.com/signalapp/gradle-witness for verification of dependencies, @dependabot-bot should update the corresponding hash sum. However, gradle-witness doesn't support implementation for now.

  3. The Android support library packages should be updated in one PR, not split in multiple PRs.

    implementation "com.android.support:appcompat-v7:27.1.1"
    implementation "com.android.support:support-v4:27.1.1"
    implementation "com.android.support:recyclerview-v7:27.1.1"
    implementation "com.android.support:design:27.1.1"
    implementation 'com.android.support:multidex:1.0.3'
    implementation 'com.android.support.constraint:constraint-layout:1.0.2'

  4. Here is an example by Google of how to use variables to have the same version of libs in the whole project.
    https://github.com/googlecodelabs/android-testing/blob/master/build.gradle#L21
    https://github.com/googlecodelabs/android-testing/blob/master/app/build.gradle#L54
    Android projects always have these two files, and they can have more if they contain more modules.

greysteil avatar greysteil commented on May 16, 2024

Thanks for the feedback @mueller-ma! Gradle support is super alpha at the moment, but I should have some time over the next couple of weeks to start improving it. I'll definitely be referring to the above when I do!

mueller-ma avatar mueller-ma commented on May 16, 2024

@greysteil Can you have a look at openhab/openhab-android#958?
The build fails because the bumped dependency cannot be found on a remote server:

A problem occurred configuring project ':mobile'.
> Could not resolve all artifacts for configuration ':mobile:classpath'.
   > Could not find com.google.gms:google-services:4.0.2.
     Searched in the following locations:
         https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
         https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
         https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
         https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
     Required by:
         project :mobile

How does @dependabot-bot know that there is a new version?

audkar avatar audkar commented on May 16, 2024

You should probably add the google() repository to your buildscript repositories block:

buildscript {
    repositories {
        google() <-------------HERE
        maven {
            url 'https://maven.fabric.io/public'
        }
        mavenCentral()
    }
    dependencies {
        classpath 'com.google.gms:google-services:4.0.2'
        classpath 'io.fabric.tools:gradle:1.24.4'
        classpath files('libs/gradle-witness.jar')
    }
}

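The resolution failures in this thread and the "central only, latest non-prerelease" behaviour greysteil listed among the known deficiencies come down to one question: which version is actually resolvable from the repositories the build declares, in the order it declares them. The following is an added Ruby example, not dependabot-core's code. The build script, the com.example:widget coordinate, the version lists and the maven-metadata.xml documents are all constructed, and the network fetch is simulated with an in-memory hash so the example runs offline.

```ruby
# Added example (not dependabot-core's code): pick the newest non-prerelease
# version of a coordinate, looking only in the repositories the build script
# declares, in declared order. Repository contents are simulated with an
# in-memory hash of constructed maven-metadata.xml documents so this runs
# offline; a real checker would GET
# <repo>/<group as path>/<artifact>/maven-metadata.xml over HTTPS.

require 'rubygems' # Gem::Version supplies ordering and prerelease detection

BUILDSCRIPT_GRADLE = <<~'GRADLE'
  buildscript {
      repositories {
          google()
          maven { url 'https://maven.fabric.io/public' }
          mavenCentral()
      }
      dependencies {
          classpath 'com.example:widget:4.0.1'
      }
  }
GRADLE

# URLs behind Gradle's shorthand repository helpers.
SHORTHAND_REPOS = {
  'google'       => 'https://dl.google.com/dl/android/maven2',
  'mavenCentral' => 'https://repo.maven.apache.org/maven2',
  'jcenter'      => 'https://jcenter.bintray.com'
}.freeze

# Repository URLs in declaration order (maven { url '..' } may span lines);
# unknown shorthands are skipped.
def declared_repositories(build_text)
  repos = []
  build_text.scan(/^\s*(?:(\w+)\(\)|maven\s*\{\s*url\s*(['"])([^'"]+)\2)/) do |shorthand, _quote, url|
    repo = shorthand ? SHORTHAND_REPOS[shorthand] : url
    repos << repo if repo
  end
  repos
end

# Constructed maven-metadata.xml documents keyed by URL. The fabric repository
# has no entry (a fetch there is a 404); Central only carries an older line.
METADATA = {
  'https://dl.google.com/dl/android/maven2/com/example/widget/maven-metadata.xml' => <<~XML,
    <metadata>
      <versioning>
        <versions>
          <version>4.0.1</version>
          <version>4.0.2</version>
          <version>4.1.0-beta1</version>
        </versions>
      </versioning>
    </metadata>
  XML
  'https://repo.maven.apache.org/maven2/com/example/widget/maven-metadata.xml' => <<~XML
    <metadata>
      <versioning>
        <versions>
          <version>3.1.0</version>
          <version>3.2.0</version>
        </versions>
      </versioning>
    </metadata>
  XML
}.freeze

def metadata_url(repo, group, name)
  "#{repo}/#{group.tr('.', '/')}/#{name}/maven-metadata.xml"
end

# Simulated fetch: nil plays the role of an HTTP 404 from that repository.
def fetch_metadata(url)
  METADATA[url]
end

# <version> elements in document order (a regex is enough for this flat file).
def versions_in(xml)
  xml.scan(%r{<version>([^<]+)</version>}).flatten
end

# Newest version published by any declared repository, excluding prereleases
# (alpha/beta/rc/milestone/snapshot tags contain letters, which Gem::Version
# flags as prerelease); nil when no declared repository has the artifact.
def latest_resolvable_version(group, name, repos)
  candidates = repos.flat_map do |repo|
    xml = fetch_metadata(metadata_url(repo, group, name))
    xml ? versions_in(xml) : []
  end
  candidates.map { |v| Gem::Version.new(v) }.reject(&:prerelease?).max&.to_s
end

# Propose a bump only when it is newer than the declared version and
# resolvable from the build's own repositories; anything else produces a PR
# whose build cannot find the artifact, as in the log above.
def proposed_update(build_text, group, name, current)
  latest = latest_resolvable_version(group, name, declared_repositories(build_text))
  return nil if latest.nil? || Gem::Version.new(latest) <= Gem::Version.new(current)
  latest
end
```

With the constructed data, `proposed_update(BUILDSCRIPT_GRADLE, 'com.example', 'widget', '4.0.1')` returns "4.0.2" because google() is declared; drop google() from the repositories block and the same call returns nil, since Central's newest release (3.2.0) is older than what is already declared. The in-memory hash stands in for the HTTP layer only; the ordering and prerelease filtering are real.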

mueller-ma avatar mueller-ma commented on May 16, 2024

@audkar Thanks for the tip, but it didn't help:

A problem occurred configuring project ':mobile'.
> Could not resolve all artifacts for configuration ':mobile:classpath'.
   > Could not find com.google.gms:google-services:4.0.2.
     Searched in the following locations:
         https://dl.google.com/dl/android/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
         https://dl.google.com/dl/android/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
         https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
         https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
         https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
         https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
     Required by:
         project :mobile

greysteil avatar greysteil commented on May 16, 2024

Let me take a look into this one - I'll get back to you.

mueller-ma avatar mueller-ma commented on May 16, 2024

@greysteil When bumping an annotation processor, two lines need to be changed: https://github.com/openhab/openhab-android/pull/964/files#diff-267b4136e002edb2e31e096623801166L129 and the line below.

mueller-ma avatar mueller-ma commented on May 16, 2024

@greysteil @dependabot-bot must not treat checksums inside the block dependencyVerification {} as version numbers and must not bump them. dependencyVerification {} is created by https://github.com/signalapp/gradle-witness.
openhab/openhab-android#1003

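Three of the scanning concerns raised in this thread (DanielMartinus's ext-based version variables, MiniDigger's short and map notations with either quote style, and the gradle-witness dependencyVerification block just above) fit in one small scanner. Here is an added Ruby example of that; it is not dependabot-core's code, and the two build files, the helper names and the checksum are constructed for the example.

```ruby
# Added example (not dependabot-core's code): a regex-based scanner for Groovy
# build.gradle files that resolves versions declared in an ext { } block
# ($name or ${name}), accepts the short 'group:name:version' and the map
# (group: .., name: .., version: ..) notation with either quote style, and blanks
# out the dependencyVerification { } block written by gradle-witness so its
# checksums are never mistaken for versions. Both files and the checksum below
# are constructed sample input.

DEPENDENCIES_GRADLE = <<~'GRADLE'
  ext {
      myLibraryVersion = '1.0.0'
      supportVersion = "27.1.1"
  }
GRADLE

BUILD_GRADLE = <<~'GRADLE'
  dependencies {
      implementation "com.example:dependency:$myLibraryVersion"
      implementation "com.android.support:appcompat-v7:${supportVersion}"
      compile 'commons-lang:commons-lang:2.6'
      testImplementation group: 'com.google.code.guice', name: 'guice', version: "1.0"
      annotationProcessor 'com.example:processor:2.3.0'
  }

  dependencyVerification {
      verify = [
          'commons-lang:commons-lang:0000000000000000000000000000000000000000000000000000000000000000',
      ]
  }
GRADLE

CONFIGURATIONS = %w[implementation api compile testImplementation testCompile
                    annotationProcessor kapt classpath].freeze
CONFIG_RE = /\b(?:#{CONFIGURATIONS.join('|')})\b/
# Any quoted 'group:name:version' string, wherever it appears; that is exactly
# why the verification block has to be cut out before scanning.
SHORT_RE = /(['"])([\w.\-]+:[\w.\-]+:[^'"\s]+)\1/
# implementation group: 'g', name: 'n', version: 'v' (keys in this order)
MAP_RE = /#{CONFIG_RE}\s*\(?\s*group:\s*(['"])([^'"]+)\1\s*,\s*name:\s*(['"])([^'"]+)\3\s*,\s*version:\s*(['"])([^'"]+)\5/
EXT_ASSIGNMENT_RE = /^\s*(\w+)\s*=\s*(['"])([^'"]+)\2/
CHECKSUM_RE = /\A\h{40,}\z/ # SHA-1/SHA-256 hex digests are never versions

# [start, end] offsets of "name { ... }" with balanced braces, or nil.
def find_block(text, name)
  start = text.index(/\b#{name}\s*\{/)
  return nil unless start
  depth = 0
  (text.index('{', start)...text.length).each do |i|
    depth += 1 if text[i] == '{'
    depth -= 1 if text[i] == '}'
    return [start, i] if depth.zero?
  end
  nil
end

def strip_block(text, name)
  range = find_block(text, name)
  return text unless range
  text[0...range[0]] + text[(range[1] + 1)..-1]
end

def parse_ext(text)
  range = find_block(text, 'ext')
  body = range ? text[range[0]..range[1]] : ''
  body.scan(EXT_ASSIGNMENT_RE).map { |key, _quote, value| [key, value] }.to_h
end

# $name / ${name} become the ext value; unknown names stay as written.
def interpolate(value, ext)
  value.gsub(/\$\{?(\w+)\}?/) { |placeholder| ext.fetch(Regexp.last_match(1), placeholder) }
end

def scan_dependencies(build_text, ext = {})
  text = strip_block(build_text, 'dependencyVerification')
  deps = []
  text.scan(MAP_RE) do |_q1, group, _q2, name, _q3, version|
    deps << { group: group, name: name, version: interpolate(version, ext) }
  end
  text.scan(SHORT_RE) do |_quote, coordinate|
    group, name, version = interpolate(coordinate, ext).split(':') # classifier dropped
    deps << { group: group, name: name, version: version } if version
  end
  deps.reject { |d| d[:version].match?(CHECKSUM_RE) }
end

# Versions still carrying a placeholder were not resolvable from ext; rewriting
# that literal in place would corrupt the build file, so they must not be bumped.
def unresolved(deps)
  deps.select { |d| d[:version].include?('$') }
end

if __FILE__ == $PROGRAM_NAME
  scan_dependencies(BUILD_GRADLE, parse_ext(DEPENDENCIES_GRADLE)).each do |d|
    puts "#{d[:group]}:#{d[:name]} -> #{d[:version]}"
  end
end
```

Two defensive choices are worth noting. The verification block is removed by brace matching rather than by a single regex, so a later entry in the same file is never scanned as a coordinate, and the hex-digest check is kept as a second guard for checksums that turn up elsewhere. Versions that are still placeholders after interpolation are reported by `unresolved` instead of being rewritten, which is what keeps a bump from overwriting a variable reference with a literal.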

greysteil avatar greysteil commented on May 16, 2024

That looks like a pretty easy fix - I'll get it done now!

mueller-ma avatar mueller-ma commented on May 16, 2024

Thanks. Any update on this?

greysteil avatar greysteil commented on May 16, 2024

Gotta confess I accidentally let that one drop. I'm doing a push on Gradle today and tomorrow, though, and will try to get that fixed, too.

greysteil avatar greysteil commented on May 16, 2024

@mueller-ma - OK, the SHA issue is fixed in this commit and the version issue is fixed here. Thanks for pointing both out!

Deploying now - I'll re-run Dependabot on your repos once done and it should close any invalid PRs.

matfax avatar matfax commented on May 16, 2024

Is anyone working on Kotlin DSL yet?

leogiertz avatar leogiertz commented on May 16, 2024

@greysteil Are you planning on supporting dependency locking?

https://docs.gradle.org/current/userguide/dependency_locking.html

Anoukh avatar Anoukh commented on May 16, 2024

Hi, does the latest version support #245 (comment) ?

greysteil avatar greysteil commented on May 16, 2024

Yes - should do. I'm going to close this issue now and we can deal with individual Gradle requests separately. 🎉
