From de785be43822b32ecebfdb8c0441ef2277b6fdd0 Mon Sep 17 00:00:00 2001
From: mgroth0
Date: Thu, 5 Sep 2024 22:12:31 -0400
Subject: [PATCH] reduce usages of 'project' in task action
---
 .../gradle/tasks/AbstractAnalyze.groovy | 52 +++++++++----------
 .../gradle/tasks/Aggregate.groovy | 2 +-
 .../gradle/tasks/Analyze.groovy | 6 ++-
 3 files changed, 32 insertions(+), 28 deletions(-)
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
index 9665daf..f8acf5a 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -64,6 +64,16 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 @Internal
 String currentProjectName = project.getName()
+
+ /**
+ * Gets the projects display name. Project.getDisplayName() has been
+ * introduced with Gradle 3.3, thus we need to check for the method's
+ * existence first. Fallback: use project NAME
+ * @return the display name
+ */
+ @Internal
+ String currentProjectDisplayName = project.metaClass.respondsTo(project, "getDisplayName") ? project.getDisplayName() : project.getName()
+
 @Internal
 Attribute artifactType = Attribute.of('artifactType', String)
 // @Internal
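Review bot: The Javadoc moved onto `currentProjectDisplayName` in the @@ -64 hunk still reads as a method description ("Gets the projects display name", "@return the display name") although it now documents a field whose initializer runs once, when the task instance is created. Reword it to describe the value and the reason it is captured eagerly, e.g. a comment stating that the display name is resolved at task creation so the task action does not need to touch Project, that Project.getDisplayName() only exists since Gradle 3.3 (hence the respondsTo check), and that it falls back to the project name; drop the `@return` tag.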
@@ -111,11 +121,11 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 logger.lifecycle("Generating report for project ${currentProjectName}")
 try {
- String name = project.getName()
- String displayName = determineDisplayName()
+ String name = currentProjectName
+ String displayName = currentProjectDisplayName
 String groupId = project.getGroup()
 String version = project.getVersion().toString()
- File output = project.file(config.outputDirectory)
+ File output = new File(config.outputDirectory)
 for (String f : getReportFormats(config.format, config.formats)) {
 engine.writeReports(displayName, groupId, name, version, output, f, exCol)
 }
@@ -145,15 +155,6 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 }
 }
- /**
- * Gets the projects display name. Project.getDisplayName() has been
- * introduced with Gradle 3.3, thus we need to check for the method's
- * existence first. Fallback: use project NAME
- * @return the display name
- */
- String determineDisplayName() {
- return project.metaClass.respondsTo(project, "getDisplayName") ? project.getDisplayName() : project.getName()
- }
 /**
 * Verifies aspects of the configuration to ensure dependency-check can run correctly.
 */
@@ -232,7 +233,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 logger.warn("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
 if (config.showSummary) {
- DependencyCheckScanAgent.showSummary(project.name, engine.getDependencies());
+ DependencyCheckScanAgent.showSummary(currentProjectName, engine.getDependencies());
 }
 }
@@ -301,8 +302,8 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 * project's path.
 */
 @groovy.transform.CompileStatic
- def shouldBeScanned(Project project) {
- !config.scanProjects || config.scanProjects.contains(project.path)
+ def shouldBeScanned(String projectPath) {
+ !config.scanProjects || config.scanProjects.contains(projectPath)
 }
 /**
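Review bot: `File output = new File(config.outputDirectory)` in the @@ -111 hunk changes where a relative `outputDirectory` ends up: `project.file(...)` resolved it against the project directory, whereas `new File(String)` resolves against the JVM working directory, which for a Gradle daemon or a subproject is generally not the project directory, so the report can be written outside the project tree. The same applies to the `new File(it)` replacements for the './package.json'-style entries in the @@ -443 hunk, where a wrong base directory makes `f.exists()` false and the lockfiles are silently skipped rather than reported. Capture the base directory eagerly like the names are, e.g. `@Internal File currentProjectDir = project.projectDir`, and resolve with `File output = new File(config.outputDirectory); if (!output.isAbsolute()) { output = new File(currentProjectDir, config.outputDirectory) }` (assuming `outputDirectory` is a String; if it can be a File or Path the cast also needs handling). The enclosing method starts and ends outside this hunk.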
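Review bot: `shouldBeScanned` in the @@ -301 hunk (and `shouldBeSkipped` in the @@ -310 hunk) now takes a `String projectPath` but the Javadoc `@param` sits above the hunk and presumably still describes a Project; update it to `@param projectPath the Gradle path of the project to check`. Since both methods are `@CompileStatic` and evaluate a boolean expression, declaring the return type as `boolean` instead of `def` would also document the contract for the callers in Aggregate and Analyze.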
@@ -310,8 +311,8 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 * because skipProjects contains the project's path.
 */
 @groovy.transform.CompileStatic
- def shouldBeSkipped(Project project) {
- config.skipProjects.contains(project.path)
+ def shouldBeSkipped(String projectPath) {
+ config.skipProjects.contains(projectPath)
 }
 /**
@@ -415,7 +416,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 if (CUTOVER_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
 processConfigLegacy configuration, engine
 } else {
- processConfigV4 project, configuration, engine, true
+ processConfigV4 project.name, configuration, engine, true
 }
 }
 }
@@ -434,7 +435,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 if (CUTOVER_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
 processConfigLegacy configuration, engine
 } else {
- processConfigV4 project, configuration, engine
+ processConfigV4 currentProjectName, configuration, engine
 }
 }
 if (config.scanSet == null) {
@@ -443,18 +444,18 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 './npm-shrinkwrap.json', './yarn.lock', './pnpm.lock', 'pnpm-lock.yaml', './Gopkg.lock', './go.mod']
 toScan.each {
- File f = project.file it
+ File f = new File(it)
 if (f.exists()) {
- engine.scan(f, project.name)
+ engine.scan(f, currentProjectName)
 }
 }
 } else {
 config.scanSet.each {
- File f = project.file it
+ File f = it
 if (f.exists()) {
- engine.scan(f, project.name)
+ engine.scan(f, currentProjectName)
 } else {
- logger.warn("ScanSet file `${f}` does not exist in ${project.name}")
+ logger.warn("ScanSet file `${f}` does not exist in ${currentProjectName}")
 }
 }
 }
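Review bot: The @@ -415 hunk still passes `project.name` into `processConfigV4` while the otherwise parallel @@ -434 hunk passes `currentProjectName`; the two call sites should agree, and which one is right depends on what `project` refers to there. The enclosing method's signature is outside the hunk, but Aggregate.scanProject in this same patch calls `processConfigurations(project, engine)` once per subproject, so if these loops live inside `processConfigurations(Project project, Engine engine)`, then `project` is that parameter and `currentProjectName` (the task's own project) would label every subproject's dependencies and scan-set files with the aggregating project's name. Please confirm which project the name should come from; if it is the parameter, keep `project.name` in both hunks (and in the `engine.scan(f, ...)` calls of the @@ -443 hunk) and only use `currentProjectName` in code paths that run on the task's own project.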
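Review bot: `File f = it` in the @@ -443 hunk assumes every element of `config.scanSet` is already a `File`; the replaced `project.file it` accepted any path-like value (String, Path, File), so a user-configured `scanSet` of strings would now fail with a cast error at execution time instead of being resolved. If `scanSet` is declared as a `List<File>` in the extension this is fine and a comment saying so would help; otherwise keep the tolerant conversion, e.g. `File f = it instanceof File ? it : new File(it.toString())`, resolving relative entries against the project directory rather than the working directory.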
@@ -550,8 +551,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 * @param engine the dependency-check engine
 * @param scanningBuildEnv true if scanning the build environment; otherwise false
 */
- protected void processConfigV4(Project project, Configuration configuration, Engine engine, boolean scanningBuildEnv = false) {
- String projectName = project.name
+ protected void processConfigV4(String projectName, Configuration configuration, Engine engine, boolean scanningBuildEnv = false) {
 String scope = "$projectName:$configuration.name"
 if (scanningBuildEnv) {
 scope += " (buildEnv)"
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
index 5691080..96877c6 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
@@ -51,7 +51,7 @@ class Aggregate extends AbstractAnalyze {
 private def scanProject(Set projects, Engine engine) {
 projects.each { Project project ->
- if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
+ if (shouldBeScanned(project.path) && !shouldBeSkipped(project.path)) {
 if (this.config.scanDependencies) {
 processConfigurations(project, engine)
 }
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
index b4645be..c1d2d4a 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
@@ -18,6 +18,7 @@ package org.owasp.dependencycheck.gradle.tasks
+import org.gradle.api.tasks.Internal
 import org.owasp.dependencycheck.Engine
 /**
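Review bot: The first parameter of `processConfigV4` in the @@ -550 hunk is now a `String projectName`, but the Javadoc `@param` for it lies above the hunk and presumably still describes the removed `Project project`; change it to `@param projectName the name of the project whose configuration is being scanned` so the documented contract matches the signature. The method body continues past the end of the hunk.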
@@ -26,6 +27,9 @@ import org.owasp.dependencycheck.Engine
 @groovy.transform.CompileStatic
 class Analyze extends AbstractAnalyze {
+ @Internal
+ String currentProjectPath = project.path
+
 Analyze() {
 group = 'OWASP dependency-check'
 description = 'Identifies and reports known vulnerabilities (CVEs) in project dependencies.'
@@ -39,7 +43,7 @@ class Analyze extends AbstractAnalyze {
 * Loads the projects dependencies into the dependency-check analysis engine.
 */
 def scanDependencies(Engine engine) {
- if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
+ if (shouldBeScanned(currentProjectPath) && !shouldBeSkipped(currentProjectPath)) {
 logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
 if (this.config.scanDependencies) {
 processConfigurations(project, engine)
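Review bot: `currentProjectPath` in the @@ -26 hunk is declared on `Analyze`, while its siblings `currentProjectName` and `currentProjectDisplayName` are declared on `AbstractAnalyze` in this same patch; keeping the three eagerly captured project attributes together in the base class would make the pattern easier to follow and saves the extra `Internal` import here. A short comment on the field, e.g. `// captured at task creation so the task action does not read Project`, would state why the value is a field and not read inline. Note that the new side of the @@ -39 hunk still passes `project` to `processConfigurations(project, engine)` from within the task action, so the goal named in the commit title is only partly reached in this class.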