Gradle create fix pull request

packagehandlers/commonpackagehandler.go

@@ -32,6 +32,8 @@ func GetCompatiblePackageHandler(vulnDetails *utils.VulnerabilityDetails, detail
 		handler = &MavenPackageHandler{depsRepo: details.DepsRepo, ServerDetails: details.ServerDetails}
 	case coreutils.Nuget:
 		handler = &NugetPackageHandler{}
+	case coreutils.Gradle:
+		handler = &GradlePackageHandler{}
 	default:
 		handler = &UnsupportedPackageHandler{}
 	}

packagehandlers/gradlepackagehandler.go

@@ -0,0 +1,164 @@
+package packagehandlers
+
+import (
+	"fmt"
+	"github.com/jfrog/frogbot/utils"
+	"github.com/jfrog/jfrog-client-go/utils/errorutils"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+const (
+	groovyBuildFileSuffix         = "build.gradle"
+	kotlinBuildFileSuffix         = "build.gradle.kts"
+	apostrophes                   = "[\\\"|\\']"
+	directMapRegexpEntry          = "\\s*%s\\s*[:|=]\\s*"
+	directStringWithVersionFormat = "%s:%s:%s"
+)
+
+var directMapWithVersionRegexp string
+
+func init() {
+	// Initializing a regexp pattern for map dependencies
+	// Example: group: "junit", name: "junit", version: "1.0.0" | group = "junit", name = "junit", version = "1.0.0"
+	groupEntry := getMapRegexpEntry("group")
+	nameEntry := getMapRegexpEntry("name")
+	versionEntry := getMapRegexpEntry("version")
+	directMapWithVersionRegexp = groupEntry + "," + nameEntry + "," + versionEntry
+}
+
+type GradlePackageHandler struct {
+	CommonPackageHandler
+}
+
+func (gph *GradlePackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
+	if vulnDetails.IsDirectDependency {
+		return gph.updateDirectDependency(vulnDetails)
+	}
+
+	return &utils.ErrUnsupportedFix{
+		PackageName:  vulnDetails.ImpactedDependencyName,
+		FixedVersion: vulnDetails.SuggestedFixedVersion,
+		ErrorType:    utils.IndirectDependencyFixNotSupported,
+	}
+}
+
+func (gph *GradlePackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) (err error) {
+	if !isVersionSupportedForFix(vulnDetails.ImpactedDependencyVersion) {
+		return &utils.ErrUnsupportedFix{
+			PackageName:  vulnDetails.ImpactedDependencyName,
+			FixedVersion: vulnDetails.SuggestedFixedVersion,
+			ErrorType:    utils.UnsupportedForFixVulnerableVersion,
+		}
+	}
+
+	// A gradle project may contain several descriptor files in several sub-modules. Each vulnerability may be found in each of the descriptor files.
+	// Therefore we iterate over every descriptor file for each vulnerability and try to find and fix it.
+	descriptorFilesPaths, err := getDescriptorFilesPaths()
+	if err != nil {
+		return
+	}
+
+	for _, descriptorFilePath := range descriptorFilesPaths {
+		err = fixVulnerabilityIfExists(descriptorFilePath, vulnDetails)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
+// Checks if the impacted version is currently supported for fix
+func isVersionSupportedForFix(impactedVersion string) bool {
+	if strings.Contains(impactedVersion, "+") ||
+		(strings.Contains(impactedVersion, "[") || strings.Contains(impactedVersion, "(")) ||
+		strings.Contains(impactedVersion, "latest.release") {
+		return false
+	}
+	return true
+}
+
+// Collects all descriptor files absolute paths
+func getDescriptorFilesPaths() (descriptorFilesPaths []string, err error) {
+	err = filepath.WalkDir(".", func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return fmt.Errorf("error has occured when trying to access or traverse the files system: %s", err.Error())
+		}
+
+		if d.Type().IsRegular() && (strings.HasSuffix(path, groovyBuildFileSuffix) || strings.HasSuffix(path, kotlinBuildFileSuffix)) {
+			absFilePath, innerErr := filepath.Abs(path)
+			if innerErr != nil {
+				return fmt.Errorf("couldn't retrieve file's absolute path for './%s':%s", path, innerErr.Error())
+			}
+			descriptorFilesPaths = append(descriptorFilesPaths, absFilePath)
+		}
+		return nil
+	})
+	return
+}
+
+// Fixes all direct occurrences (string/map) of the given vulnerability in the given descriptor file if vulnerability occurs
+func fixVulnerabilityIfExists(descriptorFilePath string, vulnDetails *utils.VulnerabilityDetails) (err error) {
+	byteFileContent, err := os.ReadFile(descriptorFilePath)
+	if err != nil {
+		err = fmt.Errorf("couldn't read file '%s': %s", descriptorFilePath, err.Error())
+		return
+	}
+	fileContent := string(byteFileContent)
+
+	depGroup, depName, err := getVulnerabilityGroupAndName(vulnDetails.ImpactedDependencyName)
+	if err != nil {
+		return
+	}
+
+	// Fixing all vulnerable rows in string format
+	directStringVulnerableRow := fmt.Sprintf(directStringWithVersionFormat, depGroup, depName, vulnDetails.ImpactedDependencyVersion)
+	directStringFixedRow := fmt.Sprintf(directStringWithVersionFormat, depGroup, depName, vulnDetails.SuggestedFixedVersion)
+	fileContent = strings.ReplaceAll(fileContent, directStringVulnerableRow, directStringFixedRow)
+
+	// Fixing all vulnerable rows in a map format
+	mapRegexpForVulnerability := fmt.Sprintf(directMapWithVersionRegexp, depGroup, depName, vulnDetails.ImpactedDependencyVersion)
+	regexpCompiler := regexp.MustCompile(mapRegexpForVulnerability)
+	if rowsMatches := regexpCompiler.FindAllString(fileContent, -1); rowsMatches != nil {
+		for _, entry := range rowsMatches {
+			fixedRow := strings.Replace(entry, vulnDetails.ImpactedDependencyVersion, vulnDetails.SuggestedFixedVersion, 1)
+			fileContent = strings.ReplaceAll(fileContent, entry, fixedRow)
+		}
+	}
+
+	err = writeUpdatedBuildFile(descriptorFilePath, fileContent)
+	return
+}
+
+// Returns separated 'group' and 'name' for a given vulnerability name
+func getVulnerabilityGroupAndName(impactedDependencyName string) (depGroup string, depName string, err error) {
+	seperatedImpactedDepName := strings.Split(impactedDependencyName, ":")
+	if len(seperatedImpactedDepName) != 2 {
+		err = errorutils.CheckErrorf("unable to parse impacted dependency name '%s'", impactedDependencyName)
+		return
+	}
+	return seperatedImpactedDepName[0], seperatedImpactedDepName[1], err
+}
+
+func getMapRegexpEntry(mapEntry string) string {
+	return fmt.Sprintf(directMapRegexpEntry, mapEntry) + apostrophes + "%s" + apostrophes
+}
+
+// Writes the updated content of the descriptor's file into the file
+func writeUpdatedBuildFile(filePath string, fileContent string) (err error) {
+	fileInfo, err := os.Stat(filePath)
+	if err != nil {
+		err = fmt.Errorf("couldn't get file info for file '%s': %s", filePath, err.Error())
+		return
+	}
+	filePerm := fileInfo.Mode()
+
+	err = os.WriteFile(filePath, []byte(fileContent), filePerm)
+	if err != nil {
+		err = fmt.Errorf("couldn't write fixes to file '%s': %q", filePath, err)
+	}
+	return
+}

packagehandlers/packagehandlers_test.go

@@ -4,10 +4,12 @@ import (
 	"fmt"
 	testdatautils "github.com/jfrog/build-info-go/build/testdata"
 	biutils "github.com/jfrog/build-info-go/utils"
+	fileutils "github.com/jfrog/build-info-go/utils"
 	"github.com/jfrog/frogbot/utils"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/formats"
 	"github.com/stretchr/testify/assert"
+	"math"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -218,6 +220,50 @@ func TestUpdateDependency(t *testing.T) {
 				fixSupported: true,
 			},
 		},
+
+		// Gradle test cases
+		{
+			{
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "4.13.1",
+					IsDirectDependency:          false,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "commons-collections:commons-collections", ImpactedDependencyVersion: "3.2"}},
+				},
+				fixSupported: false,
+			},
+			{ // Unsupported fix: dynamic version
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "3.2.2",
+					IsDirectDependency:          true,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "commons-collections:commons-collections", ImpactedDependencyVersion: "3.+"}},
+				},
+				fixSupported: false,
+			},
+			{ // Unsupported fix: latest version
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "3.2.2",
+					IsDirectDependency:          true,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "commons-collections:commons-collections", ImpactedDependencyVersion: "latest.release"}},
+				},
+				fixSupported: false,
+			},
+			{ // Unsupported fix: range version
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "3.2.2",
+					IsDirectDependency:          true,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "commons-collections:commons-collections", ImpactedDependencyVersion: "[3.0, 3.5.6)"}},
+				},
+				fixSupported: false,
+			},
+			{
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "4.13.1",
+					IsDirectDependency:          true,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "junit:junit", ImpactedDependencyVersion: "4.7"}},
+				},
+				fixSupported: true,
+			},
+		},
 	}
 
 	for _, testBatch := range testCases {
@@ -568,6 +614,8 @@ func uniquePackageManagerChecks(t *testing.T, test dependencyFixTest) {
 	case coreutils.Go:
 		packageDescriptor := extraArgs[0]
 		assertFixVersionInPackageDescriptor(t, test, packageDescriptor)
+	case coreutils.Gradle:
+		checkVulnVersionFixInBuildFile(t, test)
 	default:
 	}
 }
@@ -598,3 +646,117 @@ func TestGetFixedPackage(t *testing.T) {
 		assert.Equal(t, test.expectedOutput, fixedPackageArgs)
 	}
 }
+
+func checkVulnVersionFixInBuildFile(t *testing.T, testcase dependencyFixTest) {
+	depGroup, depName, err := getVulnerabilityGroupAndName(testcase.vulnDetails.ImpactedDependencyName)
+	assert.NoError(t, err)
+
+	stringPatternForVulnerability := fmt.Sprintf(directStringWithVersionFormat, depGroup, depName, testcase.vulnDetails.ImpactedDependencyVersion)
+	mapRegexpForVulnerability := fmt.Sprintf(directMapWithVersionRegexp, depGroup, depName, testcase.vulnDetails.ImpactedDependencyVersion)
+	mapRegexpCompiler := regexp.MustCompile(mapRegexpForVulnerability)
+
+	descriptorFilesPaths, err := getDescriptorFilesPaths()
+	assert.NoError(t, err)
+
+	for _, filePath := range descriptorFilesPaths {
+		fileContent, readErr := os.ReadFile(filePath)
+		assert.NoError(t, readErr)
+
+		// Checking there is no unfixed rows in a string format
+		assert.NotContains(t, fileContent, stringPatternForVulnerability)
+
+		// Checking there is no unfixed rows in a map format
+		rowsMatches := mapRegexpCompiler.FindAllString(string(fileContent), -1)
+		assert.Empty(t, rowsMatches)
+	}
+}
+
+func TestGradleGetDescriptorFilesPaths(t *testing.T) {
+	currDir, err := os.Getwd()
+	assert.NoError(t, err)
+	tmpDir, err := os.MkdirTemp("", "")
+	assert.NoError(t, err)
+	assert.NoError(t, biutils.CopyDir(filepath.Join("..", "testdata", "projects", "gradle"), tmpDir, true, nil))
+	assert.NoError(t, os.Chdir(tmpDir))
+	defer func() {
+		assert.NoError(t, os.Chdir(currDir))
+	}()
+	finalPath, err := os.Getwd()
+	assert.NoError(t, err)
+
+	expectedResults := []string{filepath.Join(finalPath, "build.gradle"), filepath.Join(finalPath, "innerProjectForTest", "build.gradle.kts")}
+
+	buildFilesPaths, err := getDescriptorFilesPaths()
+	assert.NoError(t, err)
+	assert.ElementsMatch(t, expectedResults, buildFilesPaths)
+}
+
+func TestGradleFixVulnerabilityIfExists(t *testing.T) {
+	currDir, err := os.Getwd()
+	assert.NoError(t, err)
+
+	tmpDir, err := os.MkdirTemp("", "")
+	assert.NoError(t, err)
+	assert.NoError(t, biutils.CopyDir(filepath.Join("..", "testdata", "projects", "gradle", "innerProjectForTest"), tmpDir, true, nil))
+	assert.NoError(t, os.Chdir(tmpDir))
+	defer func() {
+		assert.NoError(t, os.Chdir(currDir))
+	}()
+
+	buildFiles, err := getDescriptorFilesPaths()
+	assert.NoError(t, err)
+
+	err = fixVulnerabilityIfExists(buildFiles[0], &utils.VulnerabilityDetails{
+		SuggestedFixedVersion:       "4.13.1",
+		IsDirectDependency:          true,
+		VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Gradle, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "junit:junit", ImpactedDependencyVersion: "4.7"}}})
+
+	assert.NoError(t, err)
+
+	finalPath, err := os.Getwd()
+	assert.NoError(t, err)
+
+	expectedFileContent, err := fileutils.ReadNLines(filepath.Join(finalPath, "fixedBuildGradleKtsForCompare.txt"), math.MaxInt)
+	assert.NoError(t, err)
+
+	fixedFileContent, err := fileutils.ReadNLines(filepath.Join(finalPath, "build.gradle.kts"), math.MaxInt)
+	assert.NoError(t, err)
+
+	assert.ElementsMatch(t, expectedFileContent, fixedFileContent)
+}
+
+func TestGradleIsVersionSupportedForFix(t *testing.T) {
+	var testcases = []struct {
+		impactedVersion string
+		expectedResult  bool
+	}{
+		{
+			impactedVersion: "10.+",
+			expectedResult:  false,
+		},
+		{
+			impactedVersion: "[10.3, 11.0)",
+			expectedResult:  false,
+		},
+		{
+			impactedVersion: "(10.4.2, 11.7.8)",
+			expectedResult:  false,
+		},
+		{
+			impactedVersion: "latest.release",
+			expectedResult:  false,
+		},
+		{
+			impactedVersion: "5.5",
+			expectedResult:  true,
+		},
+		{
+			impactedVersion: "9.0.13-beta",
+			expectedResult:  true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		assert.Equal(t, testcase.expectedResult, isVersionSupportedForFix(testcase.impactedVersion))
+	}
+}