@jagonalez jagonalez commented Jul 21, 2025

Overview

This PR excludes constraints when retrieving dependencies.

One of the API calls we use for retrieving Gradle dependencies also includes "constraints", which get treated as a direct dependency. After reviewing the Gradle GitHub issues, it seems this used to affect Gradle dependencies, but they filtered out the constraint dependencies. Any dependencies (direct or transitive) are still reported without issues.

Constraints guide: https://docs.gradle.org/current/userguide/dependency_constraints.html

I did not include tests since the change is specifically to the jsondeps.gradle file and we don't have any testing setup for it. I manually tested the changes; see below.

Acceptance criteria

  • dependency constraints are not reported as direct dependencies
  • direct & transitive dependencies which are constrained are still reported

Testing plan

Use this Gradle.build file:

```groovy
plugins {
    id('java-platform')
}

group = 'com.example.platform'

// allow the definition of dependencies to other platforms like the Spring Boot BOM
javaPlatform.allowDependencies()

repositories {
    mavenCentral()
}

dependencies {
    api('org.springframework.boot:spring-boot-cli:3.4.7')

    constraints {
        api('org.apache.httpcomponents.client5:httpclient5:5.5')
    }
}
```

check out the master branch:
run `gradle -I/path/to/fossa-cli/scripts/jsondeps.gradle jsonDeps`
look for `RESOLUTIONAPI_JSONDEPS_:_` - then I either copy & paste or use jq on the json snippet
in particular - you'll see `org.apache.httpcomponents.client5:httpclient5:5.5` as a direct dependency (`resolvedConfigurationDirectComponents`)
[screenshot]

^ this is no bueno

switch to this branch, run the gradle command again, and now you get:
[screenshot]
mucho better!
and the httpclient dependency still exists:
[screenshot]

Risks

n/a

Metrics

n/a

References

Ticket: https://fossa.atlassian.net/browse/ANE-2564

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
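The behaviour the PR description is working around, shown as an added example: this is not fossa-cli's `scripts/jsondeps.gradle` and not code from the PR. It is a stand-alone Gradle init script that walks the resolution result of every resolvable configuration and separates constraint edges from real dependency edges with `DependencyResult.isConstraint()`, which is the distinction the acceptance criteria ask for. A constraint on its own does not put anything on the classpath, so reporting it as a direct dependency inflates the inventory an SCA tool hands on for vulnerability matching; at the same time the filter has to work per edge, because a constrained module that some component really depends on (httpclient5 in the PR's build file, if spring-boot-cli pulls it in) is still a transitive dependency. Assumed and not from the page: Gradle 6.8 or later (where `isConstraint()` exists), the task name `showDirectDeps`, the file name `constraints-demo.gradle`, and the printed labels.

```groovy
// Added example (not fossa-cli's scripts/jsondeps.gradle). Assumes Gradle >= 6.8, where
// DependencyResult.isConstraint() is available. Run as an init script against any project:
//   gradle -I constraints-demo.gradle showDirectDeps
import org.gradle.api.artifacts.component.ModuleComponentSelector
import org.gradle.api.artifacts.result.ResolvedDependencyResult
import org.gradle.api.artifacts.result.UnresolvedDependencyResult

// "group:name" key for a resolved component; null for components without module coordinates
// (e.g. project dependencies), which we leave out of the comparison.
def moduleKey = { comp ->
    comp.moduleVersion ? "${comp.moduleVersion.group}:${comp.moduleVersion.name}".toString() : null
}

allprojects {
    tasks.register('showDirectDeps') {
        doLast {
            configurations.matching { it.canBeResolved }.each { cfg ->
                def result = cfg.incoming.resolutionResult
                def root = result.root

                // Every edge leaving the root component. An edge with isConstraint() == true comes from a
                // `constraints { ... }` block or an imported platform/BOM: it pins a version but declares
                // no dependency, so it must not be reported as a direct dependency.
                def constraintEdges = root.dependencies.findAll { it.constraint }
                def realEdges       = root.dependencies.findAll { !it.constraint }

                def direct = realEdges.findAll { it instanceof ResolvedDependencyResult }
                                      .collect { it.selected.id.displayName }.sort()
                def unresolved = realEdges.findAll { it instanceof UnresolvedDependencyResult }
                                          .collect { it.attempted.displayName }.sort()

                // Modules reached through a NON-constraint edge anywhere in the graph. The filter is per
                // edge, not per module: a constrained module that some component really depends on is
                // still a (transitive) dependency and stays in the report.
                Set reached = result.allComponents.collectMany { comp ->
                    comp.dependencies
                        .findAll { it instanceof ResolvedDependencyResult && !it.constraint }
                        .collect { moduleKey(it.selected) }
                }.findAll { it != null } as Set

                // Constraint targets as "group:name", for comparison with the reached set.
                def constrained = constraintEdges.collect { it.requested }
                        .findAll { it instanceof ModuleComponentSelector }
                        .collect { "${it.group}:${it.module}".toString() }.sort()

                println "== ${project.path} [${cfg.name}]"
                println "direct dependencies (reported):             ${direct}"
                if (unresolved) {
                    println "direct but unresolved:                      ${unresolved}"
                }
                println "constraints only (not reported as direct):  ${constrained}"
                println "constrained and also reached by a real edge (reported as transitive): " +
                        "${constrained.findAll { it in reached }}"
            }
        }
    }
}
```

Against the PR's build file the `constraints only` line is where `org.apache.httpcomponents.client5:httpclient5` is expected to appear, and it only shows up in the last line if some resolved component actually depends on it; that last line is the check for the second acceptance criterion.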

@jagonalez jagonalez marked this pull request as ready for review July 21, 2025 23:29
@jagonalez jagonalez requested a review from a team as a code owner July 21, 2025 23:29
@jagonalez jagonalez requested a review from jssblck July 21, 2025 23:29
@jagonalez jagonalez merged commit 9cf32d1 into master Jul 23, 2025
19 checks passed
@jagonalez jagonalez deleted the jg/ane-2564 branch July 23, 2025 16:34
james-fossa added a commit that referenced this pull request Aug 7, 2025
… flag. (#1573)

* gradle: exclude constraints when retrieving dependencies (#1563)

* [ane-2575] scan all layers for os info (#1566)

* scan all layers for os info

* add test

* lint

* accidentally on purposed

* whitespace

* typo

* update changelog

* no need to log

* prepare for release

* WIP

* WIP

* Get ficus wired in and at least vaguely tested. More to do to get tests to be coherent.

Now we're cooking with gas:
```
Running Ficus analysis on /Users/jclemer/wam/
[DEBUG] Executing ficus
[DEBUG] Ficus returned 4 errors, 0 debug messages, 1 findings
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/index",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.idx",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.pack",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.rev",
      },
  )
FINDING fingerprint: {"analysis_id":15}
Ficus analysis completed successfully with analysis ID: 15
```

* Fixing up formatting

* [ANE-2484] Add ficus to extra-source files

* Fix FICUS_ASSET_POSTFIX to match changed release

* Fix Windows postfix for changed release

* Change themis arch in suffix

---------

Co-authored-by: Jeremy Gonzalez <jeremy@fossa.com>
james-fossa added a commit that referenced this pull request Aug 11, 2025
* [ANE-2484] Download ficus in vendor_download.sh

* [ANE-2484] Listen to shellcheck's wisdom

* [ANE-2484][ANE-2503] Actually call Ficus, use `--x-snippet-scan` as a flag. (#1573)

* gradle: exclude constraints when retrieving dependencies (#1563)

* [ane-2575] scan all layers for os info (#1566)

* scan all layers for os info

* add test

* lint

* accidentally on purposed

* whitespace

* typo

* update changelog

* no need to log

* prepare for release

* WIP

* WIP

* Get ficus wired in and at least vaguely tested. More to do to get tests to be coherent.

Now we're cooking with gas:
```
Running Ficus analysis on /Users/jclemer/wam/
[DEBUG] Executing ficus
[DEBUG] Ficus returned 4 errors, 0 debug messages, 1 findings
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/index",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.idx",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.pack",
      },
  )
[WARN] ERROR fingerprint: Read(
      Custom {
          kind: InvalidData,
          error: "binary file detected: /Users/jclemer/wam/.git/objects/pack/pack-183ce412024750728f9349e31668d39ee389840e.rev",
      },
  )
FINDING fingerprint: {"analysis_id":15}
Ficus analysis completed successfully with analysis ID: 15
```

* Fixing up formatting

* [ANE-2484] Add ficus to extra-source files

* Fix FICUS_ASSET_POSTFIX to match changed release

* Fix Windows postfix for changed release

* Change themis arch in suffix

---------

Co-authored-by: Jeremy Gonzalez <jeremy@fossa.com>

* Caveperson debug vendor_download

---------

Co-authored-by: Jeremy Gonzalez <jeremy@fossa.com>