-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependabot scanning does not work with Gradle if private only repos defined #3236
Comments
Hey @zendern thanks for submitting this detailed issue. Can you please clarify what the expected outcome is in order to resolve this issue? |
@xlgmokha sorry about that. The expected outcome is that I should be able to get depenabot pull requests for my project that has only private repos configured. Current state is that no pull requests happen b/c all calls to check versions are trying to hit the private repos and result in 404s and dependabot (at least github version) will never have access to the private repo. |
Thanks @zendern. I appreciate the logs, this is very helpful. I want to make sure that I understand the problem before suggesting When a private registry is configured, Dependabot will attempt E.g.
When this occurs you would like Dependabot Does this capture the scenario and behaviour that you're expecting? |
@xlgmokha that describes it 100%. And I understand that in this case any private repo only dependencies dependabot will not be able to assist with. |
@xlgmokha also if I get a chance this weekend I was going to spin up a maven project with a parallel configuration as the Gradle version to validate it already has this behavior. |
New maven example added in the same repo here Split it into Updated Which now has both projects configured. Gradle still fails. Maven does what I assumed based on the code and attempts the private, fails and falls back to the maven central. Log output from the maven run here. Also you can see the PRs its opened for the maven version as well in the project.
|
Fixes dependabot#3236 By following what Maven ecosystem is doing by always adding Maven Central repo to the list.
Closing this as private repo integrations are planned per conversation in the pr cc @xlgmokha |
In case you missed it: https://github.blog/changelog/2021-03-15-dependabot-private-registry-support-public-beta/. I'd love to hear your feedback if you're able to give it a try. |
awesome!!! Thanks for the follow-up. I'll let you know if we enable it. I know poking a hole in the firewall might be a big hurdle. |
Package manager/ecosystem
Gradle
Manifest contents prior to update
Link to build.gradle
https://github.com/zendern/private-repo-dependabot-fail/blob/f75be4f5414c17c5194788ab0cf59a26c61bed95/build.gradle#L18
Link to settings.gradle
https://github.com/zendern/private-repo-dependabot-fail/blob/f75be4f5414c17c5194788ab0cf59a26c61bed95/settings.gradle#L3
Updated dependency
org.springframework.boot
2.3.9.RELEASE to 2.4.3
org.testcontainers:postgresql
1.15.1 to 1.15.2
org.projectlombok:lombok
1.18.12 to 1.18.18
See here
https://github.com/zendern/private-repo-dependabot-fail/pull/1
This was opened before i only enabled the private repo and removed maven central.
Commit to do that was here. It came about a minute after that pr 🤦
https://github.com/zendern/private-repo-dependabot-fail/commit/f75be4f5414c17c5194788ab0cf59a26c61bed95
What you expected to see, versus what you actually saw
No prs are opened. All calls 404. See logs from Insights -> Dependency Graph -> Dependabot scan results.
Images of the diff or a link to the PR, issue or logs
You should be able to fork this repo and reproduce the same issue.
https://github.com/zendern/private-repo-dependabot-fail
Other information
I believe the maven version of dependabot currently will append maven central no matter what you have defined if I'm reading this code correctly.
dependabot-core/maven/lib/dependabot/maven/file_parser/repositories_finder.rb
Lines 38 to 54 in f3239df
I think the fix might be to add the same thing here.
dependabot-core/gradle/lib/dependabot/gradle/file_parser/repositories_finder.rb
Lines 33 to 42 in f3239df
Because right now the gradle version only works if you have an artifact repo that is public defined in your setup and in my case I cannot do that. But if dependabot wants to use that and its metadata to tell me I can update that is fine with me.
I'm happy to open a PR for this please let me know.
Current workaround
For others looking at this issue. If you are on gradle 6.8 or higher you can simply start to use the following configuration and put it in settings.gradle and remove whatever you have in your build.gradle files.
This will configure where plugins are pulled and the new
dependencyResolutionManagement
(https://docs.gradle.org/current/userguide/dependency_management.html#sub:centralized-repository-declaration) allows you to say use this for all projects. The PREFER_SETTINGS flag will simply just ignore anything you put in build.gradle and use what you have in settings.gradle.It works b/c the parsing that dependabot does doesn't look at settings.gradle or that new block whatsoever and it just ends up falling back to maven central.
The text was updated successfully, but these errors were encountered: