Audit: Select right Java version

AUDIT-CONFIG.md

@@ -3,7 +3,7 @@
 ## Properties
 
 - **`audit`** _(object)_: Cannot contain additional properties.
-  - **`snyk`** _(object)_: Cannot contain additional properties. - **`enabled`** _(boolean)_: Enable Snyk audit. Default: `true`. - **`files-no-install`** _(array)_: Dependency files that will not be installed. Default: `[]`. - **Items** _(string)_ - **`pip-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`. - **Items** _(string)_ - **`pipenv-sync-arguments`** _(array)_: Arguments to pass to pipenv sync. Default: `[]`. - **Items** _(string)_ - **`poetry-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`. - **Items** _(string)_ - **`monitor-arguments`** _(array)_: Arguments to pass to Snyk monitor. Default: `["--all-projects"]`. - **Items** _(string)_ - **`test-arguments`** _(array)_: Arguments to pass to Snyk test. Default: `["--all-projects", "--severity-threshold=medium"]`. - **Items** _(string)_ - **`fix-arguments`** _(array)_: Arguments to pass to Snyk fix. Default: `["--all-projects"]`. - **Items** _(string)_ - **`monitor`** _(object)_: Cannot contain additional properties. - **`project-environment`** _(array)_: Set the project environment project attribute. To clear the project environment set empty array.
+  - **`snyk`** _(object)_: Cannot contain additional properties. - **`enabled`** _(boolean)_: Enable Snyk audit. Default: `true`. - **`files-no-install`** _(array)_: Dependency files that will not be installed. Default: `[]`. - **Items** _(string)_ - **`pip-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`. - **Items** _(string)_ - **`pipenv-sync-arguments`** _(array)_: Arguments to pass to pipenv sync. Default: `[]`. - **Items** _(string)_ - **`poetry-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`. - **Items** _(string)_ - **`java-path-for-gradle`** _(object)_: Path to the directory that contains Java executable to use for the Gradle minor version. Can contain additional properties. Default: `{}`. - **Additional properties** _(string)_ - **`monitor-arguments`** _(array)_: Arguments to pass to Snyk monitor. Default: `["--all-projects"]`. - **Items** _(string)_ - **`test-arguments`** _(array)_: Arguments to pass to Snyk test. Default: `["--all-projects", "--severity-threshold=medium"]`. - **Items** _(string)_ - **`fix-arguments`** _(array)_: Arguments to pass to Snyk fix. Default: `["--all-projects"]`. - **Items** _(string)_ - **`monitor`** _(object)_: Cannot contain additional properties. - **`project-environment`** _(array)_: Set the project environment project attribute. To clear the project environment set empty array.
     For more information see Project attributes https://docs.snyk.io/getting-started/introduction-to-snyk-projects/view-project-information/project-attributes. - **Items** _(string)_: Must be one of: `["frontend", "backend", "internal", "external", "mobile", "saas", "onprem", "hosted", "distributed"]`. - **`project-lifecycle`** _(array)_: Set the project lifecycle project attribute. To clear the project lifecycle set empty array.
     For more information see Project attributes https://docs.snyk.io/snyk-admin/snyk-projects/project-tags. - **Items** _(string)_: Must be one of: `["production", "development", "sandbox"]`. - **`project-business-criticality`** _(array)_: Set the project business criticality project attribute. To clear the project business criticality set empty array.
     For more information see Project attributes https://docs.snyk.io/snyk-admin/snyk-projects/project-tags. - **Items** _(string)_: Must be one of: `["critical", "high", "medium", "low"]`. - **`project-tags`** _(object)_: Set the project tags to one or more values.

Dockerfile

@@ -70,7 +70,8 @@ RUN --mount=type=cache,target=/var/lib/apt/lists \
 RUN --mount=type=cache,target=/var/lib/apt/lists \
     --mount=type=cache,target=/var/cache,sharing=locked \
     apt-get update \
-    && apt-get install --assume-yes --no-install-recommends libproj-dev pkgconf libcairo2-dev libgraphviz-dev default-jre unzip
+    && apt-get install --assume-yes --no-install-recommends libproj-dev pkgconf libcairo2-dev libgraphviz-dev unzip \
+        default-jre openjdk-11-jdk openjdk-17-jdk openjdk-21-jdk
 
 # From c2cwsgiutils
 

github_app_geo_project/module/audit/configuration.py

@@ -218,6 +218,10 @@ class DpkgConfiguration(TypedDict, total=False):
 """ Default value of the field path 'Snyk configuration files-no-install' """
 
 
+JAVA_PATH_BY_GRADLE_VERSION_DEFAULT: dict[str, Any] = {}
+""" Default value of the field path 'Snyk configuration java-path-for-gradle' """
+
+
 PIPENV_SYNC_ARGUMENTS_DEFAULT: list[Any] = []
 """ Default value of the field path 'Snyk configuration pipenv-sync-arguments' """
 
@@ -280,6 +284,13 @@ class DpkgConfiguration(TypedDict, total=False):
         # | default:
         # |   []
         "poetry-install-arguments": list[str],
+        # | Java path by Gradle version.
+        # |
+        # | Path to the directory that contains Java executable to use for the Gradle minor version
+        # |
+        # | default:
+        # |   {}
+        "java-path-for-gradle": dict[str, str],
         # | Snyk monitor arguments.
         # |
         # | Arguments to pass to Snyk monitor

github_app_geo_project/module/audit/schema.json

@@ -57,6 +57,15 @@
                 "type": "string"
               }
             },
+            "java-path-for-gradle": {
+              "type": "object",
+              "title": "Java path by Gradle version",
+              "description": "Path to the directory that contains Java executable to use for the Gradle minor version",
+              "default": {},
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
             "monitor-arguments": {
               "type": "array",
               "title": "Snyk monitor arguments",

github_app_geo_project/module/audit/utils.py

@@ -41,6 +41,9 @@ async def snyk(
     result: list[module_utils.Message] = []
 
     env["PATH"] = f'{env["HOME"]}/.local/bin:{env["PATH"]}'
+
+    await _select_java_version(config, local_config, env)
+
     _LOGGER.debug("Updated path: %s", env["PATH"])
 
     await _install_requirements_dependencies(config, local_config, result, env)
@@ -120,6 +123,35 @@ async def snyk(
     return result, fix_message, return_message, fix_success
 
 
+async def _select_java_version(
+    config: configuration.SnykConfiguration,
+    local_config: configuration.SnykConfiguration,
+    env: dict[str, str],
+) -> None:
+
+    if not os.path.exists("gradlew"):
+        return
+
+    gradle_version_out = subprocess.run(
+        ["./gradlew", "--version"], capture_output=True, check=True, encoding="utf-8"
+    ).stdout.splitlines()
+    gradle_version_out = [line for line in gradle_version_out if "Gradle" in line]
+    gradle_version = gradle_version_out[0].split()[1]
+
+    minor_gradle_version = ".".join(gradle_version.split(".")[0:2])
+
+    java_path_for_gradle = local_config.get("java-path-for-gradle", config.get("java-path-for-gradle", {}))
+    if minor_gradle_version not in java_path_for_gradle:
+        _LOGGER.warning(
+            "Gradle version %s is not in the configuration: %s.",
+            gradle_version,
+            ", ".join(java_path_for_gradle.keys()),
+        )
+        return
+
+    env["PATH"] = f'{java_path_for_gradle[minor_gradle_version]}:{env["PATH"]}'
+
+
 async def _install_requirements_dependencies(
     config: configuration.SnykConfiguration,
     local_config: configuration.SnykConfiguration,