Detect dependencies in Gradle included builds

[gabrielfeo]

Detect already supported Gradle dependency files inside included builds and buildSrc.

Goal

Dependabot currently supports dependencies in build.gradle and other buildscripts in the main build. However, these files can be present in the same format in other builds part of the main one: included builds. They can be easily supported by the current file parsing and updating implementation, since they're in the same format, most changes being in fetching files in the additional folders.

• Usual project build.gradle
• Similar build.gradle in an included build (currently not fetched by Dependabot)

Closes #4375

What are included builds?

In Gradle, a single build is composed of one root project with zero or more subprojects. A single build can also include other independent builds, each with its own settings file and root project (and maybe their own included builds):

main-build
\_settings.gradle
\_subproject
\_included-build
    \_settings.gradle
   \_build.gradle
   \_subproject
   \_nested-included-build
      \_settings.gradle
...

An included build is declared explicitly in settings.gradle:

includeBuild './included'
include ':app'
// ...

buildSrc is a special case. It's "treated as an included build". It's included in the build if the directory is named buildSrc regardless of being declared in settings.gradle. Not to be confused with the common pattern of declaring dependencies in code such as Kotlin classes inside buildSrc (#2180, example). That pattern is not supported and not a goal of this PR.

Changes

• c6bf538 Detect includeBuild in Gradle SettingsFileParser
• 0267202 Refactor FileFetcher to support transitive search. Supported files were always considered to be in the main build root project or main build subprojects. They should now be relative to the dir of current build being examined, the main one or included ones.
• c66e1e827 Fetch files of included builds in Gradle FileFetcher. Read includeBuild in every build's settings file and walk. Nothing changes if there's no included builds.
• 842c66a99 Support buildSrc as an included build. buildSrc is an implicit included build, check for it even if it's not manually declared.

Dry run examples

In regards to finding the update of Kotlin 1.6.10 -> 1.6.21 in this build.gradle.kts, which is inside an included build directory.

Current behavior: doesn't detect the Kotlin update because it doesn't detect and fetch files of included builds (test branch)

New behavior: detects the Kotlin update because it parses included build paths and fetches supported files inside (test branch 1 and 2)

[gabrielfeo]

Hey @jakecoffman, maybe you can take look at this? :)

[LeoColman]

Hey guys!
This is important and the work is already done. Could you take a look? @jakecoffman

[dgaillard2]

Any news about with this PR ? Waiting for such changes

[Nishnha]

Hi @gabrielfeo, we really apologize for the delays here. There is no reason this could't have been deployed earlier.

Since this is now in production, it would be great if you could check that this is working as intended since you have familiarity with the standard.

Thank you for the contribution!

[gabrielfeo]

Hi @gabrielfeo, we really apologize for the delays here. There is no reason this could't have been deployed earlier.

Since this is now in production, it would be great if you could check that this is working as intended since you have familiarity with the standard.

Thank you for the contribution!

Working as intended, @Nishnha! E.g. gabrielfeo/50-72#61. Thank you for reviewing.

We might be able to close #2180 also, but that wasn't the goal. I can test it further, not sure OP and latest comments are talking about the same thing.