Skip to content

feat(workspace): add Go workspace (go.work) discovery #445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Strum355 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(workspace): add Go workspace (go.work) discovery #445

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
eaae875
feat(workspace): add Gradle multi-project workspace discovery
Strum355 Apr 28, 2026
157d3c1
feat(workspace): add Go workspace (go.work) discovery
Strum355 Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
177 changes: 176 additions & 1 deletion src/main/java/io/github/guacsec/trustifyda/impl/ExhortApi.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@
import io.github.guacsec.trustifyda.image.ImageUtils;
import io.github.guacsec.trustifyda.license.LicenseCheck;
import io.github.guacsec.trustifyda.logging.LoggersFactory;
import io.github.guacsec.trustifyda.providers.JavaMavenProvider;
import io.github.guacsec.trustifyda.providers.golang.model.GoWorkspace;
import io.github.guacsec.trustifyda.providers.javascript.workspace.JsWorkspaceDiscovery;
import io.github.guacsec.trustifyda.providers.rust.model.CargoMetadata;
import io.github.guacsec.trustifyda.tools.Ecosystem;
Expand Down Expand Up @@ -842,7 +844,7 @@ int resolveBatchConcurrency() {
}

private static final Set<String> DEFAULT_WORKSPACE_DISCOVERY_IGNORE =
Set.of("**/node_modules/**", "**/.git/**");
Set.of("**/node_modules/**", "**/.git/**", "**/target/**", "**/build/**", "**/.gradle/**");

/** Merges default ignore patterns, env var overrides, and caller-provided patterns. */
Set<String> resolveIgnorePatterns(Set<String> callerPatterns) {
Expand Down Expand Up @@ -875,6 +877,22 @@ List<Path> discoverWorkspaceManifests(Path workspaceDir, Set<String> ignorePatte
return discoverCargoManifests(workspaceDir, ignorePatterns);
}

// Gradle multi-project: settings.gradle or settings.gradle.kts
boolean hasGradleSettings =
Files.isRegularFile(workspaceDir.resolve("settings.gradle"))
|| Files.isRegularFile(workspaceDir.resolve("settings.gradle.kts"));
if (hasGradleSettings) {
return discoverGradleSubprojects(workspaceDir, ignorePatterns);
}

// Go workspace: go.work
if (Files.isRegularFile(workspaceDir.resolve("go.work"))) {
List<Path> goManifests = discoverGoWorkspaceModules(workspaceDir, ignorePatterns);
if (!goManifests.isEmpty()) {
return goManifests;
}
}

// JS workspace: require package.json + a lock file
Path packageJson = workspaceDir.resolve("package.json");
boolean hasJsLock =
Expand Down Expand Up @@ -930,6 +948,163 @@ private List<Path> discoverCargoManifests(Path workspaceDir, Set<String> ignoreP
}
}

/**
* Discover all go.mod manifest paths in a Go workspace. Uses {@code go work edit -json} to get
* workspace members.
*/
private List<Path> discoverGoWorkspaceModules(Path workspaceDir, Set<String> ignorePatterns) {
try {
String goBin = Operations.getCustomPathOrElse("go");
Path goWork = workspaceDir.resolve("go.work");
Operations.ProcessExecOutput output =
Operations.runProcessGetFullOutput(
workspaceDir, new String[] {goBin, "work", "edit", "-json", goWork.toString()}, null);
if (output.getExitCode() != 0) {
LOG.warning("go work edit -json failed with exit code " + output.getExitCode());
return Collections.emptyList();
}
GoWorkspace workspace = mapper.readValue(output.getOutput(), GoWorkspace.class);
if (workspace.use() == null || workspace.use().isEmpty()) {
return Collections.emptyList();
}
List<Path> manifests = new ArrayList<>();
for (var entry : workspace.use()) {
if (entry.diskPath() == null || entry.diskPath().isBlank()) {
continue;
}
Path moduleDir = workspaceDir.resolve(entry.diskPath()).normalize();
Path goMod = moduleDir.resolve("go.mod");
if (Files.isRegularFile(goMod)) {
manifests.add(goMod);
}
}
return WorkspaceUtils.filterByIgnorePatterns(workspaceDir, manifests, ignorePatterns);
} catch (Exception e) {
LOG.warning("Failed to discover Go workspace modules: " + e.getMessage());
return Collections.emptyList();
}
}

private static final String GRADLE_INIT_SCRIPT =
"allprojects {\n"
+ " task daListProjects {\n"
+ " doLast {\n"
+ " println \"::DA_PROJECT::${project.path}::${project.projectDir}\"\n"
+ " }\n"
+ " }\n"
+ "}\n";

/**
* Resolve the Gradle binary, preferring gradlew wrapper when available and configured.
*
* @param startDir directory from which to start the wrapper search
* @return path to the Gradle binary
*/
private static String resolveGradleBinary(Path startDir) {
if (Operations.getWrapperPreference("gradle")) {
String wrapperName = Operations.isWindows() ? "gradlew.bat" : "gradlew";
String wrapper =
JavaMavenProvider.traverseForMvnw(
wrapperName, startDir.resolve("build.gradle").toString());
if (wrapper != null) {
return wrapper;
}
}
return Operations.getCustomPathOrElse("gradle");
}

/**
* Discover all build.gradle[.kts] manifest paths in a Gradle multi-project build. Uses a custom
* init script to get a structured project listing.
*/
private List<Path> discoverGradleSubprojects(Path workspaceDir, Set<String> ignorePatterns) {
Path rootBuildKts = workspaceDir.resolve("build.gradle.kts");
Path rootBuild = workspaceDir.resolve("build.gradle");

List<Path> manifestPaths = new ArrayList<>();
if (Files.isRegularFile(rootBuildKts)) {
manifestPaths.add(rootBuildKts);
} else if (Files.isRegularFile(rootBuild)) {
manifestPaths.add(rootBuild);
}

String gradleBin = resolveGradleBinary(workspaceDir);
Path initScriptPath = null;
try {
initScriptPath = Files.createTempFile("da-list-projects-", ".gradle");
Files.writeString(initScriptPath, GRADLE_INIT_SCRIPT);

Operations.ProcessExecOutput output =
Operations.runProcessGetFullOutput(
workspaceDir,
new String[] {
gradleBin,
"-q",
"--no-daemon",
"--init-script",
initScriptPath.toString(),
"daListProjects"
},
null);

if (output.getExitCode() != 0) {
LOG.warning("gradle daListProjects failed with exit code " + output.getExitCode());
return WorkspaceUtils.filterByIgnorePatterns(workspaceDir, manifestPaths, ignorePatterns);
}

for (var proj : parseGradleInitScriptOutput(output.getOutput())) {
if (":".equals(proj.path())) {
continue;
}
Path projDir = Path.of(proj.dir()).toAbsolutePath().normalize();
Path buildKts = projDir.resolve("build.gradle.kts");
Path buildGroovy = projDir.resolve("build.gradle");
if (Files.isRegularFile(buildKts)) {
manifestPaths.add(buildKts);
} else if (Files.isRegularFile(buildGroovy)) {
manifestPaths.add(buildGroovy);
}
}
} catch (Exception e) {
LOG.warning("Failed to discover Gradle subprojects: " + e.getMessage());
return WorkspaceUtils.filterByIgnorePatterns(workspaceDir, manifestPaths, ignorePatterns);
} finally {
if (initScriptPath != null) {
try {
Files.deleteIfExists(initScriptPath);
} catch (IOException ignored) {
}
}
}

return WorkspaceUtils.filterByIgnorePatterns(workspaceDir, manifestPaths, ignorePatterns);
}

record GradleProject(String path, String dir) {}

static List<GradleProject> parseGradleInitScriptOutput(String raw) {
if (raw == null || raw.isBlank()) {
return List.of();
}
List<GradleProject> projects = new ArrayList<>();
for (String line : raw.split("\n")) {
if (!line.startsWith("::DA_PROJECT::")) {
continue;
}
String[] parts = line.split("::");
List<String> nonEmpty = new ArrayList<>();
for (String part : parts) {
if (!part.isEmpty()) {
nonEmpty.add(part);
}
Comment on lines +1090 to +1099
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: Handle Windows CRLF and stray whitespace when parsing Gradle output lines.

This logic splits only on "\n" and never trims lines or parts. On Windows, Gradle often emits CRLF, so line and proj.dir() can include a trailing \r, leading to invalid paths and subprojects being skipped. Normalize the input (e.g., line = line.trim()) and/or trim each parsed part before creating GradleProject so \r and extra whitespace don’t end up in paths.

}
if (nonEmpty.size() >= 3) {
projects.add(new GradleProject(nonEmpty.get(1), nonEmpty.get(2)));
}
}
return projects;
}

/**
* Checks whether a package.json has "private": true, meaning it should not be analyzed as a
* publishable package.
Expand Down
29 changes: 29 additions & 0 deletions src/main/java/io/github/guacsec/trustifyda/providers/golang/model/GoWorkspace.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
/*
* Copyright 2023-2025 Trustify Dependency Analytics Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.github.guacsec.trustifyda.providers.golang.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.List;

/** JSON model for {@code go work edit -json} output. */
@JsonIgnoreProperties(ignoreUnknown = true)
public record GoWorkspace(@JsonProperty("Use") List<UseEntry> use) {

@JsonIgnoreProperties(ignoreUnknown = true)
public record UseEntry(@JsonProperty("DiskPath") String diskPath) {}
}
Loading
Loading