feat: handle Gradle build files and validate them

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

src/macaron/build_spec_generator/common_spec/core.py

@@ -146,12 +146,19 @@ def get_macaron_build_tools(
     for fact in build_tool_facts:
         if fact.language.lower() == target_language:
             try:
-                build_tools[MacaronBuildToolName(fact.build_tool_name).value] = {
+                tool_name = MacaronBuildToolName(fact.build_tool_name).value
+                build_tool_info = {
                     "build_config_path": fact.build_config_path,
                     "confidence_score": fact.confidence,
                     "build_tool_version": fact.build_tool_version,
                     "root_build_config_path": fact.root_build_config_path,
                 }
+                existing_build_tool_info = build_tools.get(tool_name)
+                if (
+                    existing_build_tool_info is None
+                    or build_tool_info["confidence_score"] > existing_build_tool_info["confidence_score"]
+                ):
+                    build_tools[tool_name] = build_tool_info
             except ValueError:
                 continue
     return build_tools or None

src/macaron/parsers/gradleparser.py

@@ -0,0 +1,254 @@
+# Copyright (c) 2026 - 2026, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module contains helpers for parsing Gradle build configuration files."""
+
+import logging
+import re
+from pathlib import Path
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+def _extract_assignment_value(file_path: Path, keys: set[str]) -> str | None:
+    """Extract an assignment value for a supported key from a Gradle-like file.
+
+    Parameters
+    ----------
+    file_path : Path
+        The file to inspect.
+    keys : set[str]
+        Accepted key names (for example ``{"group"}`` or ``{"rootProject.name"}``).
+
+    Returns
+    -------
+    str | None
+        The extracted value if a matching ``key = value`` assignment is found;
+        otherwise ``None``.
+    """
+    if not file_path.is_file():
+        return None
+
+    try:
+        lines = file_path.read_text(encoding="utf-8", errors="ignore").splitlines()
+    except OSError as error:
+        logger.debug("Failed to read Gradle file %s: %s", str(file_path), error)
+        return None
+
+    assignment_re = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")
+    for line in lines:
+        try:
+            match = assignment_re.match(line)
+        except re.error as error:
+            logger.debug("Failed to apply assignment regex on %s: %s", str(file_path), error)
+            continue
+        if not match:
+            continue
+
+        key = match.group(1).strip()
+        if key not in keys:
+            continue
+
+        raw_value = match.group(2).strip()
+        if len(raw_value) >= 2 and raw_value[0] == raw_value[-1] and raw_value[0] in {"'", '"'}:
+            raw_value = raw_value[1:-1]
+        return raw_value
+
+    return None
+
+
+def extract_gav_from_gradle_project(project_path: Path) -> tuple[str | None, str | None, str | None]:
+    """Extract Gradle coordinates (group, artifact, version) from project files.
+
+    Parameters
+    ----------
+    project_path : Path
+        Path to the root directory of a Gradle project.
+
+    Returns
+    -------
+    tuple[str | None, str | None, str | None]
+        A tuple of ``(group_id, artifact_id, version)`` extracted from common
+        Gradle configuration files. Any missing value is returned as ``None``.
+
+    Notes
+    -----
+    This parser is intentionally lightweight and matches direct ``key = value``
+    assignments only. It does not evaluate expressions or variable references.
+    """
+    group_id = (
+        _extract_assignment_value(
+            project_path.joinpath("gradle.properties"), {"group", "projectGroup", "projectGroupId"}
+        )
+        or _extract_assignment_value(project_path.joinpath("build.gradle"), {"group"})
+        or _extract_assignment_value(project_path.joinpath("build.gradle.kts"), {"group"})
+    )
+    artifact_id = (
+        _extract_assignment_value(project_path.joinpath("settings.gradle"), {"rootProject.name"})
+        or _extract_assignment_value(project_path.joinpath("settings.gradle.kts"), {"rootProject.name"})
+        or _extract_assignment_value(project_path.joinpath("gradle.properties"), {"name"})
+    )
+    version = (
+        _extract_assignment_value(project_path.joinpath("gradle.properties"), {"version", "projectVersion"})
+        or _extract_assignment_value(project_path.joinpath("build.gradle"), {"version"})
+        or _extract_assignment_value(project_path.joinpath("build.gradle.kts"), {"version"})
+    )
+
+    if group_id is None:
+        logger.debug("Could not find group id in Gradle project: %s", str(project_path))
+    if artifact_id is None:
+        logger.debug("Could not find artifact id in Gradle project: %s", str(project_path))
+    if version is None:
+        logger.debug("Could not find version in Gradle project: %s", str(project_path))
+
+    return group_id, artifact_id, version
+
+
+def gradle_settings_has_modules(settings_path: Path) -> bool:
+    """Check whether a Gradle settings file declares one or more modules.
+
+    Parameters
+    ----------
+    settings_path : Path
+        Path to a ``settings.gradle`` or ``settings.gradle.kts`` file.
+
+    Returns
+    -------
+    bool
+        ``True`` when the file contains an ``include`` declaration; otherwise
+        ``False``.
+    """
+    if not settings_path.is_file():
+        return False
+
+    try:
+        lines = settings_path.read_text(encoding="utf-8", errors="ignore").splitlines()
+    except OSError as error:
+        logger.debug("Failed to read Gradle settings file %s: %s", str(settings_path), error)
+        return False
+
+    for line in lines:
+        stripped = line.strip()
+        if re.match(r"^include\s+.+", stripped) or re.match(r"^include\s*\(.+\)", stripped):
+            return True
+
+    return False
+
+
+def extract_included_gradle_modules(settings_path: Path) -> list[str]:
+    """Extract module include entries from a Gradle settings file.
+
+    Parameters
+    ----------
+    settings_path : Path
+        Path to a ``settings.gradle`` or ``settings.gradle.kts`` file.
+
+    Returns
+    -------
+    list[str]
+        Ordered list of module paths declared by ``include`` statements.
+    """
+    if not settings_path.is_file():
+        return []
+
+    try:
+        lines = settings_path.read_text(encoding="utf-8", errors="ignore").splitlines()
+    except OSError as error:
+        logger.debug("Failed to read Gradle settings file %s: %s", str(settings_path), error)
+        return []
+
+    modules: list[str] = []
+    quoted_value_re = re.compile(r"""['"]([^'"]+)['"]""")
+    for line in lines:
+        stripped = line.strip()
+        if not stripped.startswith("include"):
+            continue
+        modules.extend(match.group(1).strip() for match in quoted_value_re.finditer(stripped) if match.group(1).strip())
+    return modules
+
+
+def find_matching_gradle_module_build_configs(repo_root: Path, artifact_id: str) -> list[Path]:
+    """Find module build config files likely associated with the given artifact id.
+
+    Parameters
+    ----------
+    repo_root : Path
+        Root directory of the Gradle repository.
+    artifact_id : str
+        Expected artifact id.
+
+    Returns
+    -------
+    list[Path]
+        Candidate module build files (for example ``module/build.gradle``)
+        associated with the artifact id.
+    """
+    candidates: list[Path] = []
+    seen: set[Path] = set()
+    for settings_name in ("settings.gradle", "settings.gradle.kts"):
+        settings_path = repo_root.joinpath(settings_name)
+        for module in extract_included_gradle_modules(settings_path):
+            module_path = module.strip().strip(":")
+            if not module_path:
+                continue
+            module_name = module_path.split(":")[-1]
+            if artifact_id != module_name and not artifact_id.endswith(f"-{module_name}"):
+                continue
+            module_dir = repo_root.joinpath(*module_path.split(":"))
+            for build_name in ("build.gradle", "build.gradle.kts"):
+                config_path = module_dir.joinpath(build_name)
+                if config_path.is_file() and config_path not in seen:
+                    seen.add(config_path)
+                    candidates.append(config_path)
+
+    return candidates
+
+
+def find_nearest_modules_gradle_config(
+    config_path: Path,
+    repo_root: str | Path,
+    *,
+    max_depth: int = 50,
+) -> str | None:
+    """Find the nearest ancestor Gradle settings file that defines modules.
+
+    Parameters
+    ----------
+    config_path : Path
+        Path to the starting Gradle configuration file.
+    repo_root : str | Path
+        Repository root used to bound parent traversal and return a relative path.
+    max_depth : int, optional
+        Maximum number of parent-directory hops. Defaults to ``50``.
+
+    Returns
+    -------
+    str | None
+        Path to the nearest settings file relative to ``repo_root`` if it
+        contains ``include`` declarations. Returns ``None`` otherwise.
+    """
+    repo_root = Path(repo_root).resolve()
+    current_dir = config_path.parent.resolve()
+    depth = 0
+
+    while True:
+        for settings_name in ("settings.gradle", "settings.gradle.kts"):
+            settings_path = current_dir.joinpath(settings_name)
+            if gradle_settings_has_modules(settings_path):
+                try:
+                    return str(settings_path.relative_to(repo_root))
+                except ValueError:
+                    return None
+
+        if current_dir == repo_root:
+            return None
+
+        depth += 1
+        if depth > max_depth:
+            return None
+
+        parent_dir = current_dir.parent
+        if parent_dir == current_dir:
+            return None
+
+        current_dir = parent_dir

src/macaron/parsers/pomparser.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the parser for POM files."""
@@ -76,7 +76,7 @@ def extract_gav_from_pom(pom_file: Path) -> tuple[str | None, str | None, str |
     pom_root = parse_pom_string(pom_content)
 
     if pom_root is None:
-        logger.debug("Could not parse pom.xml: %s", pom_file.as_posix())
+        logger.debug("Could not parse pom.xml: %s", str(pom_file))
         return None, None, None
 
     def _find_child_text(parent, local_name: str) -> str | None:
@@ -98,11 +98,11 @@ def _find_child_text(parent, local_name: str) -> str | None:
             group_id = _find_child_text(parent_elem, "groupId")
 
     if group_id is None:
-        logger.debug("Could not find groupId in pom.xml (project or parent): %s", pom_file.as_posix())
+        logger.debug("Could not find groupId in pom.xml (project or parent): %s", str(pom_file))
     if artifact_id is None:
-        logger.debug("Could not find artifactId in pom.xml: %s", pom_file.as_posix())
+        logger.debug("Could not find artifactId in pom.xml: %s", str(pom_file))
     if version is None:
-        logger.debug("Could not find version in pom.xml: %s", pom_file.as_posix())
+        logger.debug("Could not find version in pom.xml: %s", str(pom_file))
 
     return group_id, artifact_id, version
 
@@ -114,9 +114,10 @@ def detect_parent_pom(pom_path: Path, repo_root: str | Path) -> str | None:
     file path using Maven semantics:
 
     * If `<project>/<parent>/<relativePath>` is present and non-empty, that path
-    (relative to the directory containing `pom.xml`) is used.
+      (relative to the directory containing `pom.xml`) is used.
     * Otherwise Maven defaults to ``../pom.xml``.
-    see https://maven.apache.org/ref/3.0/maven-model/maven.html#class_parent
+
+    See https://maven.apache.org/ref/3.0/maven-model/maven.html#class_parent.
 
     If the resolved parent POM exists on disk and is within `repo_root`, this
     returns its path relative to `repo_root`. Otherwise returns ``None``.

src/macaron/slsa_analyzer/analyzer.py

@@ -1050,7 +1050,7 @@ def _determine_build_tools(self, analyze_ctx: AnalyzeContext, git_service: BaseG
                 continue
 
             if build_tool.match_purl_type(analyze_ctx.component.type):
-                if build_tool.name not in ["pip", "maven", "hatch"]:
+                if build_tool.name not in ["pip", "maven", "hatch", "gradle"]:
                     continue
                 logger.info(
                     "Checking if the repo %s uses build tool %s",
@@ -1060,8 +1060,8 @@ def _determine_build_tools(self, analyze_ctx: AnalyzeContext, git_service: BaseG
 
                 if build_tool_configs := build_tool.is_detected(
                     analyze_ctx.component.repository.fs_path,
-                    groupID=analyze_ctx.component.namespace,
-                    artifactID=analyze_ctx.component.name,
+                    group_id=analyze_ctx.component.namespace,
+                    artifact_id=analyze_ctx.component.name,
                 ):
                     logger.info("The repo uses %s build tool.", build_tool.name)
                     build_tool.set_build_tool_configurations(build_tool_configs)

src/macaron/slsa_analyzer/build_tool/base_build_tool.py

@@ -234,7 +234,7 @@ def __str__(self) -> str:
 
     @abstractmethod
     def is_detected(
-        self, repo_path: str, groupID: str | None = None, artifactID: str | None = None
+        self, repo_path: str, group_id: str | None = None, artifact_id: str | None = None
     ) -> list[tuple[str, float, str | None, str | None]]:
         """
         Return the list of build tools and their information used in the target repo.
@@ -243,11 +243,11 @@ def is_detected(
         ----------
         repo_path : str
             The path to the target repo.
-        groupID : str | None
+        group_id : str | None
             Optional Maven `groupId` used to refine detection (e.g., selecting the
             correct `pom.xml` when multiple are present). If ``None``, no filtering
             is applied.
-        artifactID : str | None
+        artifact_id : str | None
             Optional Maven `artifactId` used to refine detection. If ``None``, no
             filtering is applied.
 

src/macaron/slsa_analyzer/build_tool/conda.py

@@ -43,7 +43,7 @@ def load_defaults(self) -> None:
                     self.ci_deploy_kws[item] = defaults.get_list("builder.conda.ci.deploy", item)
 
     def is_detected(
-        self, repo_path: str, groupID: str | None = None, artifactID: str | None = None
+        self, repo_path: str, group_id: str | None = None, artifact_id: str | None = None
     ) -> list[tuple[str, float, str | None, str | None]]:
         """
         Return the list of build tools and their information used in the target repo.
@@ -52,11 +52,11 @@ def is_detected(
         ----------
         repo_path : str
             The path to the target repo.
-        groupID : str | None
+        group_id : str | None
             Optional Maven `groupId` used to refine detection (e.g., selecting the
             correct `pom.xml` when multiple are present). If ``None``, no filtering
             is applied.
-        artifactID : str | None
+        artifact_id : str | None
             Optional Maven `artifactId` used to refine detection. If ``None``, no
             filtering is applied.