Custom Metadata in Gradle dependency descriptor


This is how I have added dependencies in my build.gradle:

    // Dependency Versioning
    apply plugin: 'io.spring.dependency-management'
    dependencyManagement {
        imports {
            mavenBom 'org.springframework.cloud:spring-cloud-dependencies:Edgware.RELEASE'
            mavenBom 'io.pivotal.spring.cloud:spring-cloud-services-dependencies:1.5.0.RELEASE'
            mavenBom 'org.springframework.boot:spring-boot-dependencies:1.5.15.RELEASE'

        }
        dependencies {

            dependency 'io.springfox:springfox-swagger2:2.8.0'
            dependency 'io.springfox:springfox-swagger-ui:2.8.0'

            dependency 'org.flywaydb:flyway-core:4.2.0'
            dependency 'com.microsoft.sqlserver:mssql-jdbc:6.2.2.jre8'
        }
    }

I am looking to add a custom number to each dependency. This number is the approval number provided by our Architecture team for approval of using that dependency within our enterprise.

Say my Architecture team has approved the use of the io.springfox:springfox-swagger2:2.8.0 dependency and the approval number is APPL-1054; then I have to add this number as metadata along with the dependency tag, and I will have a different Gradle task to consume those numbers.

Something that looks like dependency 'io.springfox:springfox-swagger2:2.8.0' : APPL-1054

Please help with your ideas

There are 1 best solutions below

On BEST ANSWER

You could set the approvals in a Map, then use dependency resolution to validate the approvals. The map could come from some web source, as long as you can get it to a map somehow. Here is a simple example:

buildscript {
    repositories {
        jcenter()
    }
    dependencies {
        gradleApi()
    }
}

group 'com.stackoverflow'
version '1.0-SNAPSHOT'

repositories {
    jcenter()
}

configurations {
    audited.extendsFrom(compile)
}

Map<String, Object> approvedDeps = [
        'junit:junit:4.12': 'APPROVAL-1234'
]

dependencies {
    compile gradleApi()
    audited 'junit:junit:4.12'
    audited 'org.mockito:mockito-android:2.22.0'
}
dependencies {
    components {
        all { ComponentMetadataDetails details ->
            String requestedArtifact = "${details.id.group}:${details.id.name}:${details.id.version}"
            String approvalCode = approvedDeps[requestedArtifact]
            if (approvalCode == null) {
                throw new GradleException("Use of unapproved dependency (${requestedArtifact})")
            }
            logger.lifecycle("Requested dependency (${requestedArtifact}) is approved: ${approvalCode}")
            return details
        }
    }
}

// let's fake some action that would trigger dependency resolution
configurations.eachWithIndex { Configuration entry, int index ->
    if (entry.canBeResolved) {
        entry.resolve()
        print("Resolved index: ${index}")
    }

}

Now if we run ./gradlew clean build we get an error as an unapproved dependency was added.

$ ./gradlew clean build

> Configure project :
Requested dependency (junit:junit:4.12) is approved: APPROVAL-1234

FAILURE: Build failed with an exception.

* Where:
Build file '/Users/jonstanford/dev/stackoverflow/q52427676/build.gradle' line: 36

* What went wrong:
A problem occurred evaluating root project 'q52427676'.
> Could not resolve all dependencies for configuration ':audited'.
   > There was an error while evaluating a component metadata rule for org.mockito:mockito-android:2.22.0.
      > Use of unapproved dependency (org.mockito:mockito-android:2.22.0)

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 0s

Of course you could move this functionality to a custom plugin or such but I think the base idea holds.
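
A variant that keeps the approval number on the dependency line and reads it back from a separate task, as the question asks. This is an added example, not the answerer's code; the `approved` helper, the `approvals` map and the `approvalReport` task are hypothetical names, and the `audited` configuration and approval number are reused from the answer.

```groovy
import org.gradle.api.artifacts.component.ModuleComponentIdentifier

repositories {
    mavenCentral()
}

configurations {
    audited
}

// coordinate -> approval number, filled in as dependencies are declared
ext.approvals = [:]

// Hypothetical helper: records the approval number and returns the coordinate,
// so the number sits on the same line as the dependency it covers.
String approved(String coordinate, String approvalNumber) {
    approvals[coordinate] = approvalNumber
    return coordinate
}

dependencies {
    audited approved('junit:junit:4.12', 'APPROVAL-1234')
}

// Hypothetical task: reports every resolved module, transitives included,
// and fails after listing all coordinates that carry no approval number.
task approvalReport {
    doLast {
        List<String> unapproved = []
        configurations.audited.incoming.resolutionResult.allComponents.each { component ->
            // The root project also shows up here; only external modules are audited.
            if (!(component.id instanceof ModuleComponentIdentifier)) {
                return
            }
            // Resolved coordinates, i.e. the version that actually lands on the classpath.
            String coordinate = "${component.id.group}:${component.id.module}:${component.id.version}"
            String approvalNumber = approvals[coordinate]
            if (approvalNumber == null) {
                unapproved << coordinate
            } else {
                logger.lifecycle("${coordinate} -> ${approvalNumber}")
            }
        }
        if (!unapproved.isEmpty()) {
            throw new GradleException("Unapproved dependencies: ${unapproved.join(', ')}")
        }
    }
}
```

With only junit approved, `./gradlew approvalReport` fails and names org.hamcrest:hamcrest-core:1.3, the transitive dependency that junit pulls in, so transitive modules need approval numbers as well.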