
RUST-136 Add missing gradle.lockfile for root project #225

Merged
saberduck merged 1 commit into master from tibor/fix-dependency-locking-root, Apr 27, 2026

Conversation

@saberduck (Contributor)
  • Root project has no resolvable configurations so Gradle never generates a lockfile for it
  • SonarQube rule S8569 (LockfileForJavaCheck) checks for lockfile presence on any build.gradle.kts that is not a submodule, regardless of build file content
  • Adding an empty lockfile satisfies the rule and unblocks the quality gate

The root project has no resolvable configurations so Gradle never
generates a lockfile for it, triggering SonarQube rule S8569 which
checks for lockfile presence on any build.gradle.kts outside a submodule.
saberduck requested a review from a team as a code owner, April 27, 2026 09:31
hashicorp-vault-sonar-prod (bot) changed the title from "Add missing gradle.lockfile for root project" to "RUST-136 Add missing gradle.lockfile for root project", Apr 27, 2026
hashicorp-vault-sonar-prod (bot) commented Apr 27, 2026

RUST-136

sonar-review-alpha (bot) commented Apr 27, 2026

Summary

This PR adds a minimal gradle.lockfile to the root project to satisfy the SonarQube rule S8569, which requires lockfiles on all top-level build.gradle.kts files.

The root project itself has no resolvable dependency configurations—it only contains plugin declarations and shared build logic—so Gradle never generates a lockfile for it. However, the SonarQube check doesn't distinguish between projects with dependencies and those without, so an empty lockfile with the standard boilerplate comment is added. This unblocks the quality gate without changing any actual build behavior.

What reviewers should know

Context for reviewers:

  • The root build.gradle.kts enables dependencyLocking { lockAllConfigurations() } for all projects, which should ensure every project has a lockfile.
  • Other subprojects (buildSrc, sonar-rust-plugin, e2e) already have their own lockfiles with actual locked dependencies.
  • The new root lockfile contains only empty= because there are no dependency configurations to lock at that level—just plugins and shared build configuration.
  • This is a minimal, non-invasive change that does not affect build behavior; it purely satisfies a static analysis requirement.

Nothing to verify:

  • The lockfile format is standard and follows the pattern of existing lockfiles in the project.
  • No actual build or dependency changes are involved.


sonar-review-alpha (bot) left a review comment

LGTM! ✅

Clean, minimal fix. The empty= format (no configuration names) is the correct Gradle output for a project with zero resolvable configurations — distinct from empty=configName which other subprojects use to list configurations that exist but have no locked dependencies. The .gitignore does not exclude gradle.lockfile, so the file will be tracked correctly. No CI steps regenerate or verify lockfiles in a way that would conflict. If the root project later gains resolvable configurations, ./gradlew dependencies --write-locks will update the file automatically.
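An added illustration (not code from the sonar-rust project, from SonarQube or from Gradle) of the two points this thread turns on: the layout of Gradle's single-project lockfile, including the bare `empty=` line the root project ends up with as opposed to `empty=<configuration>` for a configuration that exists but locked nothing, and a directory walk approximating the presence check the PR attributes to rule S8569 (a build script with no sibling lockfile is flagged). The repository layout, the lockfile contents, the `settings.gradle.kts` / `settings-gradle.lockfile` pairing and the set of skipped directories are all constructed for the example; the real rule's submodule exclusion is not modelled.

```python
import os
import tempfile
from dataclasses import dataclass

# Header Gradle writes at the top of every generated lockfile.
GRADLE_HEADER = (
    "# This is a Gradle generated file for dependency locking.\n"
    "# Manual edits can mess up the build and are not advised.\n"
    "# This file is expected to be part of source control.\n"
)

# Build script -> lockfile written next to it. The settings-script pairing is an
# assumption taken from the settings-gradle.lockfile mentioned in the thread.
LOCKFILE_FOR = {
    "build.gradle.kts": "gradle.lockfile",
    "build.gradle": "gradle.lockfile",
    "settings.gradle.kts": "settings-gradle.lockfile",
    "settings.gradle": "settings-gradle.lockfile",
}
SKIP_DIRS = {".git", ".gradle", "build"}  # assumed; build outputs never carry lockfiles


@dataclass
class Lockfile:
    locked: dict        # "group:artifact" -> (version, configurations it is locked in)
    empty_configs: set  # configurations that exist but resolved no dependencies

    def state(self) -> str:
        if self.locked:
            return "locked"
        if self.empty_configs:
            return "empty-configurations"        # "empty=compileClasspath,..."
        return "no-resolvable-configurations"    # bare "empty=" as in the root project


def parse_lockfile(text: str) -> Lockfile:
    """Parse Gradle's single-lockfile format: one 'group:artifact:version=conf,conf' line per module."""
    locked, empty = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, conf_list = line.partition("=")
        if not sep:
            raise ValueError(f"malformed lockfile line: {raw!r}")
        configs = {c for c in conf_list.split(",") if c}
        if key == "empty":
            empty |= configs
            continue
        module, _, version = key.rpartition(":")
        if not module or not version:
            raise ValueError(f"malformed module coordinate: {key!r}")
        locked[module] = (version, configs)
    return Lockfile(locked, empty)


def missing_lockfiles(root: str) -> list:
    """Repo-relative build scripts that have no sibling lockfile (the presence check as the PR describes it)."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            lock = LOCKFILE_FOR.get(name)
            if lock and lock not in filenames:
                missing.append(os.path.relpath(os.path.join(dirpath, name), root))
    return missing


def write(path: str, content: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed layout mirroring the PR: settings lockfile present, root gradle.lockfile absent."""
    with tempfile.TemporaryDirectory() as repo:
        write(os.path.join(repo, "settings.gradle.kts"), 'rootProject.name = "sonar-rust"\n')
        write(os.path.join(repo, "settings-gradle.lockfile"),
              GRADLE_HEADER + "org.example:settings-plugin:1.0=classpath\n")  # constructed content
        write(os.path.join(repo, "build.gradle.kts"),
              "allprojects { dependencyLocking { lockAllConfigurations() } }\n")
        plugin = os.path.join(repo, "sonar-rust-plugin")
        write(os.path.join(plugin, "build.gradle.kts"),
              'dependencies { implementation("org.example:lib:2.1") }\n')
        write(os.path.join(plugin, "gradle.lockfile"),
              GRADLE_HEADER + "org.example:lib:2.1=compileClasspath,runtimeClasspath\n"
              "empty=annotationProcessor\n")  # constructed content

        before = missing_lockfiles(repo)
        # The fix from the PR: a lockfile holding only the header and a bare "empty=" line.
        write(os.path.join(repo, "gradle.lockfile"), GRADLE_HEADER + "empty=\n")
        after = missing_lockfiles(repo)

        with open(os.path.join(repo, "gradle.lockfile"), encoding="utf-8") as fh:
            root_lock = parse_lockfile(fh.read())
        with open(os.path.join(plugin, "gradle.lockfile"), encoding="utf-8") as fh:
            plugin_lock = parse_lockfile(fh.read())

    return {
        "before": before,
        "after": after,
        "root_state": root_lock.state(),
        "plugin_state": plugin_lock.state(),
        "plugin_locked": {m: v for m, (v, _) in plugin_lock.locked.items()},
        "plugin_empty_configs": sorted(plugin_lock.empty_configs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports the root `build.gradle.kts` as the only script without a lockfile before the fix and nothing after it; parsing the two lockfiles shows why the bot's distinction matters: the root file parses to no locked modules and no configurations at all, while the subproject file parses to one locked module plus a configuration that exists but is empty.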


@romainbrenguier (Contributor) left a review comment

For me that's a false positive, since we already have settings-gradle.lockfile.

@saberduck (Contributor, Author)

For me that's a false positive, since we already have settings-gradle.lockfile.

Yes, I reported it to the cloud security squad.

saberduck enabled auto-merge (squash), April 27, 2026 09:42

@sonarqube-next

Quality Gate passed for 'sonar-rust'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

saberduck merged commit 83592fd into master, Apr 27, 2026
16 checks passed
saberduck deleted the tibor/fix-dependency-locking-root branch, April 27, 2026 10:11