
RUST-137 Add gradle/verification-metadata.xml for dependency verification#226

Merged
romainbrenguier merged 9 commits into master from tibor/add-gradle-verification-metadata on Apr 27, 2026

Conversation

saberduck (Contributor) commented Apr 27, 2026
  • Adds SHA-256 checksums for all resolved Gradle dependencies
  • Provides supply-chain integrity guarantees (artifacts verified against known checksums on each build)
  • Signature verification (verify-signatures) left as false (checksums only, standard first-step setup)

Records SHA-256 checksums for all resolved dependencies, providing
supply-chain guarantees. Also satisfies SonarQube rule S8569 which
requires either gradle.lockfile or gradle/verification-metadata.xml
next to each build.gradle.kts.
saberduck requested a review from a team as a code owner April 27, 2026 09:37
hashicorp-vault-sonar-prod (bot) changed the title from "Add gradle/verification-metadata.xml for dependency verification" to "RUST-137 Add gradle/verification-metadata.xml for dependency verification" Apr 27, 2026

hashicorp-vault-sonar-prod (bot) commented Apr 27, 2026

RUST-137

sonar-review-alpha (bot) commented Apr 27, 2026

Summary

This PR adds Gradle dependency verification via gradle/verification-metadata.xml, containing SHA-256 checksums for all resolved dependencies. This implements supply-chain integrity checks for the build without requiring signed artifacts.

The PR also updates the build configuration to use SonarSource's Artifactory repository (repox.jfrog.io) for plugin resolution, and adds the SonarSource/ci-github-actions/config-gradle@v1 action to CI workflows to configure Gradle credentials at build time. These supporting changes enable the verification metadata to be used effectively in CI/CD.

Signature verification is disabled (checksums only), as noted in the author's description—this represents a common first-step setup before progressing to full signature validation.

What reviewers should know

What to review:

  1. gradle/verification-metadata.xml (~1200 lines) — This file contains the SHA-256 hashes for every dependency (JARs and POMs). Check that it's properly formatted and includes all expected components. The file is large but mechanically generated; spot-check a few entries to confirm hash formatting.

  2. Artifactory configuration in settings.gradle.kts, buildSrc/build.gradle.kts, and e2e/build.gradle.kts — Ensures build scripts can reach the repox.jfrog.io repository. Credentials come from environment variables or Gradle properties; verify fallback handling looks safe.

  3. CI workflow updates (.github/workflows/build.yml) — The SonarSource/ci-github-actions/config-gradle@v1 action is added before Gradle invocations to inject credentials. Verify it's placed correctly (before builds that need Artifactory access) and consistently across all jobs.

Key details for reviewers:

  • The verification metadata currently allows checksums only (verify-signatures: false). This is intentional per the author's note.
  • Artifactory is required because some dependencies (or plugins) are published to SonarSource's private repository, not Maven Central.
  • The metadata file references "Generated by Gradle," indicating it was generated locally—consider how this will be updated (manually regenerated periodically vs. automated CI task).
  • The PR supersedes #225 (gradle.lockfile approach) if merged.


Add pluginManagement in settings.gradle.kts and update buildSrc and e2e
to resolve through repox first, following the same pattern as sonar-skunk.
This ensures verification-metadata.xml checksums match on CI where all
artifacts are fetched through repox.
The cross_platform_analyzers CI job has no Artifactory credentials, so
plugins can only be resolved via Gradle Plugin Portal when repox returns 401.

sonar-review-alpha (bot) left a comment

LGTM! ✅


sonarqube-next commented

Quality Gate passed for 'sonar-rust'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

romainbrenguier (Contributor) left a comment

That looks OK, but I think you need to verify the metadata and then change the "Generated by Gradle" to "Verified"
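To make concrete what the PR description, the review summary and the "Generated by Gradle" remark above are about, here is an added Python example. It is not the project's code and not Gradle's implementation; it mimics what Gradle does at build time when gradle/verification-metadata.xml is present: parse the file, recompute SHA-256 over each resolved artifact, and fail on any mismatch or on any artifact the file does not list. It also reads the verify-signatures switch (false in this PR, so only checksums are checked) and lists the entries whose origin attribute is still the default "Generated by Gradle", which is what the reviewer asked to be changed after manual verification. The metadata and artifacts are constructed: the coordinates com.example:lib-a and com.example:lib-b, the artifact bytes and the reason text are invented; the two recorded hashes are the standard SHA-256 values of the bytes "abc" and of the empty string.

```python
from __future__ import annotations

import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace Gradle uses in verification-metadata.xml; ElementTree needs it for lookups.
NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed sample in the shape Gradle writes with --write-verification-metadata sha256.
# Coordinates and 'reason' text are invented; hash values are SHA-256("abc") and SHA-256("").
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="com.example" name="lib-a" version="1.0">
         <artifact name="lib-a-1.0.jar">
            <sha256 value="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" origin="Verified" reason="Matches upstream release checksum"/>
         </artifact>
         <artifact name="lib-a-1.0.pom">
            <sha256 value="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="com.example" name="lib-b" version="2.1">
         <artifact name="lib-b-2.1.jar">
            <sha256 value="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""

# Constructed "downloaded" artifacts keyed by file name. lib-b's jar differs from
# what was recorded, standing in for a tampered or swapped artifact.
SAMPLE_ARTIFACTS = {
    "lib-a-1.0.jar": b"abc",
    "lib-a-1.0.pom": b"",
    "lib-b-2.1.jar": b"abd",
}


@dataclass
class Finding:
    artifact: str
    status: str  # "ok", "mismatch", "missing-checksum" or "not-in-metadata"
    origin: str = ""


def expected_checksums(metadata_xml: str) -> dict[str, tuple[str | None, str]]:
    """Map artifact file name -> (recorded sha256 hex or None, origin attribute)."""
    root = ET.fromstring(metadata_xml)
    expected = {}
    for artifact in root.iterfind("v:components/v:component/v:artifact", NS):
        sha = artifact.find("v:sha256", NS)
        if sha is None:
            expected[artifact.get("name")] = (None, "")
        else:
            expected[artifact.get("name")] = (sha.get("value", "").lower(), sha.get("origin", ""))
    return expected


def verify(metadata_xml: str, artifacts: dict[str, bytes]) -> list[Finding]:
    """Check each resolved artifact against the recorded checksum."""
    expected = expected_checksums(metadata_xml)
    findings = []
    for name, data in sorted(artifacts.items()):
        if name not in expected:
            findings.append(Finding(name, "not-in-metadata"))
            continue
        value, origin = expected[name]
        if not value:
            findings.append(Finding(name, "missing-checksum", origin))
            continue
        actual = hashlib.sha256(data).hexdigest()
        status = "ok" if hmac.compare_digest(actual, value) else "mismatch"
        findings.append(Finding(name, status, origin))
    return findings


def build_would_fail(findings: list[Finding]) -> bool:
    """Gradle fails the build on anything other than a verified match."""
    return any(f.status != "ok" for f in findings)


def signatures_enabled(metadata_xml: str) -> bool:
    root = ET.fromstring(metadata_xml)
    return root.findtext("v:configuration/v:verify-signatures", "false", NS).strip() == "true"


def still_generated(metadata_xml: str) -> list[str]:
    """Artifacts whose checksum still carries the default origin Gradle writes."""
    return sorted(name for name, (_, origin) in expected_checksums(metadata_xml).items()
                  if origin == "Generated by Gradle")


if __name__ == "__main__":
    results = verify(SAMPLE_METADATA, SAMPLE_ARTIFACTS)
    for f in results:
        print(f"{f.status:16} {f.artifact:16} origin={f.origin!r}")
    print("build would fail:", build_would_fail(results))
    print("verify-signatures:", signatures_enabled(SAMPLE_METADATA))
    print("still 'Generated by Gradle':", still_generated(SAMPLE_METADATA))
```

A checksum-only file like this pins what was downloaded when the file was written, so it only protects against later substitution; it says nothing about whether the first download was genuine. That is why the default origin is a prompt to check each hash against an independent source (the publisher's checksum or a second mirror) and then record that in origin/reason, as asked for above, and why verify-signatures is the natural next step. Regenerating after a dependency bump is done with the real Gradle flag `./gradlew --write-verification-metadata sha256 help`, which adds entries with the default origin again.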

romainbrenguier self-requested a review April 27, 2026 14:30
romainbrenguier merged commit 1f7eb9f into master Apr 27, 2026
21 of 24 checks passed
romainbrenguier deleted the tibor/add-gradle-verification-metadata branch April 27, 2026 14:30
2 participants