
Bug: osv-scanner and Gradle need a different lockfile #2403

@dkowis

Description


What happened?

I think this is the right way to support the version lockfile on Gradle: google/osv-scanner#915

I have noticed that the plugin.toml for osv-scanner does not include that path.

Should it include: "**/gradle/verification-metadata.xml" in the globs?

It's generated by this: https://docs.gradle.org/current/userguide/dependency_verification.html

Happy to make a PR, but I'm not sure yet if that's the right way to do it.

What did you expect to happen?

osv-scanner should run against a Gradle project.

Can you reproduce the problem?

Yes, consistently

CLI Version

qlty 0.574.0 macos-arm64 (450dd70 2025-09-12)

Relevant log output

❯ qlty check --all --filter osv-scanner --verbose --no-cache
     [0/1] 🤔  Planning...  0.05s
     [1/1] 🔍  Analyzing all targets...
 JOBS: 0

Plugin  Result  Targets  Time  Debug File

✔ No issues


The project has a build.gradle.kts file, and I've created a metadata verification:

❯ ls gradle/
 libs.versions.toml   verification-metadata.xml   wrapper


But the qlty auto-detection bits don't work.
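For readers unfamiliar with why `gradle/verification-metadata.xml` can serve as a lockfile: it pins every resolved Maven coordinate together with its checksum, which is exactly what a scanner needs. The following is an added example (not code from the issue, qlty or osv-scanner) that parses a constructed sample of that file, builds the query body OSV's `/v1/querybatch` endpoint accepts (ecosystem `Maven`, name `group:artifact`), and flags components that carry no checksum or signature at all; the checksum values in the sample are placeholders.

```python
"""Parse a Gradle verification-metadata.xml into pinned Maven coordinates."""
import xml.etree.ElementTree as ET

NS = "https://schema.gradle.org/dependency-verification"

# Constructed sample shaped like the output of
# `gradle --write-verification-metadata sha256`; checksum values are placeholders.
SAMPLE_XML = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.15.2">
      <artifact name="jackson-databind-2.15.2.jar">
        <sha256 value="PLACEHOLDER_SHA256_A" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="org.apache.commons" name="commons-text" version="1.9">
      <artifact name="commons-text-1.9.jar"/>
    </component>
  </components>
</verification-metadata>
"""

# Checksum/signature element names Gradle writes under <artifact>.
CHECKSUM_TAGS = {f"{{{NS}}}{t}" for t in ("md5", "sha1", "sha256", "sha512", "pgp")}


def parse_components(xml_text):
    """Return (group, name, version) for every <component>, in file order."""
    root = ET.fromstring(xml_text)
    return [(c.get("group"), c.get("name"), c.get("version"))
            for c in root.iterfind(f".//{{{NS}}}component")]


def unverified_components(xml_text):
    """Components whose artifacts carry no checksum or signature entry at all."""
    root = ET.fromstring(xml_text)
    return [f"{c.get('group')}:{c.get('name')}:{c.get('version')}"
            for c in root.iterfind(f".//{{{NS}}}component")
            if not any(el.tag in CHECKSUM_TAGS for el in c.iter())]


def to_osv_querybatch(components):
    """Body for OSV's /v1/querybatch: ecosystem Maven, package name is group:artifact."""
    return {"queries": [{"package": {"ecosystem": "Maven", "name": f"{g}:{n}"}, "version": v}
                        for g, n, v in components]}


if __name__ == "__main__":
    comps = parse_components(SAMPLE_XML)
    print(to_osv_querybatch(comps))
    print("no checksum:", unverified_components(SAMPLE_XML))
```

Nothing is sent to OSV here; the dict is only built so you can see the shape a scanner would submit for the pinned versions.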
