dependency-check-gradle
Gradle task :dependencyCheckAnalyze gives different result depending on version of AGP
(This is copied from https://github.com/jeremylong/DependencyCheck/issues/6740 where I by accident posted this issue first)
Describe the bug: Running the :dependencyCheckAnalyze Gradle task gives a different result depending on which version of the Android Gradle Plugin (AGP) is used. This is despite the dependencies that generate the CVE errors not having changed.
Version of dependency-check used
Using org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on 9.0.9
Log file https://gist.github.com/Pururun/89199a37e9794bac5969193f2a5ed685
To Reproduce Update to AGP 8.4 or 8.5
Expected behavior Consistent behaviour regardless of AGP version.
Additional context: Here is our configuration in Gradle:
global gradle

```kotlin
allprojects {
    configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
        failBuildOnCVSS = 0F // All severity levels
        suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"
    }
}
```
test gradle

```kotlin
configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    // Skip the lintClassPath configuration, which relies on many dependencies that have been flagged
    // as having CVEs, as it's related to the lint tooling rather than the project's compilation class
    // path. The alternative would be to suppress specific CVEs; however, that could potentially
    // result in suppressed CVEs in the project's compilation class path.
    skipConfigurations = listOf("lintClassPath")
    suppressionFile = "$projectDir/../test-suppression.xml"
}
```
Here is the suppress file for the app: https://github.com/mullvad/mullvadvpn-app/blob/main/android/config/dependency-check-suppression.xml
Suppression file for tests: https://github.com/mullvad/mullvadvpn-app/blob/main/android/test/test-suppression.xml
I have also tried moving the plugin out of the project file and applying it to each module separately, but this did not help.
I ran into this same problem when I updated my AGP version a month or two ago. I am not really sure what changed in the new version of the AGP but a bunch of configurations were exposed that previously weren't exposed and thus they are getting scanned for vulnerabilities. I don't really think this is really the fault of this plugin.
I looked back at older versions of the AGP and I can see that the vulnerabilities were still there. There is just something different about how things are being compiled, and these configurations are now being exposed and scanned when they were not previously.
I also looked ahead at the latest version of the AGP and some of its dependencies and I can see that the vulnerabilities still exist.
Ultimately, it was tedious, but we added all of these new issues to our suppression file. I'd love it if the AGP didn't have vulnerable dependencies, but there really isn't anything that we could do to fix it other than wait for Google to address it.
Not that this will really help you with your problem or anything - just trying to add more information for discussion.
Another option would be to skip the configurations if they shouldn't be analyzed.
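The two approaches discussed in this thread (suppressing the new findings versus skipping tooling-only configurations) both depend on first knowing which Gradle configurations the scanner now walks after an AGP upgrade. The following build.gradle.kts fragment is an added example, not code from the mullvad project or from the dependency-check-gradle plugin's own documentation. It registers a hypothetical diagnostic task, `listScannedConfigurations`, that prints every resolvable configuration in the module so the ones introduced by the AGP change can be identified, and then excludes tooling-only configurations via `skipConfigurations` rather than suppressing individual CVEs. The configuration names `lintClassPath` and `kotlinCompilerClasspath` are assumptions about which configurations are tooling-only in a given module; confirm them against the task's output before skipping them.

```kotlin
// build.gradle.kts of an Android module (added example; assumes the
// org.owasp.dependencycheck plugin is already applied, as in the thread's allprojects block).

// Hypothetical diagnostic task: lists the configurations dependency-check would scan.
// Run it before and after an AGP upgrade and diff the output to see which
// configurations are newly exposed to the scanner.
tasks.register("listScannedConfigurations") {
    group = "verification"
    description = "Prints the resolvable configurations that dependency-check will analyze."
    doLast {
        configurations
            .filter { it.isCanBeResolved } // dependency-check only resolves these
            .map { it.name }
            .sorted()
            .forEach { println(it) }
    }
}

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    failBuildOnCVSS = 0F // fail on any reported severity, as in the reporter's setup
    suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"

    // Configurations that only feed build-time tooling (lint, the Kotlin compiler daemon)
    // never ship in the APK, so they are excluded from the scan instead of having their
    // CVEs suppressed. Names here are assumptions; verify them with listScannedConfigurations.
    skipConfigurations = listOf(
        "lintClassPath",
        "kotlinCompilerClasspath",
    )
}
```

Run `./gradlew :app:listScannedConfigurations` on the old and new AGP versions and compare the two lists; any configuration that appears only under the newer AGP is a candidate for `skipConfigurations` if it is tooling-only, or for a targeted suppression entry if it does contribute to the shipped artifact. Skipping keeps the suppression file focused on real application dependencies, which avoids the risk the reporter's comment describes of accidentally suppressing a CVE that also affects the compilation classpath. If the set of configurations worth scanning is small and stable, the plugin's `scanConfigurations` allow-list is the inverse option: only the named configurations are analyzed, so a future AGP upgrade cannot silently widen the scan.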