
Support gradle's verification-metadata.xml?

Open faern opened this issue 1 year ago • 5 comments

Hi. It looks like osv-scanner only checks for gradle.lockfile and friends, not verification-metadata.xml (Gradle dependency verification), which is the only "lockfile"-like thing we have for gradle.

We currently use another tool for scanning our gradle dependency tree against NVD, and that tool works with the files we have. We would like to migrate to osv-scanner if possible. Is there any reason osv-scanner does not parse this file, or is it simply because it has not been added yet?

We currently use the following tool to scan our gradle dependency tree against NVD: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.

Current results:

$ osv-scanner scan --lockfile android/gradle/verification-metadata.xml
could not determine extractor for /home/foobarbaz/android/gradle/verification-metadata.xml

faern avatar Apr 12 '24 13:04 faern
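The request above is for osv-scanner to treat verification-metadata.xml as a lockfile. The part of that file a vulnerability scanner needs is the list of `<component group name version>` elements, since the `<artifact>` children only carry the checksums Gradle verifies at build time. The following Go program is an added example, not osv-scanner's own extractor code: it parses a constructed fixture in the shape Gradle writes, skips components with missing coordinates, deduplicates, and renders each one as the `Maven` ecosystem name (`group:artifact`) and package URL that OSV queries accept. The coordinates and checksums in the fixture are illustrative values, not taken from any real project.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Subset of Gradle's verification-metadata.xml that matters for vulnerability
// scanning: each <component> carries the Maven coordinates; the <artifact>
// children carry the checksums Gradle checks at build time. Field tags match
// on local element names, so the default Gradle namespace is handled.
type verificationMetadata struct {
	XMLName    xml.Name    `xml:"verification-metadata"`
	Components []component `xml:"components>component"`
}

type component struct {
	Group     string     `xml:"group,attr"`
	Name      string     `xml:"name,attr"`
	Version   string     `xml:"version,attr"`
	Artifacts []artifact `xml:"artifact"`
}

type artifact struct {
	Name   string `xml:"name,attr"`
	SHA256 *hash  `xml:"sha256"`
}

type hash struct {
	Value string `xml:"value,attr"`
}

// MavenPackage is what a scanner would hand to the OSV API: ecosystem "Maven",
// name "group:artifact", and the version string as written in the file.
type MavenPackage struct {
	Ecosystem string
	Name      string
	Version   string
}

// ParseVerificationMetadata extracts one MavenPackage per <component>.
// Entries missing a group, name, or version are skipped rather than turned
// into a bogus query; duplicates are dropped; file order is preserved.
func ParseVerificationMetadata(data []byte) ([]MavenPackage, error) {
	var doc verificationMetadata
	if err := xml.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse verification-metadata.xml: %w", err)
	}
	seen := make(map[string]bool)
	var pkgs []MavenPackage
	for _, c := range doc.Components {
		if c.Group == "" || c.Name == "" || c.Version == "" {
			continue
		}
		p := MavenPackage{Ecosystem: "Maven", Name: c.Group + ":" + c.Name, Version: c.Version}
		key := p.Name + "@" + p.Version
		if seen[key] {
			continue
		}
		seen[key] = true
		pkgs = append(pkgs, p)
	}
	return pkgs, nil
}

// PURL renders the package as a package URL (pkg:maven/group/artifact@version).
func (p MavenPackage) PURL() string {
	group, name, _ := strings.Cut(p.Name, ":")
	return "pkg:maven/" + group + "/" + name + "@" + p.Version
}

// sampleMetadata is a constructed fixture in the shape Gradle writes; the
// coordinates and checksum values are illustrative, not from a real project.
const sampleMetadata = `<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="com.example" name="widget" version="1.2.3">
         <artifact name="widget-1.2.3.jar">
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="Generated by Gradle"/>
         </artifact>
         <artifact name="widget-1.2.3.pom">
            <sha256 value="1111111111111111111111111111111111111111111111111111111111111111" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="org.example" name="gadget" version="2.0">
         <artifact name="gadget-2.0.jar">
            <sha256 value="2222222222222222222222222222222222222222222222222222222222222222" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>`

func main() {
	pkgs, err := ParseVerificationMetadata([]byte(sampleMetadata))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Println(p.Ecosystem, p.Name, p.Version, p.PURL())
	}
}
```

One design point worth noting: the checksums are parsed but deliberately not used for matching. They are what Gradle uses to detect a tampered artifact; a vulnerability lookup keys on the coordinates, so a scanner built on this file answers "is this version known-vulnerable" and not "is this the artifact you expected", which remains Gradle's job.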

Thanks for the request! We simply have not added support for this yet.

@G-Rath is this something we can put on your plate?

oliverchang avatar Apr 23 '24 02:04 oliverchang

@faern would it be possible for you to provide a couple of examples of this file, for building test fixtures? All good if not, it'd just save me some searching if you can 🙂

G-Rath avatar Apr 23 '24 02:04 G-Rath

Here is our own lockfile; I can start by linking that. I'll see if I can find more examples later: https://github.com/mullvad/mullvadvpn-app/blob/main/android/gradle/verification-metadata.xml

faern avatar Apr 23 '24 06:04 faern

This would be a great addition to the tool!

Here's another one used by the official F-Droid Android Client app that also includes signature checks. Also adding a link to the script they use to generate the file: https://gitlab.com/fdroid/fdroidclient/-/blob/master/gradle/verification-metadata.xml https://gitlab.com/fdroid/fdroidclient/-/blob/master/gradle/update-verification-metadata.sh

And here's another used by AndroidX (Google) as well as their documentation about using it to verify their artifacts: https://cs.android.com/androidx/platform/frameworks/support/+/androidx-main:gradle/verification-metadata.xml https://developer.android.com/jetpack/getting-started#verify_dependencies

albin-mullvad avatar Apr 23 '24 06:04 albin-mullvad

Thanks all for the samples! I'll start digging and post back here if I have any questions :)

G-Rath avatar Apr 25 '24 22:04 G-Rath