
Versions of plugins from settings.gradle are not checked

Open koral-- opened this issue 5 years ago • 11 comments

Steps to reproduce:

  • use Gradle 6.x
  • add some plugin with old version to settings.gradle(.kts) for example "com.gradle.enterprise"
  • invoke updateDependencies task

plugins {
    id("com.gradle.enterprise") version "3.1"
}

At the time of writing there is a version 3.1.1.

More info about build scan plugin: https://docs.gradle.com/enterprise/gradle-plugin/#gradle_6_x_and_later

koral-- avatar Dec 30 '19 16:12 koral--

I suppose we would need to use Settings and evaluate both getBuildscript() and getPluginManagement().

ben-manes avatar Dec 30 '19 20:12 ben-manes

Closely related, it also does not check for these in the settings.gradle file:

pluginManagement {
  plugins { ...

nedtwigg avatar Mar 27 '20 00:03 nedtwigg

Yes, see my comment above @nedtwigg. We would need to use both of those methods to capture those dependencies. Since those are not configurations, we'd have to make a detached configuration with the dependencies, repositories, and resolution strategy that those methods provide. Then resolve and print in the report with everything else.

ben-manes avatar Mar 27 '20 00:03 ben-manes

It looks like dependabot is able to do this: https://github.com/jaredsburrows/cs-interview-questions/pull/29.

jaredsburrows avatar May 03 '22 18:05 jaredsburrows

Yes, if I recall correctly they use simple regex parsing of the build files rather than executing it. That has other limitations.

The long-term approach that Github/Gradle are pursuing is outlined in this proposal and github issue. This would be similar to having static analyzers produce SARIF reports that the Github Security dashboard consumes, so it could simply be an action that feeds the current dependency graph into Github for a monitoring dashboard.

ben-manes avatar May 03 '22 18:05 ben-manes
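The regex-only approach mentioned above and its limitation, as an added example that is not part of this thread or of the plugin's code: a small Python extractor that pulls plugin ids and declared versions out of a settings.gradle(.kts) without executing it, compares them against a table standing in for a latest-version lookup, and reports a version held in a variable as unresolvable instead of silently missing it. The sample settings script, the `LATEST` table and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Matches Kotlin DSL id("com.x") version "1.2" and Groovy id 'com.x' version '1.2'; the version part
# also accepts a bare identifier so a variable reference is reported rather than missed.
PLUGIN_RE = re.compile(
    r"""\bid\s*\(?\s*["']([\w.\-]+)["']\s*\)?\s*version\s*\(?\s*(?:["']([^"']+)["']|([A-Za-z_]\w*))"""
)
# Constructed sample settings script: an up-to-date plugin, a stale one (3.1 vs 3.1.1, as in the
# issue) and one whose version sits in a variable, which regex parsing cannot resolve.
SETTINGS_KTS = """
pluginManagement {
    repositories { gradlePluginPortal() }
    plugins {
        id("org.gradle.toolchains.foojay-resolver-convention") version "0.5.0"
    }
}
val enterpriseVersion = "3.1"
plugins {
    id("com.gradle.enterprise") version "3.1"
    id("org.example.settings-plugin") version enterpriseVersion
}
"""
# Constructed stand-in for a resolved "latest.release" lookup against the plugin portal.
LATEST = {"com.gradle.enterprise": "3.1.1", "org.gradle.toolchains.foojay-resolver-convention": "0.5.0"}

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric dotted ordering: "3.1" < "3.1.1" < "3.2"; non-numeric parts (rc, beta) sort below numbers."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def extract_plugin_versions(script: str) -> Dict[str, str]:
    """Map plugin id -> declared version literal, or "<unresolved:NAME>" for a variable reference."""
    found: Dict[str, str] = {}
    for m in PLUGIN_RE.finditer(script):
        plugin_id, literal, symbol = m.groups()
        found[plugin_id] = literal if literal is not None else f"<unresolved:{symbol}>"
    return found

def unresolved_versions(script: str) -> List[str]:
    """Plugin ids whose version the regex approach cannot determine without executing the build."""
    return [pid for pid, v in extract_plugin_versions(script).items() if v.startswith("<unresolved")]

def find_outdated(script: str, latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(id, declared, latest) for every plugin whose literal version is older than the lookup table."""
    report = []
    for plugin_id, declared in extract_plugin_versions(script).items():
        newest = latest.get(plugin_id)
        if newest is not None and not declared.startswith("<unresolved") and version_key(declared) < version_key(newest):
            report.append((plugin_id, declared, newest))
    return report
```

Plugins listed by `unresolved_versions` are exactly the cases where executing the settings script (the detached-configuration approach described earlier in the thread) would be needed.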

https://github.com/jmfayard/refreshVersions can also handle it, so would be nice to have it here too :-)

Vampire avatar Feb 06 '23 10:02 Vampire

PRs welcome. 😁

ben-manes avatar Feb 06 '23 10:02 ben-manes

As always and everywhere :-D

Vampire avatar Feb 06 '23 11:02 Vampire

Just adding a use case, the Foojay Toolchains Plugin.

ianbrandt avatar Nov 09 '23 17:11 ianbrandt

If someone wants to try this idea and send a PR, that would be appreciated.

ben-manes avatar Nov 09 '23 17:11 ben-manes

Btw. imo pluginManagement { plugins { ... } } does not necessarily need to be checked. It's the same as plugins that are defined in a version catalog but not used anywhere. That block just defines versions that are used when a plugin is later applied without a version. So if it is applied and thus used, it will already be covered (for project plugins already now, for settings plugins once this issue is fixed).

Vampire avatar Nov 09 '23 17:11 Vampire