dependency-check-gradle
Add @Option to Gradle tasks to enable command-line configuration
For instance:
./gradlew dependencyCheckAggregate --failBuildOnCVSS 8
I know failBuildOnCVSS could be specified in build.* files; however, it would be convenient if the tasks supported command-line options (see https://docs.gradle.org/current/userguide/custom_tasks.html#sec:declaring_and_using_command_line_options).
This looks like it would require a LOT of refactoring of the plugin, as the @Option attribute does not work with extensions. As recommended by the Gradle documentation, all of the configuration within the plugin is done using extensions.
What if we keep extensions as is, but add an extra @Option to the task itself?
I guess adjusting failBuildOnCVSS on the fly (e.g. for exploratory purposes) is quite a common use case.
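A sketch of that approach in a standalone build.gradle, as an added example and not the plugin's own code: the extension stays the source of truth, and a task-level @Option overrides it from the command line. The ThresholdExtension, CheckTask, the task name cvssCheck and the sample findings are all constructed for this example.

```groovy
import org.gradle.api.DefaultTask
import org.gradle.api.GradleException
import org.gradle.api.provider.Property
import org.gradle.api.tasks.Input
import org.gradle.api.tasks.TaskAction
import org.gradle.api.tasks.options.Option

// Hypothetical extension standing in for the plugin's dependencyCheck block.
abstract class ThresholdExtension {
    abstract Property<Float> getFailBuildOnCVSS()
}

abstract class CheckTask extends DefaultTask {
    // Effective threshold; defaults to the extension value (see convention below).
    @Input
    abstract Property<Float> getFailBuildOnCVSS()

    // @Option only supports String/boolean/enum/List parameters, so parse and
    // validate the CVSS value here: ./gradlew cvssCheck --failBuildOnCVSS 8
    @Option(option = "failBuildOnCVSS",
            description = "Fail the build when a finding has a CVSS score at or above this value")
    void setFailBuildOnCVSSFromCli(String value) {
        float parsed
        try {
            parsed = Float.parseFloat(value)
        } catch (NumberFormatException e) {
            throw new GradleException("--failBuildOnCVSS must be a number, got '${value}'")
        }
        if (parsed < 0f || parsed > 10f) {
            throw new GradleException("--failBuildOnCVSS must be between 0 and 10")
        }
        failBuildOnCVSS.set(parsed)
    }

    @TaskAction
    void check() {
        // Constructed sample findings; a real task would read the scan report.
        def findings = [[name: 'lib-a', cvss: 7.5f], [name: 'lib-b', cvss: 9.1f]]
        float limit = failBuildOnCVSS.get()
        def failing = findings.findAll { it.cvss >= limit }
        failing.each { logger.error("${it.name}: CVSS ${it.cvss} >= ${limit}") }
        if (!failing.isEmpty()) {
            throw new GradleException("${failing.size()} finding(s) at or above CVSS ${limit}")
        }
    }
}

def thresholds = project.extensions.create('cvssThreshold', ThresholdExtension)
thresholds.failBuildOnCVSS.convention(11f)   // above the CVSS maximum: never fails unless configured

tasks.register('cvssCheck', CheckTask) {
    failBuildOnCVSS.convention(thresholds.failBuildOnCVSS)   // CLI option wins when given
}
```

With no option the task uses the value set in build.gradle (or the 11 convention), so existing extension-based configuration keeps working unchanged.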
Being able to configure the plugin from the command line is needed for various CI/CD purposes such as:
- configure properties specific to the build server
- configure properties needed for CI/CD pipeline
Requiring each repo using this plugin to configure the properties in the build.gradle is unmanageable and possibly not allowed (e.g., passwords).
Would using an init-script, such as described in odc/issues#4044, work?
I think an init script could be used to override/configure the plugin.
Here is a simple example to override the report formats.
init.gradle

```groovy
rootProject {
    afterEvaluate { project ->
        project.dependencyCheck.formats = ['JSON']
    }
}
```
SonarQube's plugin configuration behavior is what we're used to. It is very handy to set properties from the command line using our CI/CD tool.