dependency-check-gradle
Show source of vulnerable transitive dependency
Maybe I'm missing it, but with the Gradle plugin can I see what declared dependency led to a detected vulnerability?
For instance, if I add 'org.owasp:dependency-check-maven:7.0.0' and then run dependencyCheckAnalyze, I get a hit on sisu-guava-0.9.9.jar - cpe:2.3:a:google:guava:0.9.9:*:*:*:*:*:*:*.
Presently, to find out where that came from I have to run the dependencies task and search for it.
+--- org.owasp:dependency-check-maven:7.0.0
| +--- org.owasp:dependency-check-core:7.0.0 (*)
| +--- org.owasp:dependency-check-utils:7.0.0 (*)
| +--- org.apache.maven.shared:file-management:3.0.0
| | +--- org.apache.maven:maven-plugin-api:3.0 -> 3.0.5
| | | +--- org.apache.maven:maven-model:3.0.5
| | | | \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
| | | +--- org.apache.maven:maven-artifact:3.0.5
| | | | \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
| | | \--- org.sonatype.sisu:sisu-inject-plexus:2.3.0
| | | +--- org.codehaus.plexus:plexus-component-annotations:1.5.5 -> 2.0.0
| | | +--- org.codehaus.plexus:plexus-classworlds:2.4
| | | +--- org.codehaus.plexus:plexus-utils:2.1 -> 3.4.1
| | | \--- org.sonatype.sisu:sisu-inject-bean:2.3.0
| | | \--- org.sonatype.sisu:sisu-guice:3.1.0
| | | \--- org.sonatype.sisu:sisu-guava:0.9.9
It would be nice to see what led to it being in the project right from the HTML report.
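As an added example (not code from the plugin or from anyone in this thread), here is a small Python script that automates the manual search described above: it parses the output of ./gradlew -q dependencies and prints the chain from each declared dependency down to the artifact the report flagged, so the transitive origin can be checked before the HTML report gains that information. The tree text and configuration name are constructed samples in Gradle's real 5-character-per-level layout, not the issue author's actual output.

```python
import re
from typing import Dict, List

# Constructed sample mimicking `./gradlew -q dependencies` output (not captured from
# the project); its deepest node is the sisu-guava artifact the report flagged.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.owasp:dependency-check-maven:7.0.0
|    +--- org.owasp:dependency-check-core:7.0.0 (*)
|    \\--- org.apache.maven.shared:file-management:3.0.0
|         \\--- org.apache.maven:maven-plugin-api:3.0 -> 3.0.5
|              +--- org.apache.maven:maven-model:3.0.5
|              |    \\--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
|              \\--- org.sonatype.sisu:sisu-inject-plexus:2.3.0
|                   \\--- org.sonatype.sisu:sisu-inject-bean:2.3.0
|                        \\--- org.sonatype.sisu:sisu-guice:3.1.0
|                             \\--- org.sonatype.sisu:sisu-guava:0.9.9
\\--- com.google.guava:guava:31.1-jre
"""

# One tree node: 5-character indent units ("|    " or "     "), a connector,
# the requested coordinate and an optional "-> resolved" version.
NODE_RE = re.compile(r"^(?P<prefix>(?:[| ] {4})*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?")

def find_paths(tree_text: str, needle: str) -> List[Dict]:
    """Every path from a declared dependency down to an artifact whose group:name contains needle."""
    hits: List[Dict] = []
    stack: List[str] = []   # ancestors of the current line, declared dependency first
    config = "?"
    for line in tree_text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            # Configuration header such as "runtimeClasspath - Runtime classpath ..."
            if line and not line[0].isspace() and " - " in line:
                config, stack = line.split(" - ", 1)[0], []
            continue
        coord, resolved = m.group("coord"), m.group("resolved")
        if resolved:        # "requested -> resolved": keep the version actually on the classpath
            coord = ":".join(coord.split(":")[:2] + [resolved])
        depth = len(m.group("prefix")) // 5
        del stack[depth:]   # leave the previous node's subtree before descending
        stack.append(coord)
        if needle in ":".join(coord.split(":")[:2]):
            hits.append({"configuration": config, "path": list(stack)})
    return hits

if __name__ == "__main__":
    for hit in find_paths(SAMPLE_TREE, "sisu-guava"):
        print(f"[{hit['configuration']}] " + " -> ".join(hit["path"]))
```

Run it against real output by replacing SAMPLE_TREE with the captured text of ./gradlew -q dependencies; a needle that matches several artifacts (for example "guava") returns one path per hit, which is what you want when the same library is pulled in through more than one declared dependency.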
I completely agree - this is something on the list for both the Gradle and Maven plugins. Best we've done so far is a hackish solution for Maven: https://gist.github.com/jeremylong/ec5d496f64fc5bba6d47b2524a40ce3f
The above gist could be modified to account for the ./gradlew -q dependencies
We are working on resolving this issue - the update will be included with https://github.com/dependency-check/dependency-check-gradle/issues/283