dependency-check-gradle

dependency-check-gradle copied to clipboard

I’ve got the following already under allprojects:

apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
    failBuildOnCVSS = 8
    scanSet = [project.layout.projectDirectory.dir("src").asFile]
    skipConfigurations += 'lintClassPath'
}
// doesn’t work: tasks.findByName("check")?.dependsOn(dependencyCheckAnalyze)

But I can’t get it to run on a simple ./gradlew clean build in the top-level of the project, let alone on a ../gradlew clean build in a subproject (this one has a library and an äpp as modules, and I need to check them both independently, if run so, and as a whole, if building the whole thing).

The scanSet is from our normal OWASP check plugin configuration for Maven projects (I don’t know Gradle at all, but I’ve built up almost a decade of Maven experience by now, but Android forces me to use Gradle ☹), and the skipConfigurations is to avoid triggering score > 8 build failures for something in IntelliJ (?) on even an empty project.

Furthermore, I don’t see the differece between dependencyCheckAnalyze[sic!] and dependencyCheckAggregate explained in an understandable way: from the Tasks documentation I think I need Aggregate in a multi-module project (so, every Android project, because they are always structured as top-level plus app/ subdirectory), but https://github.com/jeremylong/dependency-check-gradle#what-if-my-project-includes-multiple-sub-project-how-can-i-use-this-plugin-for-each-of-them-including-the-root-project says nothing about it and somewhere else I think I saw Analyse used, not Aggregate… 😕

any update on this?

Anyone have an example project that fails? From the above question - I have no clue what is going on. If we have a concrete example I can help.

I’ve got the following already under allprojects:

apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
    failBuildOnCVSS = 8
    scanSet = [project.layout.projectDirectory.dir("src").asFile]
    skipConfigurations += 'lintClassPath'
}
// doesn’t work: tasks.findByName("check")?.dependsOn(dependencyCheckAnalyze)

But I can’t get it to run on a simple ./gradlew clean build in the top-level of the project, let alone on a ../gradlew clean build in a subproject (this one has a library and an äpp as modules, and I need to check them both independently, if run so, and as a whole, if building the whole thing).

The scanSet is from our normal OWASP check plugin configuration for Maven projects (I don’t know Gradle at all, but I’ve built up almost a decade of Maven experience by now, but Android forces me to use Gradle ☹), and the skipConfigurations is to avoid triggering score > 8 build failures for something in IntelliJ (?) on even an empty project.

Furthermore, I don’t see the differece between dependencyCheckAnalyze[sic!] and dependencyCheckAggregate explained in an understandable way: from the Tasks documentation I think I need Aggregate in a multi-module project (so, every Android project, because they are always structured as top-level plus app/ subdirectory), but jeremylong/dependency-check-gradle#what-if-my-project-includes-multiple-sub-project-how-can-i-use-this-plugin-for-each-of-them-including-the-root-project says nothing about it and somewhere else I think I saw Analyse used, not Aggregate… 😕

I'm might be a bit too late, but you've got instructions here.

A working example, if you're using the Gradle Version Catalog, in the root-level build.gradle:

plugins {
	...
    alias(libs.plugins.dependencyCheck)
	...
}
...
allprojects {
    apply plugin: 'org.owasp.dependencycheck'
    dependencyCheck {
        outputDirectory = './build/reports'
        scanConfigurations = configurations.findAll {
            !it.name.startsWithAny('androidTest', 'test', 'debug') &&
                    it.name.contains("DependenciesMetadata") && (
                    it.name.startsWithAny("api", "implementation", "runtimeOnly") ||
                            it.name.contains("Api") ||
                            it.name.contains("Implementation") ||
                            it.name.contains("RuntimeOnly")
            )
        }.collect {
            it.name
        }
        failBuildOnCVSS = 8
        nvd {
            apiKey = API_KEY
        }
    }

If you're NOT using Gradle Version catalog, the root-level build.gradle should look like:

plugins {
	...
    id("org.owasp.dependencycheck") version "9.0.8"
	...
}
...
allprojects {
    apply plugin: 'org.owasp.dependencycheck'
    dependencyCheck {
        outputDirectory = './build/reports'
        scanConfigurations = configurations.findAll {
            !it.name.startsWithAny('androidTest', 'test', 'debug') &&
                    it.name.contains("DependenciesMetadata") && (
                    it.name.startsWithAny("api", "implementation", "runtimeOnly") ||
                            it.name.contains("Api") ||
                            it.name.contains("Implementation") ||
                            it.name.contains("RuntimeOnly")
            )
        }.collect {
            it.name
        }
        failBuildOnCVSS = 8
        nvd {
            apiKey = API_KEY
        }
    }

If having any issue with adding the Gradle plugin, just check the instructions [here](Just check https://plugins.gradle.org/plugin/org.owasp.dependencycheck)

The following snippet works for Kotlin syntax:

plugins {
	...
    alias(libs.plugins.dependencyCheck)
	...
}
...
allprojects {
    apply { plugin("org.owasp.dependencycheck") }
    dependencyCheck {
        scanConfigurations = configurations.filter {
            listOf("androidTest", "test", "debug").any { !name.startsWith(it) } and
            name.contains("DependenciesMetadata") and
            listOf("Api", "Implementation", "RuntimeOnly").any { name.contains(it) }
        }.map { name }
    }
}