gradle-witness icon indicating copy to clipboard operation
gradle-witness copied to clipboard

Published 20 hours ago verified publisher icon signalapp

Metadata

A gradle plugin that enables static verification for remote dependencies.

Results 24 gradle-witness issues
Sort by recently updated
recently updated
newest added

No dependency for integrity assertion found: com.android.databinding:library

7 comment

With databinding enabled in Android project build.gradle, gradle-witness data binding enabled via: ``` dataBinding { enabled = true } ``` output is: ``` FAILURE: Build failed with an exception. *...

GeoffreyMetais avatar GeoffreyMetais

Sort calculated checksum

When I add new dependency to my project and run `calculateChecksums` Then git diff should show me minimal differences. This can be achieved if dependencies are sorted by groupId and...

blabno avatar blabno

extend to gradle plugins

5 comment

Since the whole gradle build process for Android relies on downloading plugins from jcenter, we really need a way to do what gradle-witness does, but for those plugins. @dschuermann already...

eighthave avatar eighthave

Replace deprecated leftShift(Closure) method

1 comment

Issue: The Task.leftShift(Closure) method has been deprecated and is scheduled to be removed in Gradle 5.0. Fix: Use Task.doLast(Action) instead. Resolves: https://github.com/signalapp/gradle-witness/issues/22

devinbileck avatar devinbileck

Transient dependencies are not verified.

Correct me if I'm wrong, but I don't think the pom/transient dependencies are verified. A malicious repo could edit a pom, add a new transient dependency without triggering a verification...

ghost avatar ghost

Removed deprecated LeftShift to support gradle 5

Hello moxie0, I have removed the deprecated LeftShift in calculateChecksums task to make gradle-witness compatible with gradle >= 5. It's just a syntactical change and shouldn't have any side effects....

seism0saurus avatar seism0saurus

Remove deprecated usage of <<.

greyson-signal avatar greyson-signal

Gradle 5 has deprecated << syntax in favor of doLast blocks

I'm happy to submit a pull request for this issue asap.

ayemiller avatar ayemiller

Witness incorrectly resolves dependency when older version is specified

Witness currently resolves the dependency file with the following [code](https://github.com/signalapp/gradle-witness/blob/10f1269c0aafdc1d478efc005ed48f3a47d44278/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy#L34): ``` ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find{ return it.name.equals(name) && it.moduleVersion.id.group.equals(group) } ``` Because this only checks the group and name, and...

duggulous avatar duggulous

Support gradle's "Implementation"

Gradle-witness only supports libraries added with "compile", but not "implementation". ```` WARNING: Configuration 'compile' is obsolete and has been replaced with 'implementation'. It will be removed at the end of...

mueller-ma avatar mueller-ma

Metadata

229
Stars
67
Forks
Watchers

Owner

verified publisher icon signalapp

Metadata

A gradle plugin that enables static verification for remote dependencies.

Back