
Comments (13)

roikonen avatar roikonen commented on July 26, 2024 1

What are these configurations? I looked into documentation in http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html but could not find info about what those configurations mean. Can you somehow configure from which path(s) to scan with them?

I'm trying to use your OWASP Gradle plugin to scan my NodeJS dependencies but it cannot find any dependencies and I can't find how to tell the plugin where to find the dependencies.

from dependency-check-gradle.

Vampire avatar Vampire commented on July 26, 2024 1

@Thorbear

dependencyCheck {
   allprojects {
      // Walk every configuration of every project and add the kapt* ones to the skip list
      configurations.all {
         if ((it.name.startsWith('kapt')) && !(it.name in skipConfigurations)) {
            skipConfigurations << it.name   // avoid duplicate entries
         }
      }
   }
}


jeremylong avatar jeremylong commented on July 26, 2024

@roikonen sorry for the extremely delayed response. Dependency-check-gradle uses the gradle dependency management system. There are many built-in configurations (test, compile, testRuntime, somethingMadeUpByAnotherPlugin, etc.), each representing a collection of artifacts and their dependencies. The skip configurations option allows one to explicitly tell the gradle plugin which set of dependencies to scan.

For Node.js my guess is gradle is not managing the dependencies and they are subsequently being managed by another system (likely npm). Take a look at the node security project or the CLI version of dependency-check when 2.0.0 is released (hopefully this weekend).

Other enhancements are in the works for the gradle (and Maven) plugin so that it can also scan specific directories for dependencies rather than just the dependencies managed by the build tool.


nlassai avatar nlassai commented on July 26, 2024

@jeremylong Is there a way to skip the sub projects inside a project using skipConfigurations or something? We are using gradle plugin. Thanks.


jeremylong avatar jeremylong commented on July 26, 2024

@nlassai apply the plugin to the rootProject instead of allprojects or subprojects?


jrodguitar avatar jrodguitar commented on July 26, 2024

@nlassai did you ever find a way to skip the sub projects?


Thorbear avatar Thorbear commented on July 26, 2024

Is this enhancement very far down in the backlog?
Working with the kotlin-kapt plugin in addition to the Android plugin, the list of configurations to ignore is getting long:

kapt
kaptAndroidTestDebug
kaptRelease
kaptDebug
kaptTestDebug
kaptAndroidTest
kaptTest
kaptTestRelease

The ability to just say "Ignore all configurations starting with kapt" would be awesome.


jrodguitar avatar jrodguitar commented on July 26, 2024

For a multiproject scenario, the fix for #99 worked well (have the ability to skip projects). However a fix for this issue will be what developers will use the most in my opinion. Please let @Thorbear and me @jrodguitar know.


Vampire avatar Vampire commented on July 26, 2024

@nlassai & @jrodguitar though it is not documented, since 5.0.0 there are scanProjects and skipProjects, introduced with #99.


Thorbear avatar Thorbear commented on July 26, 2024

@Vampire
Awesome, with some minor edits, that can even add full regex support:

apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
    formats = ['HTML', 'XML']
    // Java regular expressions; String.matches() requires the whole configuration name to match
    def skipConfigurationPatterns = [
            "_classStructurekapt.*",
            "_internal_aapt2_binary",
            "androidApis",
            "kotlinCompiler.*",
            "lintClassPath"
    ]
    allprojects {
        configurations.all { configuration ->
            if (configuration.name in skipConfigurations) {
                return    // already skipped, nothing to do
            }
            skipConfigurationPatterns.each { pattern ->
                if (configuration.name.matches(pattern)) {
                    skipConfigurations << configuration.name
                }
            }
        }
    }
}


wrprice avatar wrprice commented on July 26, 2024

Is it necessary to make separate (e.g. scan and rxScan) properties? Could you determine an entry in the list is intended to be a regular expression by some convention (e.g. start with ^)? Arguably, one could use closures or even plain Java streams to select/build the scan/skip lists without an enhancement.

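An added example, written for this page and not taken from the plugin or from anyone in this thread, of the single-list convention wrprice suggests (an entry starting with ^ is a regex, anything else is a literal configuration name), combined with the skipProjects option Vampire mentions. The project path ':sampleApp' and the list entries are assumptions; adjust them to your build.

```groovy
apply plugin: 'org.owasp.dependencycheck'

// One list: '^' marks a regex, everything else is a literal configuration name (assumed convention).
def skipSpec = [
        'lintClassPath',           // literal name
        '^kapt.*',                 // regex: kapt, kaptDebug, kaptTestRelease, ...
        '^_classStructurekapt.*',  // regex
        '^kotlinCompiler.*',       // regex
]

// Split the spec once: literal names go into a Set, regexes are compiled once.
def literalSkips = skipSpec.findAll { !it.startsWith('^') } as Set
def regexSkips   = skipSpec.findAll { it.startsWith('^') }.collect { ~it }

// Only the configuration *name* is inspected; nothing is resolved, so no extra downloads happen.
def shouldSkip = { String name ->
    name in literalSkips || regexSkips.any { name ==~ it }
}

dependencyCheck {
    formats = ['HTML', 'XML']
    // Project-level filter from #99; ':sampleApp' is an assumed project path.
    skipProjects = [':sampleApp']
    allprojects {
        configurations.all { configuration ->
            if (shouldSkip(configuration.name) && !(configuration.name in skipConfigurations)) {
                skipConfigurations << configuration.name
            }
        }
    }
}
```

Because skipConfigurations is filled by name only, the resulting report still lists exactly which configurations were excluded, which makes it easy to audit that no production runtime configuration was accidentally matched by a pattern.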

jeremylong avatar jeremylong commented on July 26, 2024

The solution to the problem is the above comment: #22 (comment)


Vampire avatar Vampire commented on July 26, 2024

The solution to the problem is the above comment

Not really, it is just a work-around.
Anything that involves reaching into other projects' models is discouraged bad practice and, at the latest when isolated projects become a reality, will probably be problematic.
It would still be nice if you could simply configure a regex that is checked by the plugin in AbstractAnalyze#shouldBe* at execution time.

