Comments (13)
What are these configurations? I looked into the documentation at http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html but could not find info about what those configurations mean. Can you somehow configure from which path(s) to scan with them?
I'm trying to use your OWASP Gradle plugin to scan my NodeJS dependencies, but it cannot find any dependencies and I can't find how to tell the plugin where to find the dependencies.
from dependency-check-gradle.
dependencyCheck {
    allprojects {
        configurations.all {
            if ((it.name.startsWith('kapt')) && !(it.name in skipConfigurations)) {
                skipConfigurations << it.name
            }
        }
    }
}
@roikonen sorry for the extremely delayed response. Dependency-check-gradle uses the Gradle dependency management system. There are many built-in configurations (test, compile, testRuntime, somethingMadeUpByAnotherPlugin, etc.); each represents a collection of artifacts and their dependencies. The skip configurations allow one to explicitly tell the Gradle plugin which set of dependencies to scan.
For Node.js my guess is Gradle is not managing the dependencies and they are subsequently being managed by another system (likely npm). Take a look at the node security project or the CLI version of dependency-check when 2.0.0 is released (hopefully this weekend).
Other enhancements are in the works for the Gradle (and Maven) plugin so that it can also scan specific directories for dependencies rather than just the dependencies managed by the build tool.
@jeremylong Is there a way to skip the subprojects inside a project using skipConfigurations or something? We are using the Gradle plugin. Thanks.
@nlassai apply the plugin to the rootProject instead of allprojects or subprojects?
@nlassai did you ever find a way to skip the subprojects?
Is this enhancement very far down in the backlog?
Working with the kotlin-kapt plugin in addition to the Android plugin, the list of configurations to ignore is getting long:
kapt
kaptAndroidTestDebug
kaptRelease
kaptDebug
kaptTestDebug
kaptAndroidTest
kaptTest
kaptTestRelease
The ability to just say "Ignore all configurations starting with kapt" would be awesome.
For a multiproject scenario, the fix for #99 worked well (having the ability to skip projects). However, a fix for this issue will be what developers will use the most, in my opinion. Please let @Thorbear and me @jrodguitar know.
@nlassai & @jrodguitar though it is not documented, since 5.0.0 there is scanProjects and skipProjects, introduced with #99.
@Vampire Awesome, with some minor edits, that can even add full regex support:
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
    formats = ['HTML', 'XML']

    // Regular expressions matched against the full configuration name.
    def skipConfigurationPatterns = [
        "_classStructurekapt.*",
        "_internal_aapt2_binary",
        "androidApis",
        "kotlinCompiler.*",
        "lintClassPath"
    ]

    allprojects {
        configurations.all { configuration ->
            // Already skipped (e.g. listed explicitly): nothing to do.
            if (configuration.name in skipConfigurations) {
                return
            }
            // Add every configuration whose name matches one of the patterns.
            skipConfigurationPatterns.each { pattern ->
                if (configuration.name.matches(pattern)) {
                    skipConfigurations << configuration.name
                }
            }
        }
    }
}
Is it necessary to make separate (e.g. scan and rxScan) properties? Could you determine whether an entry in the list is intended to be a regular expression by some convention (e.g. it starts with ^)? Arguably, one could use closures or even plain Java streams to select/build the scan/skip lists without an enhancement.
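As an added example (not from any comment in this thread and not part of the plugin), this is one way to apply the "starts with ^ means regular expression" convention proposed above in a plain Groovy build.gradle, reusing the plugin's existing skipConfigurations list; the pattern list itself is constructed for illustration.

```groovy
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    // Constructed sample list: entries beginning with '^' are treated as
    // regular expressions, every other entry must match the name exactly.
    def skipEntries = [
        '^kapt.*',            // regex: kapt, kaptDebug, kaptTestRelease, ...
        '^kotlinCompiler.*',  // regex: kotlinCompiler, kotlinCompilerPluginClasspath, ...
        'lintClassPath'       // literal: only this exact configuration
    ]

    // Decide whether a configuration name should be skipped.
    def shouldSkip = { String name ->
        skipEntries.any { String entry ->
            entry.startsWith('^') ? name.matches(entry) : name == entry
        }
    }

    allprojects {
        configurations.all { configuration ->
            def name = configuration.name
            if (!(name in skipConfigurations) && shouldSkip(name)) {
                skipConfigurations << name
            }
        }
    }
}
```

Like the earlier workaround, this reaches into every project's configurations at configuration time rather than being evaluated by the plugin, so it shares the caveat raised later in the thread.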
The solution to the problem is the above comment: #22 (comment)
"The solution to the problem is the above comment"
Not really, it is just a work-around.
Anything that involves reaching into other projects' models is discouraged bad practice and, at the latest when isolated projects become a reality, will probably be problematic.
It would still be nice if you could simply configure a regex that is checked by the plugin in AbstractAnalyze#shouldBe* at execution time.