
snyk-gradle-plugin's Introduction

Getting started with the Snyk CLI

Introduction to Snyk and the Snyk CLI

Snyk is a developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities. Snyk scans multiple content types for security issues:

  • Snyk Open Source: Find and automatically fix open-source vulnerabilities
  • Snyk Code: Find and fix vulnerabilities in your application code in real time
  • Snyk Container: Find and fix vulnerabilities in container images and Kubernetes applications
  • Snyk Infrastructure as Code: Find and fix insecure configurations in Terraform and Kubernetes code

Learn more about what Snyk can do and sign up for a free account.

The Snyk CLI brings the functionality of Snyk into your development workflow. You can run the CLI locally from the command line or in an IDE. You can also run the CLI in your CI/CD pipeline. The following shows an example of Snyk CLI test command output.

(Screenshot: Snyk CLI test command output example)

Snyk CLI scanning supports many languages and tools. For detailed information, see the following:

This page explains how to install, authenticate, and start scanning using the CLI. Snyk also has an onboarding wizard to guide you through these steps. For a demonstration, view Starting with Snyk: an overview of the CLI onboarding flow.

Install the Snyk CLI and authenticate your machine

To use the CLI, you must install it and authenticate your machine. See Install or update the Snyk CLI and Authenticate the CLI with your account. You can refer to the release notes for a summary of changes in each release. Before scanning your code, review the Code execution warning for Snyk CLI.

Note: Before you can use the CLI for Open Source scanning, you must install your package manager. The needed third-party tools, such as Gradle or Maven, must be in the PATH.

You can use the CLI in your IDE or CI/CD environment. For details, see Install as part of a Snyk integration.

Test your installation

After authenticating, you can test your installation. For a quick test, run snyk --help.

Alternatively, you can perform a quick test on a public npm package, for example snyk test ionic.

Look at the test command report in your terminal. The report shows the vulnerabilities Snyk found in the package. For each issue found, Snyk reports the severity of the issue, provides a link to a detailed description, reports the path through which the vulnerable module got into your system, and provides guidance on how to fix the problem.

Scan your development Project

Note: Before using the Snyk CLI to test your Open Source Project for vulnerabilities, with limited exceptions, you must build your Project. For details, see Open Source Projects that must be built before testing.

In addition, depending on the language of your open-source Project, you may need to set up your language environment before using the Snyk CLI. For details, refer to Supported languages, frameworks, and feature availability overview.

After you have installed the CLI and authenticated your machine, to scan an open-source Project, use cd /my/project/ to change the current directory to a folder containing a supported package manifest file, such as package.json, pom.xml, or composer.lock. Then run snyk test. All vulnerabilities identified are listed, including their path and fix guidance.

To scan your source code run snyk code test.

You can scan a Docker image by its tag running, for example: snyk container test ubuntu:18.04.

To scan a Kubernetes (K8s) file run the following:
snyk iac test /path/to/kubernetes_file.yaml

For details about using the Snyk CLI to scan each content type, see the following:

Monitor your Open Source or Container Project

Snyk can monitor your Open Source or Container integrated SCM Project periodically and alert you to new vulnerabilities. To set up your Project to be monitored, run snyk monitor or snyk container monitor.

This creates a snapshot of your current dependencies so Snyk can regularly scan your code. Snyk can then alert you about newly disclosed vulnerabilities as they are introduced or when a previously unavailable patch or upgrade path is created. The following code shows an example of the output of the snyk monitor command.

> snyk monitor
Monitoring /project (project-name)...

Explore this snapshot at
https://app.snyk.io/org/my-org/project/29361c2c-9005-4692
-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e

Notifications about newly disclosed issues related to these
dependencies will be emailed to you.

You can log in to your Snyk account and navigate to the Projects page to find the latest snapshot and scan results:

(Screenshot: Snyk monitor snapshot and scan results)

For more information, see Monitor your Projects at regular intervals.

Running out of tests

Snyk allows unlimited tests for public repositories. If you are on the Free plan, you have a limited number of tests per month. Paid plans have unlimited tests on private and public repositories. If you are on the Free plan and notice that your test count is quickly being used, even with public repositories, you can remedy this by telling Snyk the public url of the repository that is being scanned by the Snyk CLI. This ensures that Snyk does not count a public repository towards the test limits.

If you run out of tests on an open-source Project, follow these steps:

  • Run snyk monitor.
  • Open the Snyk UI and navigate to the settings of the Project.
  • Enter the URL of your open-source repository in Git remote URL.

Additional information about the Snyk CLI

Run snyk help or see the CLI commands and options summary.

See the course Introduction to the Snyk CLI for a quick video training session.

Snyk also provides a cheat sheet (blog post) and a video tutorial.

In particular, see the information about the following options that you may find useful:

  • --severity-threshold=low|medium|high|critical: Report only vulnerabilities of the specified level or higher.
  • --json: Print results in JSON format.
  • --all-projects: Auto-detect all Projects in the working directory.

For detailed information about the CLI, see the CLI docs.
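The --severity-threshold and --json options combine naturally in a pipeline step that fails the build on findings at or above a chosen level and prints each issue's path and fix guidance. The following is an added example, not Snyk's own code; the JSON field names it reads (ok, vulnerabilities[].id, title, severity, from, upgradePath, isUpgradable) are assumed from observed snyk test --json output, and the sample result is constructed.

```typescript
type Severity = 'low' | 'medium' | 'high' | 'critical';

// Assumed shape of `snyk test --json` output (field names from observed CLI
// output, not from the docs page); only the fields used here are declared.
interface SnykVuln {
  id: string;
  title: string;
  severity: Severity;
  from: string[];                   // path through which the module got into the project
  upgradePath: (string | false)[];  // assumed: false means "this hop needs no change"
  isUpgradable: boolean;
}

interface SnykTestResult {
  ok: boolean;
  vulnerabilities: SnykVuln[];
}

const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Same rule as --severity-threshold: keep only issues at or above the given level.
export function filterBySeverity(result: SnykTestResult, threshold: Severity): SnykVuln[] {
  return result.vulnerabilities.filter(
    (v) => SEVERITY_RANK[v.severity] >= SEVERITY_RANK[threshold],
  );
}

// One line per issue: severity, id, the dependency path, and the fix guidance.
export function formatFinding(v: SnykVuln): string {
  // Last concrete version in the upgrade path is the one to move to.
  const target = v.upgradePath.filter((p): p is string => typeof p === 'string').pop();
  const fix = v.isUpgradable && target
    ? `upgrade to ${target}`
    : 'no upgrade path; pin, patch or replace the dependency';
  return `[${v.severity.toUpperCase()}] ${v.id} ${v.title} via ${v.from.join(' > ')}; ${fix}`;
}

// Exit code for a CI step: 0 when nothing reaches the threshold, 1 otherwise.
export function gate(json: string, threshold: Severity): { exitCode: number; lines: string[] } {
  const result = JSON.parse(json) as SnykTestResult;
  const findings = filterBySeverity(result, threshold);
  return { exitCode: findings.length === 0 ? 0 : 1, lines: findings.map(formatFinding) };
}

// Constructed sample (not a real scan result) in the assumed `snyk test --json` shape.
export const SAMPLE_JSON: string = JSON.stringify({
  ok: false,
  vulnerabilities: [
    {
      id: 'SNYK-EXAMPLE-0001', title: 'Prototype Pollution', severity: 'high',
      from: ['my-app@1.0.0', 'lodash@4.17.15'],
      upgradePath: [false, 'lodash@4.17.21'], isUpgradable: true,
    },
    {
      id: 'SNYK-EXAMPLE-0002', title: 'Regular Expression Denial of Service', severity: 'medium',
      from: ['my-app@1.0.0', 'express@4.16.0', 'ms@0.7.1'],
      upgradePath: [], isUpgradable: false,
    },
  ],
});

// Stand-alone run over the constructed sample; in CI the piped `snyk test --json`
// output would replace SAMPLE_JSON and report.exitCode would become the step's exit code.
const report = gate(SAMPLE_JSON, 'high');
report.lines.forEach((line) => console.log(line));
```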

Getting support for the Snyk CLI

Submit a ticket to Snyk support whenever you need help with the Snyk CLI or Snyk in general. Note that Snyk support does not actively monitor GitHub Issues on any Snyk development project.

Security

For any security issues or concerns, see the SECURITY.md file in the GitHub repository.

Snyk CLI is closed to contributions

Effective July 22, 2024, Snyk CLI will no longer accept external contributions.

Due to the CLI's extensive usage and intricate nature, even minor modifications can have unforeseen consequences. Since introducing release channels to our code in April 2024, our focus has been on stabilizing releases. We believe this open-source, closed-contribution model best serves this goal.

In the spirit of transparency to Snyk customers and CLI users, we will continue working in public. However, going forward, we are closed to contributions.

We appreciate and extend our gratitude to the Snyk community.

snyk-gradle-plugin's Issues

Feature request: Gradle configuration cache compatibility

Expected behaviour

Any configuration or plugin injected to gradle projects should be configuration cache compatible to ensure the snyk plugin does not become a developer productivity bottleneck.

Actual behaviour

Currently the init script that is injected causes issues with configuration cache enabled projects.

FAILURE: Build failed with an exception.

* Where:
Initialization script '/tmp/tmp-9973-iT3FzCHr8J4G--init.gradle' line: 308

* What went wrong:
Maximum number of configuration cache problems has been reached.
This behavior can be adjusted, see https://docs.gradle.org/7.5.1/userguide/configuration_cache.html#config_cache:usage:max_problems.

69 problems were found storing the configuration cache, 1 of which seems unique.
- Initialization script '/tmp/tmp-9973-iT3FzCHr8J4G--init.gradle': invocation of 'Task.project' at execution time is unsupported.
  See https://docs.gradle.org/7.5.1/userguide/configuration_cache.html#config_cache:requirements:use_project_during_execution

See the complete report at file:///home/**/project/build/reports/configuration-cache/**/configuration-cache-report.html
> Invocation of 'Task.project' by task ':snykResolvedDepsJson' at execution time is unsupported.

Steps to reproduce

Add the following to a gradle project's gradle.properties

org.gradle.unsafe.configuration-cache=true
org.gradle.unsafe.configuration-cache-problems=warn
org.gradle.unsafe.configuration-cache.max-problems=5

Invoke the snyk added tasks with the init script added.

DEBUG="foo" ./gradlew --init-script gradle/init.d/snyk.gradle -Pconfiguration=^prodReleaseRuntimeClasspath$ -PonlySubProject=app snykResolvedDepsJson --stacktrace

Workaround for CI builds

Add a sed command before invoking the snyk CLI to disable configuration caching.

sed -i"" -e "s/org.gradle.unsafe.configuration-cache=true/org.gradle.unsafe.configuration-cache=false/g" gradle.properties

Thinking out loud

As mentioned in #192 (comment) I think it is likely time the snyk gradle integration is reworked to use a full pre-published gradle plugin. This would allow testing via gradleTestKit and potentially being able to simplify the main snyk cli by relocating the invocation configuration to a gradle DSL checked in by the consumer.

Store gradle & java version meta on every plugin execution

Add more meta on every test run

In order to have better -d output in the CLI for support & to have a general idea of popular version of java & gradle that should be supported it would be good to save this data as meta on the plugin response.

Update the plugin to:

  • run the gradle -v command in the plugin before or after each test run
  • parse the output of it and set it as meta to be returned back with results
  • add a test to verify parsing is working as expected
  • add tests to assert this meta is being returned by the plugin
  • Snyk team to add the changes in the app UI to render the new meta on the project page

gradle -v

Gradle 4.10.2

Build time:   2018-09-19 18:10:15 UTC
Revision:     b4d8d5d170bb4ba516e88d7fe5647e2323d791dd

Kotlin DSL:   1.0-rc-6
Kotlin:       1.2.61
Groovy:       2.4.15
Ant:          Apache Ant(TM) version 1.9.11 compiled on March 23 2018
JVM:          10.0.1 ("Oracle Corporation" 10.0.1+10)
OS:           Mac OS X 10.13.2 x86_64

Returned Meta should match:

const pluginMeta = {
  meta: {
    gradle: '4.10.2',
    jvm: '10.0.1',
    os: 'Mac OS X 10.13.2 x86_64',
    groovy: '2.4.15',
  }
}

Please also consider Kotlin, so instead of groovy prop we can expect kotlin?
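A parser that turns the gradle -v output quoted above into the requested meta object, as an added example (not the plugin's code). It fills the expected gradle, jvm, os and groovy keys and, as the last comment asks, a kotlin key as well; the label-to-key mapping and the error for output without a version banner are this example's assumptions, and the sample text is constructed from the issue's own output.

```typescript
interface GradleMeta {
  gradle: string;
  jvm: string;
  os: string;
  groovy?: string;
  kotlin?: string;
}

// "Label:   value" lines that map to a meta key; every other label is ignored
// (assumed mapping; "Kotlin DSL", "Build time", "Revision" and "Ant" are dropped).
const LABEL_TO_KEY: Record<string, keyof GradleMeta> = {
  JVM: 'jvm',
  OS: 'os',
  Groovy: 'groovy',
  Kotlin: 'kotlin',
};

export function parseGradleVersionOutput(output: string): GradleMeta {
  const meta: Partial<GradleMeta> = {};
  for (const raw of output.split(/\r?\n/)) {
    const line = raw.trim();
    // The banner line "Gradle 4.10.2" carries the Gradle version itself.
    const banner = /^Gradle\s+(\S+)$/.exec(line);
    if (banner) {
      meta.gradle = banner[1];
      continue;
    }
    // Lazy label match stops at the first colon, so "Build time: 18:10:15 UTC" still splits correctly.
    const kv = /^([A-Za-z ]+?):\s+(.+)$/.exec(line);
    if (!kv) continue;
    const key: keyof GradleMeta | undefined = LABEL_TO_KEY[kv[1]];
    if (!key) continue;
    let value = kv[2].trim();
    // JVM line reads '10.0.1 ("Oracle Corporation" 10.0.1+10)'; keep only the version.
    if (key === 'jvm') value = value.split(/\s+/)[0];
    meta[key] = value;
  }
  if (!meta.gradle || !meta.jvm || !meta.os) {
    throw new Error('gradle -v output is missing the Gradle, JVM or OS line');
  }
  return meta as GradleMeta;
}

// Shape the issue expects the plugin to return alongside the dependency results.
export function buildPluginMeta(output: string): { meta: GradleMeta } {
  return { meta: parseGradleVersionOutput(output) };
}

// Constructed from the `gradle -v` output quoted in the issue (Gradle 4.10.2 on macOS).
export const SAMPLE_GRADLE_V: string = [
  'Gradle 4.10.2',
  '',
  'Build time:   2018-09-19 18:10:15 UTC',
  'Revision:     b4d8d5d170bb4ba516e88d7fe5647e2323d791dd',
  '',
  'Kotlin DSL:   1.0-rc-6',
  'Kotlin:       1.2.61',
  'Groovy:       2.4.15',
  'Ant:          Apache Ant(TM) version 1.9.11 compiled on March 23 2018',
  'JVM:          10.0.1 ("Oracle Corporation" 10.0.1+10)',
  'OS:           Mac OS X 10.13.2 x86_64',
].join('\n');

console.log(JSON.stringify(buildPluginMeta(SAMPLE_GRADLE_V), null, 2));
```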

Prefer using Gradle Wrapper when it is available

Node: v12.16.3
NPM: 6.14.4
Snyk: 1.330.2

When scanning a Gradle project, if a gradlew/gradlew.bat is present it should be given preference over a system installation of Gradle. The gradle wrapper will ensure that the correct version of Gradle for the current project is downloaded if needed and then executed.

SnykMergedDepsConf error when using Shadow plugin v6.0.0

node -v: v14.5.0
npm -v: 6.14.7
snyk -v: 1.366.0
gradle -v: 6.5.1

Command run: snyk test

Expected behaviour

When running with com.github.johnrengelman.shadow plugin version 5.2.0

✓ Tested 335 dependencies for known issues, no vulnerable paths found.

Actual behaviour

When running with com.github.johnrengelman.shadow plugin version 6.0.0

Gradle Error (short):
> Could not resolve all dependencies for configuration ':pleo-phobos-app:snykMergedDepsConf'.
   > Could not resolve project :pleo-phobos-rest.
      > The consumer was configured to find a component compatible with Java 8, packaged as a jar, as well as attribute 'artifactType' with value 'script-files-extensions'. However we cannot choose between the following variants of project :pleo-phobos-rest:

===== DEBUG INFORMATION START =====
gradle command: '/Users/marc/Documents/repositories/phobos/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -PonlySubProject=pleo-phobos-app -I /var/folders/sh/_49nr_710f1fnhkx19rsjxx40000gn/T/tmp-38647-9w5u3qHbdit7--init.gradle

------------------------------------------------------------
Gradle 6.5.1
------------------------------------------------------------

Build time:   2020-06-30 06:32:47 UTC
Revision:     66bc713f7169626a7f0134bf452abde51550ea0a

Kotlin:       1.3.72
Groovy:       2.5.11
Ant:          Apache Ant(TM) version 1.10.7 compiled on September 1 2019
JVM:          11.0.2 (Oracle Corporation 11.0.2+9)
OS:           Mac OS X 10.15.4 x86_64



>>> command: '/Users/marc/Documents/repositories/phobos/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -PonlySubProject=pleo-phobos-app -I /var/folders/sh/_49nr_710f1fnhkx19rsjxx40000gn/T/tmp-38647-9w5u3qHbdit7--init.gradle
>>> exit code: 1
>>> stdout:
SNYKECHO snykResolvedDepsJson task is executing via doLast
JSONATTRS {"org.gradle.usage":["kotlin-api","java-runtime","java-api"],"org.gradle.libraryelements":["jar"],"org.gradle.dependency.bundling":["external","embedded"],"org.gradle.category":["library","documentation"],"org.jetbrains.kotlin.platform.type":["jvm","common"],"org.jetbrains.kotlin.localToProject":["local to :pleo-phobos-app","local to :pleo-phobos-rest"],"artifactType":["script-files-extensions"],"org.gradle.jvm.version":["8"],"org.gradle.docstype":["javadoc","sources"]}
SNYKECHO processing project: pleo-phobos-app
SNYKECHO constructing merged configuration from [-api, -runtime, annotationProcessor, api, apiDependenciesMetadata, apiElements, archives, bootArchives, compile, compileClasspath, compileOnly, compileOnlyDependenciesMetadata, default, developmentOnly, implementation, implementationDependenciesMetadata, jacocoAgent, jacocoAnt, kotlinCompilerClasspath, kotlinCompilerPluginClasspath, kotlinNativeCompilerPluginClasspath, kotlinScriptDef, kotlinScriptDefExtensions, productionRuntimeClasspath, runtime, runtimeClasspath, runtimeElements, runtimeOnly, runtimeOnlyDependenciesMetadata, sourceArtifacts, testAnnotationProcessor, testApi, testApiDependenciesMetadata, testCompile, testCompileClasspath, testCompileOnly, testCompileOnlyDependenciesMetadata, testImplementation, testImplementationDependenciesMetadata, testKotlinScriptDef, testKotlinScriptDefExtensions, testRuntime, testRuntimeClasspath, testRuntimeOnly, testRuntimeOnlyDependenciesMetadata]
SNYKECHO resolving configuration snykMergedDepsConf

>>> stderr:

FAILURE: Build failed with an exception.

* Where:
Initialization script '/var/folders/sh/_49nr_710f1fnhkx19rsjxx40000gn/T/tmp-38647-9w5u3qHbdit7--init.gradle' line: 258

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not resolve all dependencies for configuration ':pleo-phobos-app:snykMergedDepsConf'.
   > Could not resolve project :pleo-phobos-rest.
     Required by:
         project :pleo-phobos-app
      > The consumer was configured to find a component compatible with Java 8, packaged as a jar, as well as attribute 'artifactType' with value 'script-files-extensions'. However we cannot choose between the following variants of project :pleo-phobos-rest:
          - compile
          - default
          - runtime
          - testCompile
          - testRuntime
        All of them match the consumer attributes:
          - Variant 'compile' capability pleo-io.phobos:pleo-phobos-rest:5.2.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides attribute 'org.jetbrains.kotlin.localToProject' with value 'local to :pleo-phobos-rest' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'default' capability pleo-io.phobos:pleo-phobos-rest:5.2.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides attribute 'org.jetbrains.kotlin.localToProject' with value 'local to :pleo-phobos-rest' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'runtime' capability pleo-io.phobos:pleo-phobos-rest:5.2.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides attribute 'org.jetbrains.kotlin.localToProject' with value 'local to :pleo-phobos-rest' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'testCompile' capability pleo-io.phobos:pleo-phobos-rest:5.2.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides attribute 'org.jetbrains.kotlin.localToProject' with value 'local to :pleo-phobos-rest' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'testRuntime' capability pleo-io.phobos:pleo-phobos-rest:5.2.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its target Java version (required compatibility with Java 8)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides attribute 'org.jetbrains.kotlin.localToProject' with value 'local to :pleo-phobos-rest' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
        The following variants were also considered but didn't match the requested attributes:
          - Variant 'apiElements' capability pleo-io.phobos:pleo-phobos-rest:5.2.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8
              - Other compatible attribute:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
          - Variant 'runtimeElements' capability pleo-io.phobos:pleo-phobos-rest:5.2.0 declares a component, packaged as a jar:
              - Incompatible because this component declares a component compatible with Java 11 and the consumer needed a component compatible with Java 8
              - Other compatible attribute:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 10s


===== DEBUG INFORMATION END =====

Error running Gradle dependency analysis.

Please ensure you are calling the `snyk` command with correct arguments.
If the problem persists, contact [email protected], providing the full error
message from above, starting with ===== DEBUG INFORMATION START =====.

Steps to reproduce

plugins {
    id "application"
    // upgrade shadow to 6.0.0 will make snyk explode...
    id "com.github.johnrengelman.shadow" version "5.2.0"
}

If applicable, please append the --debug flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.

snyk-gradle-plugin 3.22.1 breaks --sub-project in some scenarios

Running snyk test --sub-project=X --configuration-matching='^Y$', if configuration Y exists in subproject X but not other subprojects, errors out with Matching configurations ^Y$ were not found.

I believe this was introduced in 79a8a08. There's a codepath under task snykResolvedDepsJson which invokes findMatchingConfigs on all subprojects even if a --sub-project filter is specified. And if the filter fails to match any configurations in any subproject, the exception is thrown.

An easy way to reproduce this: create a standard Android project with the app subproject, add a pure java subproject to it - which will lack Android-specific configurations - and run

snyk test --sub-project=app --configuration-matching='^releaseRuntimeClasspath$' --configuration-attributes='buildtype:release,usage:java-runtime'

Gradle 8 compatibility

1: Task failed with an exception.
-----------
* Where:
Initialization script '/tmp/tmp-2284-TKGuWiIRYoDC--init.gradle' line: 296
* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not find method debugLog() for arguments [snykResolvedDepsJson task is executing via doLast] on task
':snykResolvedDepsJson' of type org.gradle.api.DefaultTask.

The integration runs fine with 7.6, but fails with the above using 8-rc-2.

P.S. Using Gradle's logger would be more idiomatic.

Use gradle wrapper from root project when starting snyk cli in a sub project directory

If one executes snyk in a directory of a gradle sub project snyk won't use the gradle wrapper but falls back to the system gradle. Our CI system has no gradle installed and fails in these situations. The only workaround is to call snyk from the project root and set either the subproject name with --sub-project or the path to the build.gradle file with --file.

Expected behaviour

The snyk cli should check for a settings.gradle file in the current directory and if this can't be found walk up the file hierarchy until it finds one. Every gradle project should have a settings.gradle file and this file declares the project root. If this location has been found, the cli should check for a gradle wrapper in that directory and use it.

Actual behaviour

The snyk cli only checks in the current directory for the gradle wrapper and falls back to plain gradle if it can not be found.

See the code in question which only works when snyk cli is executed at project root.

import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

function getCommand(root: string, targetFile: string) {
  const isWinLocal = /^win/.test(os.platform()); // local check, can be stubbed in tests
  const quotLocal = isWinLocal ? '"' : "'";
  const wrapperScript = isWinLocal ? 'gradlew.bat' : './gradlew';
  // try to find a sibling wrapper script first
  let pathToWrapper = path.resolve(
    root,
    path.dirname(targetFile),
    wrapperScript,
  );
  if (fs.existsSync(pathToWrapper)) {
    return quotLocal + pathToWrapper + quotLocal;
  }
  // now try to find a wrapper in the root
  pathToWrapper = path.resolve(root, wrapperScript);
  if (fs.existsSync(pathToWrapper)) {
    return quotLocal + pathToWrapper + quotLocal;
  }
  return 'gradle';
}
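The lookup the expected behaviour describes, as an added example rather than the plugin's code: walk up from the scan directory until a settings.gradle or settings.gradle.kts marks the project root, then prefer the wrapper found there over a system gradle. The injected exists predicate and the isWin parameter are this example's assumptions so the lookup can be exercised against a constructed directory layout without touching the filesystem.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Either settings file marks a Gradle project root.
const SETTINGS_FILES = ['settings.gradle', 'settings.gradle.kts'];

type Exists = (p: string) => boolean;

// Nearest directory at or above startDir that contains a settings file, or null
// when the filesystem root is reached without finding one.
export function findGradleRoot(startDir: string, exists: Exists = fs.existsSync): string | null {
  let dir = path.resolve(startDir);
  for (;;) {
    if (SETTINGS_FILES.some((f) => exists(path.join(dir, f)))) return dir;
    const parent = path.dirname(dir);
    if (parent === dir) return null; // path.dirname('/') === '/'
    dir = parent;
  }
}

// Quoted wrapper path when a wrapper exists in the scan directory or the project
// root, otherwise the bare 'gradle' fallback the current code uses.
export function getGradleCommand(
  scanDir: string,
  exists: Exists = fs.existsSync,
  isWin: boolean = /^win/.test(os.platform()),
): string {
  const quot = isWin ? '"' : "'";
  const wrapper = isWin ? 'gradlew.bat' : 'gradlew';
  // Most specific location first: the scan directory, then the settings.gradle root.
  const candidates = [path.resolve(scanDir)];
  const root = findGradleRoot(scanDir, exists);
  if (root && root !== candidates[0]) candidates.push(root);
  for (const dir of candidates) {
    const wrapperPath = path.join(dir, wrapper);
    if (exists(wrapperPath)) return quot + wrapperPath + quot;
  }
  return 'gradle';
}

// Constructed layout: a multi-project build whose wrapper lives only at the root.
export const FAKE_FILES = new Set<string>([
  '/repo/settings.gradle',
  '/repo/gradlew',
  '/repo/build.gradle',
  '/repo/app/build.gradle',
]);
export const fakeExists: Exists = (p) => FAKE_FILES.has(p);

console.log(getGradleCommand('/repo/app', fakeExists, false)); // wrapper from the root
console.log(getGradleCommand('/elsewhere', fakeExists, false)); // no project: 'gradle'
```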

Kotlin project: Could not resolve dependencies for configuration

We use the kotlin and kotlin MMP plugins. The defined dependencies make heavy use of the metadata model for dependencies which needs to set the attributes to select the right dependency at the configurations. Kotlin defines multiple values for attributes! This set is not copied to the merged configuration by your init.gradle script.

Context is this ticket: https://support.snyk.io/hc/requests/7457

  • node -v: v12.10.0
  • npm -v: 6.10.3
  • snyk -v: 1.373.0
  • gradle -v:

Gradle 6.7

Build time: 2020-10-14 16:13:12 UTC
Revision: 312ba9e0f4f8a02d01854d1ed743b79ed996dfd3

Kotlin: 1.3.72
Groovy: 2.5.12
Ant: Apache Ant(TM) version 1.10.8 compiled on May 10 2020
JVM: 1.8.0_272 (AdoptOpenJDK 25.272-b10)
OS: Mac OS X 10.15.7 x86_64

  • Command run: snyk test --file=build.gradle.kts --package-manager=gradle --all-sub-projects

Expected behaviour

Select the right dependency as the normal build does!

Actual behaviour

Fails because of:

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not resolve all dependencies for configuration ':service:snykMergedDepsConf'.
   > Could not resolve net.pearx.kasechange:kasechange:1.3.0.
     Required by:
         project :service
      > The consumer was configured to find a library, packaged as a jar, and its dependencies declared externally, as well as attribute 'artifactType' with value 'script-files-extensions'. However we cannot choose between the following variants of net.pearx.kasechange:kasechange:1.3.0:
          - android-debugApiElements
          - android-debugRuntimeElements
          - android-releaseApiElements
          - android-releaseRuntimeElements
          - androidNativeArm32-api
          - androidNativeArm64-api
          - iosArm32-api
          - iosArm64-api
          - iosX64-api
          - js-api
          - js-runtime
          - jvm-api
          - jvm-runtime
          - linuxArm32Hfp-api
          - linuxArm64-api
          - linuxMips32-api
          - linuxMipsel32-api
          - linuxX64-api
          - macosX64-api
          - metadata-api
          - mingwX64-api
          - mingwX86-api
          - tvosArm64-api
          - tvosX64-api
          - wasm32-api
          - watchosArm32-api
          - watchosArm64-api
          - watchosX86-api
        All of them match the consumer attributes:
          - Variant 'android-debugApiElements' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.gradle.internal.dependency.AndroidTypeAttr' with value 'Aar' but the consumer didn't ask for it
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides an API but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm' but the consumer didn't ask for it
          - Variant 'android-debugRuntimeElements' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.gradle.internal.dependency.AndroidTypeAttr' with value 'Aar' but the consumer didn't ask for it
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a runtime but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm' but the consumer didn't ask for it
          - Variant 'android-releaseApiElements' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.gradle.internal.dependency.AndroidTypeAttr' with value 'Aar' but the consumer didn't ask for it
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides an API but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm' but the consumer didn't ask for it
          - Variant 'android-releaseRuntimeElements' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.gradle.internal.dependency.AndroidTypeAttr' with value 'Aar' but the consumer didn't ask for it
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a runtime but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm' but the consumer didn't ask for it
          - Variant 'androidNativeArm32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'android_arm32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'androidNativeArm64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'android_arm64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'iosArm32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'ios_arm32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'iosArm64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'ios_arm64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'iosX64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'ios_x64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'js-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'js' but the consumer didn't ask for it
          - Variant 'js-runtime' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-runtime' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'js' but the consumer didn't ask for it
          - Variant 'jvm-api' capability net.pearx.kasechange:kasechange:1.3.0 declares a component, packaged as a jar:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Provides release status but the consumer didn't ask for it
                  - Provides an API but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'jvm-runtime' capability net.pearx.kasechange:kasechange:1.3.0 declares a component, packaged as a jar:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a runtime but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it
          - Variant 'linuxArm32Hfp-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'linux_arm32_hfp' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'linuxArm64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'linux_arm64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'linuxMips32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'linux_mips32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'linuxMipsel32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'linux_mipsel32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'linuxX64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'linux_x64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'macosX64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'macos_x64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'metadata-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'common' but the consumer didn't ask for it
          - Variant 'mingwX64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'mingw_x64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'mingwX86-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'mingw_x86' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'tvosArm64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'tvos_arm64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'tvosX64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'tvos_x64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'wasm32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'wasm32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'watchosArm32-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'watchos_arm32' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'watchosArm64-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'watchos_arm64' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it
          - Variant 'watchosX86-api' capability net.pearx.kasechange:kasechange:1.3.0:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Doesn't say anything about its elements (required them packaged as a jar)
                  - Provides release status but the consumer didn't ask for it
                  - Provides a usage of 'kotlin-api' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.native.target' with value 'watchos_x86' but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'native' but the consumer didn't ask for it

Steps to reproduce

Set up a Kotlin project with the dependency net.pearx.kasechange:kasechange:1.3.0. It will break.


The debug shows the problem:

SNYKECHO snykResolvedDepsJson task is executing via doLast
JSONATTRS {"org.gradle.category":["library"],"org.gradle.dependency.bundling":["external"],"org.gradle.usage":["kotlin-api","java-runtime","java-api"],"org.gradle.libraryelements":["classes","jar"],"org.jetbrains.kotlin.platform.type":["jvm","common","js"],"org.jetbrains.kotlin.localToProject":["public","local to :service"],"org.gradle.jvm.version":["8"],"artifactType":["script-files-extensions"]}

IMPORTANT: "org.jetbrains.kotlin.platform.type":["jvm","common","js"]

and in the gradle error:

 - Variant 'jvm-api' capability net.pearx.kasechange:kasechange:1.3.0 declares a component, packaged as a jar:
              - Unmatched attributes:
                  - Doesn't say anything about artifactType (required 'script-files-extensions')
                  - Doesn't say anything about its component category (required a library)
                  - Doesn't say anything about how its dependencies are found (required its dependencies declared externally)
                  - Provides release status but the consumer didn't ask for it
                  - Provides an API but the consumer didn't ask for it
                  - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it

IMPORTANT: - Provides attribute 'org.jetbrains.kotlin.platform.type' with value 'jvm' but the consumer didn't ask for it

The problem is inside the init.gradle script at line 245:

// Copy all the unambiguous build attributes into the merged configuration
// Gradle before version 3 does not support attributes
if (snykConf.hasProperty('attributes')) {
   allConfigurationAttributes.each({ attr, valueSet ->
      if (valueSet.size() == 1) {
         snykConf.attributes.attribute(attr, valueSet.head())
      }
   })
}

If these lines are replaced with the code beneath, all attributes are copied and it works.

// Copy all the unambiguous build attributes into the merged configuration
// Gradle before version 3 does not support attributes
if (snykConf.hasProperty('attributes')) {
   allConfigurationAttributes.each({ attr, valueSet ->
      valueSet.each { attValue ->
         snykConf.attributes.attribute(attr, attValue)
      }
   })
}

Please do not delete unambiguous build attributes
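The merge logic of the two init.gradle snippets above, modelled in JavaScript as an added example (not code from snyk-gradle-plugin or from the reporter): a plain Map stands in for Gradle's AttributeContainer, which likewise holds one value per attribute key, and the input is the JSONATTRS map from the debug output above, in the order it was printed. Function names are mine.

```javascript
// Constructed from the JSONATTRS line in the debug output: attribute -> every value
// seen for it across the project's configurations.
const allConfigurationAttributes = {
  'org.gradle.category': ['library'],
  'org.gradle.dependency.bundling': ['external'],
  'org.gradle.usage': ['kotlin-api', 'java-runtime', 'java-api'],
  'org.gradle.libraryelements': ['classes', 'jar'],
  'org.jetbrains.kotlin.platform.type': ['jvm', 'common', 'js'],
  'org.jetbrains.kotlin.localToProject': ['public', 'local to :service'],
  'org.gradle.jvm.version': ['8'],
  'artifactType': ['script-files-extensions'],
};

// Original logic (init.gradle line 245): copy an attribute only when it has exactly
// one value across all configurations; multi-valued attributes are dropped.
function mergeUnambiguous(attrs) {
  const conf = new Map(); // stands in for snykConf.attributes
  for (const [attr, valueSet] of Object.entries(attrs)) {
    if (valueSet.length === 1) conf.set(attr, valueSet[0]);
  }
  return conf;
}

// Proposed change from the issue: call attribute(attr, value) for every value.
// A one-value-per-key container overwrites on each call, so the last value wins.
function mergeAll(attrs) {
  const conf = new Map();
  for (const [attr, valueSet] of Object.entries(attrs)) {
    for (const v of valueSet) conf.set(attr, v);
  }
  return conf;
}

// Attributes that were seen across configurations but are absent after merging.
function droppedAttributes(attrs, merged) {
  return Object.keys(attrs).filter((a) => !merged.has(a));
}

function main() {
  const original = mergeUnambiguous(allConfigurationAttributes);
  const looped = mergeAll(allConfigurationAttributes);
  console.log('dropped by the original merge:',
    droppedAttributes(allConfigurationAttributes, original));
  console.log('platform.type after the looping merge:',
    looped.get('org.jetbrains.kotlin.platform.type'));
}
main();
```

With a one-value-per-key container the looping variant does not keep all three platform types; it ends up with whichever value the loop visits last, so the merged configuration still carries a single, now arbitrary, value for every multi-valued attribute.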

Task 'snykResolvedDepsJson' not found

  • node -v:
    v11.10.0

  • npm -v:
    6.7.0

  • snyk -v:
    1.143.0

  • Command run:

Expected behaviour

(Running on my own project, with snyk v1.130.0)

Tested 212 dependencies for known issues, found 1 issue, 1 vulnerable path.

Actual behaviour

FAILURE: Build failed with an exception.

* What went wrong:
Task 'snykResolvedDepsJson' not found in project ':myproject'.

* Try:
Run gradlew tasks to get a list of available tasks. Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 5s

Steps to reproduce

Upgrade to the latest Snyk version and run snyk test


I suspect this was introduced with https://github.com/snyk/snyk/releases/tag/v1.142.0, specifically this commit 04cf66d

Docs: Clarify usage of plugin is not to be used as standalone

Add the following section in README.md to clarify that the plugin is not to be used as standalone, but instead the Snyk CLI would need to be used:

ℹ️ This repository is only a plugin to be used with the Snyk CLI tool. To use this plugin to test and fix vulnerabilities in your project, install the Snyk CLI tool first. Head over to snyk.io to get started.

Gradle transitive dependencies affect auto-fixable

  • gradle version: 6.4.1
  • snyk -v: 1.511.0 (standalone)
  • OS: macOS Catalina
  • Command run: snyk test --fail-on=all

Expected behaviour

The log doesn't contain transitive dependencies inside the Issues to fix by upgrading

Actual behaviour

The log contains transitive dependencies inside the Issues to fix by upgrading

Why is it happening? I had some 1.3.* Snyk CLI version before and it was fine; all the transitive/deep dependencies were inside the different blocks and the command returned 0.

Yes, we're vulnerable through transitive dependencies, but we shouldn't update these kinds of dependencies on our side by explicitly declaring child deps, thus these are not auto-fixable.

Example

One transitive is upgradable and another is not.

Gradle file:

dependencies {
    implementation 'org.openapitools:openapi-generator-gradle-plugin:5.0.0'
}
Issues to fix by upgrading:

  Upgrade com.google.guava:[email protected] to com.google.guava:[email protected] to fix
  ✗ Information Disclosure [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415] in com.google.guava:[email protected]
    introduced by com.google.guava:[email protected]


Issues with no direct upgrade or patch:
  ✗ Information Exposure [Low Severity][https://snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518] in commons-codec:[email protected]
    introduced by org.apache.httpcomponents:[email protected] > commons-codec:[email protected]
  This issue was fixed in versions: 1.13

Where guava and httpclient are both transitive relative to the current Gradle module, but Snyk considers them different species.

UPD.

Just tried with 1.240.1 -> no transitives in autofixable

This is a duplicate of https://github.com/snyk/snyk/issues/1776; sorry I opened it here, as I really need an explanation here, it affects pipeline creation. I'd like to create a pipeline that wouldn't fail on vulnerabilities in transitives but would just inform about them.

Java supported versions in README

I'm working on our docs_needed support tickets and we have a client who's using Java 14 and was unaware that it was unsupported. Can we add that row to our supported version table in the README for this repo?

Gradle, if annotationProcessor is used then only those dependencies are being analysed

  • node -v: 9.11.1
  • npm -v: 5.10.0
  • snyk -v: 1.108.2
  • Command run: snyk test

Expected behaviour

Expecting snyk to ignore annotationProcessor dependencies or to add those dependencies to the others found in the project.

Actual behaviour

Only annotationProcessor dependencies are being analysed (in my case it's only lombok)

Steps to reproduce

Simply execute snyk test in project root directory.

Additional info

In my humble opinion the root cause of the issue is in the filters (only the first 'configuration' is being used for analysis):

.reduce(function (acc, element) {

Sample ./gradlew dependencies output:

> Task :dependencies

------------------------------------------------------------
Root project
------------------------------------------------------------

annotationProcessor - Annotation processors and their dependencies for source set 'main'.
\--- org.projectlombok:lombok -> 1.18.2

apiElements - API elements for main. (n)
No dependencies

archives - Configuration for archive artifacts.
No dependencies

bootArchives - Configuration for Spring Boot archive artifacts.
No dependencies

compile - Dependencies for source set 'main' (deprecated, use 'implementation' instead).
No dependencies

compileClasspath - Compile classpath for source set 'main'.
+--- com.github.ben-manes.caffeine:caffeine -> 2.6.2
+--- com.github.kstyrc:embedded-redis -> 0.6
|    +--- com.google.guava:guava:18.0 -> 25.0-jre
|    |    +--- com.google.code.findbugs:jsr305:1.3.9 -> 3.0.2
|    |    +--- org.checkerframework:checker-compat-qual:2.0.0
|    |    +--- com.google.errorprone:error_prone_annotations:2.1.3
|    |    +--- com.google.j2objc:j2objc-annotations:1.1
|    |    \--- org.codehaus.mojo:animal-sniffer-annotations:1.14
|    \--- commons-io:commons-io:2.4 -> 2.6
+--- com.google.code.findbugs:jsr305 -> 3.0.2

--debug output

  snyk test { _: [ [Circular] ], debug: true } +0ms
  snyk no file specified. Trying to autodetect in base folder <path_to_base_project_dir> +0ms
  snyk found package file build.gradle in <path_to_base_project_dir> +1ms
  snyk analytics add local true +0ms
  snyk found package file build.gradle in <path_to_base_project_dir> +3ms
  snyk analytics add policies 1 +19sbuild.gradle
  snyk analytics add packageManager gradle +0ms
  snyk analytics add packageName XXX +0ms
  snyk analytics add packageVersion 0.0.0 +0ms
  snyk analytics add package [email protected] +0ms
  snyk sending request to: https://snyk.io/api/v1/vuln/gradle +0ms
  snyk request body size: 188 +0ms
  snyk gzipped request body size: 135 +0ms
  snyk analytics add payloadSize 188 +4ms
  snyk analytics add gzippedPayloadSize 135 +0ms
  snyk not using proxy +1ms
  snyk analytics add vulns-pre-policy 0 +692ms
  snyk analytics add vulns 0 +4ms

Testing <path_to_base_project_dir>...

Organisation:      XXX
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <path_to_base_project_dir>
Licenses:          enabled

✓ Tested 1 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
  snyk analytics { args: [ { debug: true, org: undefined, showVulnPaths: true } ],
  command: 'test',
  metadata: 
   { local: true,
     policies: 1,
     packageManager: 'gradle',
     packageName: 'XXX',
     packageVersion: '0.0.0',
     package: '[email protected]',
     payloadSize: 188,
     gzippedPayloadSize: 135,
     'vulns-pre-policy': 0,
     vulns: 0 },
  version: '1.108.2',
  os: 'macOS High Sierra',
  nodeVersion: 'v9.11.1',
  id: '---',
  ci: false,
  durationMs: 19423 } +3ms
  snyk sending request to: https://snyk.io/api/v1/analytics/cli +699ms
  snyk request body size: 433 +0ms
  snyk gzipped request body size: 295 +0ms
  snyk not using proxy +0ms
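
The `gradlew dependencies` text shown above is the raw material a scanner has to turn into a dependency graph: each `+---`/`\---` line is one node, its column depth is its position in the tree, and `a:b:1.0 -> 2.0` means the declared version was overridden by conflict resolution. The following TypeScript (the plugin's own language) is an added example, not code from the plugin or this page: it parses that format into a per-configuration tree and flattens it to the set of resolved coordinates a vulnerability check would test. `DepNode`, `parseGradleDependencies` and `flattenResolved` are names chosen for the example; `SAMPLE_OUTPUT` is the annotationProcessor, apiElements and compileClasspath sections copied from the output above.

```typescript
// Added example (not the plugin's own code): parse the text that
// `gradlew dependencies` prints into a per-configuration tree of resolved
// coordinates. All names below are this example's own.

interface DepNode {
  group: string;
  name: string;
  requested: string | null; // version declared in the build, when printed
  resolved: string;         // version Gradle actually selected ('' if none printed)
  omitted: boolean;         // '(*)' marker: subtree was already printed earlier
  children: DepNode[];
}

interface ConfigurationGraph {
  configuration: string;
  dependencies: DepNode[];
}

// A dependency line is N five-character columns ('|    ' or '     ')
// followed by '+--- ' or '\--- ' and the coordinate; N is the depth.
const DEP_LINE = /^((?:[| ] {4})*)[+\\]--- (.+)$/;
// Configuration headers look like "compileClasspath - Compile classpath ...".
const HEADER_LINE = /^([A-Za-z][\w-]*) - /;
// Trailing markers: (*) printed before, (c) constraint, (n) not resolved.
const MARKER = /\s\((\*|c|n)\)$/;

function parseCoordinate(text: string): DepNode {
  let s = text.replace(/\s+$/, '');
  let omitted = false;
  for (let m = MARKER.exec(s); m !== null; m = MARKER.exec(s)) {
    if (m[1] === '*') omitted = true;
    s = s.slice(0, s.length - m[0].length);
  }
  let requestedPart = s;
  let resolved: string | null = null;
  const arrow = s.indexOf(' -> ');
  if (arrow >= 0) {
    requestedPart = s.slice(0, arrow);
    resolved = s.slice(arrow + 4);
  }
  // 'project :sub' entries point at another project of the same build.
  if (requestedPart.indexOf('project ') === 0) {
    return { group: 'project', name: requestedPart.slice(8), requested: null,
             resolved: resolved === null ? '' : resolved, omitted, children: [] };
  }
  const parts = requestedPart.split(':');
  if (parts.length < 2) throw new Error(`unrecognised coordinate: ${text}`);
  const requested = parts.length > 2 ? parts[2] : null;
  // Declared-but-unresolved configurations may print no version at all.
  const version = resolved !== null ? resolved : requested !== null ? requested : '';
  return { group: parts[0], name: parts[1], requested, resolved: version, omitted, children: [] };
}

function parseGradleDependencies(output: string): ConfigurationGraph[] {
  const graphs: ConfigurationGraph[] = [];
  let current: ConfigurationGraph | null = null;
  let stack: DepNode[] = []; // stack[d] = most recent node seen at depth d
  const lines = output.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].replace(/\s+$/, '');
    const header = HEADER_LINE.exec(line);
    if (header !== null) {
      current = { configuration: header[1], dependencies: [] };
      graphs.push(current);
      stack = [];
      continue;
    }
    const dep = DEP_LINE.exec(line);
    if (dep === null || current === null) continue; // banners, 'No dependencies', blanks
    const depth = dep[1].length / 5;
    const node = parseCoordinate(dep[2]);
    stack.length = depth; // leave the previous, deeper branch
    if (depth === 0) {
      current.dependencies.push(node);
    } else {
      const parent = stack[depth - 1];
      if (parent === undefined) throw new Error(`orphan dependency at line ${i + 1}: ${line}`);
      parent.children.push(node);
    }
    stack[depth] = node;
  }
  return graphs;
}

// Unique resolved coordinates of one configuration: the set a scanner tests.
function flattenResolved(graph: ConfigurationGraph): string[] {
  const seen: { [coord: string]: boolean } = {};
  const out: string[] = [];
  const visit = (node: DepNode): void => {
    const coord = `${node.group}:${node.name}@${node.resolved}`;
    if (!seen[coord]) { seen[coord] = true; out.push(coord); }
    for (const child of node.children) visit(child);
  };
  for (const dep of graph.dependencies) visit(dep);
  return out;
}

// Three sections copied from the gradlew dependencies output above.
const SAMPLE_OUTPUT = [
  "annotationProcessor - Annotation processors and their dependencies for source set 'main'.",
  '\\--- org.projectlombok:lombok -> 1.18.2',
  '',
  'apiElements - API elements for main. (n)',
  'No dependencies',
  '',
  "compileClasspath - Compile classpath for source set 'main'.",
  '+--- com.github.ben-manes.caffeine:caffeine -> 2.6.2',
  '+--- com.github.kstyrc:embedded-redis -> 0.6',
  '|    +--- com.google.guava:guava:18.0 -> 25.0-jre',
  '|    |    +--- com.google.code.findbugs:jsr305:1.3.9 -> 3.0.2',
  '|    |    +--- org.checkerframework:checker-compat-qual:2.0.0',
  '|    |    +--- com.google.errorprone:error_prone_annotations:2.1.3',
  '|    |    +--- com.google.j2objc:j2objc-annotations:1.1',
  '|    |    \\--- org.codehaus.mojo:animal-sniffer-annotations:1.14',
  '|    \\--- commons-io:commons-io:2.4 -> 2.6',
  '+--- com.google.code.findbugs:jsr305 -> 3.0.2',
].join('\n');
```

Note that flattening keeps the resolved version, not the requested one: guava is declared as 18.0 by embedded-redis but 25.0-jre is what ends up on the classpath, and that is the version whose advisories matter. The `(*)` marker only tells the parser that Gradle elided an already-printed subtree, so a node flagged `omitted` still contributes its own coordinate.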

build.gradle file is read but no dependency is found

  • gradle -v: 4.7

  • node -v: v8.11.3

  • npm -v: 5.6.0

  • snyk -v: 1.89.1

  • Command run:
    snyk test (from project root where build.gradle is)
    and
    snyk test --file=/path/to/build.gradle

Expected behaviour

Organisation: censored
Package manager: gradle
Target file: build.gradle
Open source: no
Project path: /path

✓ Tested X dependencies for known vulnerabilities, {actual analysis results of dependencies}

Actual behaviour (snyk test --debug)

Organisation:    *censored*
Package manager: gradle
Target file:     build.gradle
Open source:     no
Project path:    /path

✓ Tested 0 dependencies for known vulnerabilities, no vulnerable paths found.

 snyk analytics { command: 'test',
  args: [ { debug: true, org: undefined, showVulnPaths: true } ],
  metadata: 
   { local: true,
     policies: 1,
     packageManager: 'gradle',
     packageName: '*censored*',
     packageVersion: '0.0.0',
     package: '*censored*@0.0.0',
     payloadSize: 128,
     gzippedPayloadSize: 116,
     'vulns-pre-policy': 0,
     vulns: 0 },
  version: '1.89.1',
  os: 'macOS Sierra',
  nodeVersion: 'v8.11.3',
  id: 'bbecc862ba8d8ee5feeee1ec631d444a94672aba',
  ci: false,
  durationMs: 2195 } +5ms
  snyk sending request to: https://snyk.io/api/v1/analytics/cli +730ms
  snyk request body size: 440 +0ms
  snyk gzipped request body size: 290 +0ms
  snyk not using proxy +0ms

Steps to reproduce

Simply execute the aforementioned commands.

The thing is that our build.gradle file has multiple blocks in which it declares dependencies. One of these blocks is on the first level and is indeed called dependencies {}. We'd assume at least this one would work correctly.

A possibly important detail is that we use the following plugins as well:

  • apply plugin: 'maven'
  • apply plugin: 'maven-publish'

The following block is executed before the dependencies{} block as well:

repositories {
    mavenCentral()
    maven { url "censoredURL" }
    maven { url "censoredURL" }
    etc.
}

We were thinking that this maven-gradle setup might be the root cause of Snyk not finding any dependencies?

Thank you in advance, we can exchange further needed details when needed.

Execution failed for task ':snykResolvedDepsJson'. > java.util.ConcurrentModificationException (no error message)

  • node -v: v18.17.1
  • npm -v: 9.6.7
  • snyk -v: 1.1258.0
  • Command run (run either one, the same result):
./gradlew snykResolvedDepsJson -q \
  --build-file project-x/build.gradle \
  -PonlySubProject=. \
  -I /var/folders/94/9kpdzysj3f53fpxq41f0l9d40000gq/T/tmp-32034-fKjko8xrsZmb--init.gradle \
  --no-configuration-cache
SNYK_TOKEN=XXX snyk test

The 1st command is reported when I run the 2nd command. Rerunning the gradle task (the 1st cmd) results in exactly the same issue.

Expected behaviour

Gradle task snykResolvedDepsJson passes and reports vulnerabilities.

Actual behaviour

I observed this issue when I updated the SpringFramework Boot Gradle Plugin from 3.1.5 to 3.1.6 (the same issue occurs when I update it to 3.2.0).

The reported line (in a file on my local /var/folders/94/9kpdzysj3f53fpxq41f0l9d40000gq/T/tmp-32034-fKjko8xrsZmb--init.gradle) is the same line (I judged by content, not line number) as in this repo.

FAILURE: Build failed with an exception.

* Where:
Initialization script '/var/folders/94/9kpdzysj3f53fpxq41f0l9d40000gq/T/tmp-32034-fKjko8xrsZmb--init.gradle' line: 311

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> java.util.ConcurrentModificationException (no error message)

Steps to reproduce

Run the cmd from the top of this description.

I'm also able to reproduce this in this repo (use branch snyk-gradle-concurrency-issue). (The first repo I observed this in is a work repo.)


Debug logs:

SNYK_TOKEN=XXX snyk test --debug
Error: 
Testing /Users/cookieMr/Documents/repos/project-x...

Gradle Error (short):
> java.util.ConcurrentModificationException (no error message)
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

===== DEBUG INFORMATION START =====

------------------------------------------------------------
Gradle 7.6.3
------------------------------------------------------------

Build time:   2023-10-04 15:59:47 UTC
Revision:     1694251d59e0d4752d547e1fd5b5020b798a7e71

Kotlin:       1.7.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          17.0.9 (Amazon.com Inc. 17.0.9+8-LTS)
OS:           Mac OS X 13.0 aarch64



>>> command: '/Users/cookieMr/Documents/repos/project-x/gradlew' 'snykResolvedDepsJson' '-q' '--build-file' '/Users/cookieMr/Documents/repos/project-x/build.gradle' '-Dorg.gradle.parallel=' '-Dorg.gradle.console=plain' '-PonlySubProject=.' '-I' '/var/folders/94/9kpdzysj3f53fpxq41f0l9d40000gq/T/tmp-57260-XQLF4weZmE96--init.gradle' '--no-configuration-cache'
>>> exit code: 1
>>> stdout:
SNYKECHO Current project: project-x-service
SNYKECHO snykResolvedDepsJson task is executing via doLast

>>> stderr:

FAILURE: Build failed with an exception.

* Where:
Initialization script '/var/folders/94/9kpdzysj3f53fpxq41f0l9d40000gq/T/tmp-57260-XQLF4weZmE96--init.gradle' line: 311

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> java.util.ConcurrentModificationException (no error message)

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 363ms


===== DEBUG INFORMATION END =====

Error running Gradle dependency analysis.

Please ensure you are calling the `snyk` command with correct arguments.
If the problem persists, contact [email protected], providing the full error
message from above, starting with ===== DEBUG INFORMATION START =====.
    at test (/snapshot/project/dist/cli/webpack:/snyk/src/cli/commands/test/index.ts:286:19)
    at runCommand (/snapshot/project/dist/cli/webpack:/snyk/src/cli/main.ts:51:25)
    at main (/snapshot/project/dist/cli/webpack:/snyk/src/cli/main.ts:319:11)
    at /snapshot/project/dist/cli/webpack:/snyk/src/cli/index.ts:13:3
    at Object.callHandlingUnexpectedErrors (/snapshot/project/dist/cli/webpack:/snyk/src/lib/unexpected-error.ts:28:5)

Execution failed for task ':snykResolvedDepsJson'.

  • node -v: v12.16.3
  • npm -v: 6.14.4
  • snyk -v: 1.341.1
  • Command run:
    snyk test

Expected behaviour

Dependencies analyzed

Actual behaviour

Gradle Error (short):
> Could not resolve all dependencies for configuration ':snykMergedDepsConf'.
   > Could not resolve org.slf4j:slf4j-simple:1.8.0-beta4.
      > Module 'org.slf4j:slf4j-simple' has been rejected:
   > Could not resolve org.slf4j:slf4j-simple:1.7.30.
      > Module 'org.slf4j:slf4j-simple' has been rejected:
   > Could not resolve ch.qos.logback:logback-classic:1.2.3.
      > Module 'ch.qos.logback:logback-classic' has been rejected:
   > Could not resolve ch.qos.logback:logback-classic.
      > Module 'ch.qos.logback:logback-classic' has been rejected:

===== DEBUG INFORMATION START =====
gradle command: '/home/candrews/Downloads/demo/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -PonlySubProject=. -I /tmp/tmp-49189-hgINAGkBbrXw--init.gradle

------------------------------------------------------------
Gradle 6.4.1
------------------------------------------------------------

Build time:   2020-05-15 19:43:40 UTC
Revision:     1a04183c502614b5c80e33d603074e0b4a2777c5

Kotlin:       1.3.71
Groovy:       2.5.10
Ant:          Apache Ant(TM) version 1.10.7 compiled on September 1 2019
JVM:          11.0.7 (Oracle Corporation 11.0.7+10)
OS:           Linux 5.6.18-300.fc32.x86_64 amd64



>>> command: '/home/candrews/Downloads/demo/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -PonlySubProject=. -I /tmp/tmp-49189-hgINAGkBbrXw--init.gradle
>>> exit code: 1
>>> stdout:
SNYKECHO snykResolvedDepsJson task is executing via doLast
JSONATTRS {"org.gradle.usage":["java-runtime","java-api"],"org.gradle.category":["library"],"org.gradle.libraryelements":["jar"],"org.gradle.dependency.bundling":["external"]}
SNYKECHO processing project: demo
SNYKECHO constructing merged configuration from [allResolvable, annotationProcessor, apiElements, archives, bootArchives, compile, compileClasspath, compileOnly, default, developmentOnly, implementation, productionRuntimeClasspath, runtime, runtimeClasspath, runtimeElements, runtimeOnly, sonarlint, sonarlintPlugins, spotbugs, spotbugsPlugins, spotbugsSlf4j, testAnnotationProcessor, testCompile, testCompileClasspath, testCompileOnly, testImplementation, testRuntime, testRuntimeClasspath, testRuntimeOnly]
SNYKECHO resolving configuration snykMergedDepsConf

>>> stderr:

FAILURE: Build failed with an exception.

* Where:
Initialization script '/tmp/tmp-49189-hgINAGkBbrXw--init.gradle' line: 260

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not resolve all dependencies for configuration ':snykMergedDepsConf'.
   > Could not resolve org.slf4j:slf4j-simple:1.8.0-beta4.
     Required by:
         project :
      > Module 'org.slf4j:slf4j-simple' has been rejected:
           Cannot select module with conflict on capability 'logging:slf4j-impl-capability:0' also provided by [ch.qos.logback:logback-classic:1.2.3(runtime)]
   > Could not resolve org.slf4j:slf4j-simple:1.7.30.
     Required by:
         project : > org.springframework.boot:spring-boot-starter:2.3.1.RELEASE > org.springframework.boot:spring-boot-dependencies:2.3.1.RELEASE
      > Module 'org.slf4j:slf4j-simple' has been rejected:
           Cannot select module with conflict on capability 'logging:slf4j-impl-capability:0' also provided by [ch.qos.logback:logback-classic:1.2.3(runtime)]
   > Could not resolve ch.qos.logback:logback-classic:1.2.3.
     Required by:
         project : > org.springframework.boot:spring-boot-starter:2.3.1.RELEASE > org.springframework.boot:spring-boot-dependencies:2.3.1.RELEASE
      > Module 'ch.qos.logback:logback-classic' has been rejected:
           Cannot select module with conflict on capability 'logging:slf4j-impl-capability:0' also provided by [org.slf4j:slf4j-simple:1.8.0-beta4(runtime)]
   > Could not resolve ch.qos.logback:logback-classic.
     Required by:
         project : > org.springframework.boot:spring-boot-starter:2.3.1.RELEASE > org.springframework.boot:spring-boot-starter-logging:2.3.1.RELEASE
      > Module 'ch.qos.logback:logback-classic' has been rejected:
           Cannot select module with conflict on capability 'logging:slf4j-impl-capability:0' also provided by [org.slf4j:slf4j-simple:1.8.0-beta4(runtime)]

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 10s


===== DEBUG INFORMATION END =====

Error running Gradle dependency analysis.

Please ensure you are calling the `snyk` command with correct arguments.
If the problem persists, contact [email protected], providing the full error
message from above, starting with ===== DEBUG INFORMATION START =====.


Steps to reproduce


If applicable, please append the --debug flag on your command and include the output here, ensuring to remove any sensitive/personal details or tokens.

Snyk reports some upgradable non-direct dependencies as non-upgradable

  • gradle version: 6.4.1
  • snyk -v: 1.511.0 (standalone)
  • OS: macOS Catalina
  • Command run: snyk test

Problem

I noticed that Gradle reports non-direct (transitive) dependencies as fixable (#173). I assume that is the policy, but there is still ambiguous behaviour in the tool.

In some cases, it reports transitive dependencies in section Issues to fix by upgrading where there is an upgrade available but at the same time for some transitives it doesn't.

Outcomes

It means that snyk test --fail-on=all returns 0 (ok) in cases where fixable issues still exist, while the documentation of that parameter says:

Only fail when there are vulnerabilities that can be fixed.

It also means the portal shows a dependency as non-fixable when it is marked "Fixed in":


Transitive dependency report

Please find the example here: https://github.com/artemptushkin/snyk-gradle-plugin/tree/issue/transitives/test/fixtures/transitives

Gradle file:

dependencies {
    implementation 'org.mock-server:mockserver-netty:5.11.2'
}

$ snyk test output:

...
Issues to fix by upgrading:
  Upgrade io.netty:[email protected] to io.netty:[email protected] to fix
  ✗ Information Disclosure [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-IONETTY-1082235] in io.netty:[email protected]
    introduced by io.netty:[email protected]
...

Issues with no direct upgrade or patch:
  No upgrade or patch available
  ✗ Arbitrary Code Execution [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEVELOCITY-1083992] in org.apache.velocity:[email protected]
    introduced by org.mock-server:[email protected] > org.apache.velocity:[email protected] and 1 other path(s)
  This issue was fixed in versions: 2.3
...

It reports ambiguous text:

Issues with no direct upgrade or patch... This issue was fixed in versions: 2.3

In other words:

io.netty:netty-handler:
   transitive: true
   fixable: true
   upgradable:
     actual: true
     expected: true
org.apache.velocity:velocity-engine-core:
   transitive: true
   fixable: true
   upgradable:
     actual: false
     expected: true

Transitives dependencies as direct

At the same time, when we declare it explicitly, i.e. as direct, these are reported as upgradable as expected.
Please find the example here: https://github.com/artemptushkin/snyk-gradle-plugin/tree/issue/transitives/test/fixtures/transitive-as-direct

Gradle file:

dependencies {
    implementation 'org.mock-server:mockserver-netty:5.11.2'

    implementation "org.apache.velocity:velocity-engine-core:2.2"
    implementation "io.netty:netty-codec-http:4.1.53.Final"
}

Output:

...
Issues to fix by upgrading:
...
  Upgrade io.netty:[email protected] to io.netty:[email protected] to fix
  ✗ Information Disclosure [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-IONETTY-1070799] in io.netty:[email protected]
    introduced by io.netty:[email protected] and 3 other path(s)
...
  Upgrade org.apache.velocity:[email protected] to org.apache.velocity:[email protected] to fix
  ✗ Arbitrary Code Execution (new) [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEVELOCITY-1083992] in org.apache.velocity:[email protected]
    introduced by org.apache.velocity:[email protected] and 2 other path(s)
....

In my understanding, assuming you include transitive dependencies in the report (i.e. #173 is not the problem), the report section Issues to fix by upgrading should include all the upgradable transitive dependencies, but it doesn't.

The automated release is failing 🚨

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make sure the auth-only level is configured. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.


Good luck with your project ✨

Your semantic-release bot 📦🚀

Parallel flag not supported in Gradle multi-project builds - Results in poor performance in large projects

  • node -v: v16.15.0
  • npm -v: 8.5.5
  • snyk -v: 1.874.0
  • Command run:
    snyk test --all-projects -- -parallel

Expected behaviour

Gradle's parallel flag to be supported and the underlying Gradle task to be executed in parallel. Most enterprise projects which use Gradle are large multi-project builds, so running snyk test on them is a time-consuming task; for example, one large legacy project takes upwards of 20 - 30 minutes to complete a scan.

Supporting the parallel flag would greatly assist here as this allows Gradle to execute the same tasks in submodules in a parallel fashion.

Actual behaviour

Gradle's -parallel flag is not supported and throws an error.

Steps to reproduce

Execute the following against any Gradle project which is a multi-project build:

snyk test --all-projects -- -parallel

The following error will be thrown

15:42:11  * Where:
15:42:11  Initialization script '/tmp/tmp-3648-NkSbzlUnvQH8--init.gradle' line: 222
15:42:11  
15:42:11  * What went wrong:
15:42:11  Execution failed for task ':processors:snykResolvedDepsJson'.
15:42:11  > java.util.ConcurrentModificationException (no error message)


Please use complete sub project path instead of name to check for onlyProj

it.name == onlyProj

Gradle multiproject setup can be nested.
One can setup the following structure:

settings.gradle
build.gradle
sub1/foo/build.gradle
sub2/foo/build.gradle

The settings.gradle could look like this:

rootProject.name = 'myProject'
include ':sub1:foo'
include ':sub2:foo'

So here we have four subprojects!

  • :sub1
  • :sub1:foo
  • :sub2
  • :sub2:foo

When declaring the --sub-project one has to pass the sub project name without the path (eg --sub-project=foo). It would be cleaner and actually more correct to use the full project path --sub-project=:sub1:foo.
Gradle exposes this in the Project class.

Projects are arranged into a hierarchy of projects. A project has a name, and a fully qualified path which uniquely identifies it in the hierarchy.

see: https://docs.gradle.org/current/javadoc/org/gradle/api/Project.html#getPath--

multi-module projects fail when using configuration-matching

Problem

Using this command
snyk -d --all-sub-projects --configuration-matching=^runtimeClasspath$ test

For example in a multi project like this where the bom module produces only a java-platform.

build.gradle               OK
some-code/build.gradle     OK
...                        OK
bom/build.gradle           <- Fails because there is no runtimeClasspath in this project

Problem 2

Adding the --exclude option for the folder does not help. Same error is evaluated before it seems.

Question

Can the option configuration-matching ignore projects that don't match?
That's my expectation from the name matching, acting as a filter, but maybe there are other factors at play.

Code that throws the error:

if (resolvedConfigs.isEmpty() && !proj.configurations.isEmpty()) {
    throw new RuntimeException('Matching configurations not found: ' + confNameFilter +
        ', available configurations for project ' + proj + ': '
        + proj.configurations.collect { it.name })
}
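
The two issues above are really the same question: in a multi-project build, which projects and which configurations does a scan cover, and what happens when the selector matches nothing? The TypeScript below is an added example in the plugin's own language, not the plugin's init.gradle logic, modelling a Gradle project hierarchy to compare sub-project selection by `name` (the `it.name == onlyProj` check quoted above) with selection by the fully qualified `path`, and applying a `--configuration-matching` style regex per project so that a project with no matching configuration (the `bom` java-platform case) is recorded as skipped instead of failing the whole build. `SAMPLE_BUILD` is constructed from the settings.gradle in the sub-project issue plus an assumed `bom` project; `GradleProject`, `selectByName`, `selectByPath`, `planScan` and `scannedPaths` are the example's own names.

```typescript
// Added example (not the plugin's own code): a model of a Gradle
// multi-project build used to compare sub-project selection by name with
// selection by fully qualified path, and to show a configuration filter that
// records, rather than throws on, projects it cannot match.

interface GradleProject {
  path: string;             // fully qualified path, ':' for the root project
  name: string;             // last path segment, what `it.name` returns
  configurations: string[]; // configuration names the project declares
}

// Constructed from the settings.gradle in the issue above, with an assumed
// 'bom' java-platform project that has no runtimeClasspath configuration.
const SAMPLE_BUILD: GradleProject[] = [
  { path: ':', name: 'myProject', configurations: ['compileClasspath', 'runtimeClasspath'] },
  { path: ':sub1', name: 'sub1', configurations: [] },
  { path: ':sub1:foo', name: 'foo', configurations: ['compileClasspath', 'runtimeClasspath', 'testRuntimeClasspath'] },
  { path: ':sub2', name: 'sub2', configurations: [] },
  { path: ':sub2:foo', name: 'foo', configurations: ['compileClasspath', 'runtimeClasspath'] },
  { path: ':bom', name: 'bom', configurations: ['apiElements', 'runtimeElements'] },
];

// The check quoted in the issue (it.name == onlyProj): nested projects may
// share a name, so this can match more than one project.
function selectByName(projects: GradleProject[], name: string): GradleProject[] {
  return projects.filter((p) => p.name === name);
}

// Project.getPath() is unique by construction. The leading ':' is added when
// the caller left it out, so 'sub1:foo' and ':sub1:foo' select the same project.
function selectByPath(projects: GradleProject[], input: string): GradleProject[] {
  const path = input.charAt(0) === ':' ? input : ':' + input;
  return projects.filter((p) => p.path === path);
}

interface ProjectPlan {
  path: string;
  configurations: string[]; // configurations that will be resolved
  skipped: string | null;   // reason the project is left out, if any
}

// Apply a --configuration-matching style regex per project. A project with no
// configurations at all (a bare container like ':sub1') and a project whose
// configurations all fail the filter (the bom) are both skipped, but the
// reason is kept so the caller can report the coverage gap rather than
// silently scanning less than the user expects.
function planScan(projects: GradleProject[], matching: RegExp): ProjectPlan[] {
  return projects.map((p) => {
    if (p.configurations.length === 0) {
      return { path: p.path, configurations: [], skipped: 'project declares no configurations' };
    }
    const selected = p.configurations.filter((c) => matching.test(c));
    if (selected.length === 0) {
      return {
        path: p.path,
        configurations: [],
        skipped: `no configuration matches ${matching.source}; available: ${p.configurations.join(', ')}`,
      };
    }
    return { path: p.path, configurations: selected, skipped: null };
  });
}

// Paths that will actually be resolved; compare against the full project
// list to see what a filter has excluded.
function scannedPaths(plan: ProjectPlan[]): string[] {
  return plan.filter((entry) => entry.skipped === null).map((entry) => entry.path);
}
```

Skipping is the right default for a filter, but an unscanned project is a blind spot, so the skip reasons belong in the scan output: a user who filters on `^runtimeClasspath$` should be able to see that `:bom` was left out and why, rather than discovering it when an advisory lands on something the platform pulls in.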

wrong behavior when include checkstyle plugin

  • node -v: v9.7.1
  • npm -v: 5.6.0
  • snyk -v: 1.104.1
  • gradle -v: 4.8
  • build.gradle
apply plugin: 'java'
apply plugin: 'checkstyle'

ext {
    checkstyleVersion = '8.10.1'
    jacksonVersion = '2.9.7'
    springsecuritysamlVersion = '1.0.3.RELEASE'
}

group 'com.test'
version '0.8.6'

sourceCompatibility = 1.8

repositories {
    mavenCentral()
}

dependencies {
    implementation group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: jacksonVersion
    implementation group: 'org.springframework.security.extensions', name: 'spring-security-saml2-core', version: springsecuritysamlVersion
}
  • Command run: snyk test

Expected behaviour

Organisation:      <>
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <>

Tested 33 dependencies for known vulnerabilities, found 26 vulnerabilities, 96 vulnerable paths.

Actual behaviour

✗ Medium severity vulnerability found in com.google.guava:guava
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
  Introduced through: com.puppycrawl.tools:[email protected]
  From: com.puppycrawl.tools:[email protected] > com.google.guava:[email protected]

Organisation:      <>
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <>

Tested 7 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.

After removing apply plugin: 'checkstyle', the snyk test gives the expected results.
It seems that checkstyle plugin causes snyk to behave wrongly and run test on the checkstyle dependencies instead.



Extract gradle project & sub-project names on every test

Expected behaviour

After doing a little digging I realised we are not grabbing the actual project names when returning results; here is the PR with some tests that shows the desired outcome: https://github.com/snyk/snyk-gradle-plugin/tree/feat/get-correct-project-names

Users can scan a project with:

  • snyk test --all-sub-projects
  • snyk test --file=path/to/build.sbt
  • snyk test --gradle-sub-project=path/to/build.sbt

So we need to be mindful of what is the context and grab the relevant project name that we just scanned.

There are two potential approaches:

  • extract the project name in the already used init.gradle, there is most likely a way to get that there and return it back for processing in the TypeScript lib wrapper / child process wrapper
    To get the correct project names for testing purposes you can run gradle projects which will list the root project and any sub-projects from that directory

  • if that is not possible we can use gradle to get the names in the relevant context 🐌 this may be too slow, as we already execute gradle when getting the deps, so this would be a second call.

Actual behaviour

The tests in this branch fail https://github.com/snyk/snyk-gradle-plugin/tree/feat/get-correct-project-names

Steps to reproduce

Run the tests on the branch above

