dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.

Home Page: http://jeremylong.github.io/DependencyCheck/

How to configure dependencyCheckAnalyze differently than dependencyCheckAggregate?

vidgeus opened this issue · comments

Docs seem to suggest that both tasks dependencyCheckAnalyze and dependencyCheckAggregate are configured using dependencyCheck, see Example section: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html

But I want to configure them independently, from the root build.gradle file. I have this code:

allprojects {
    apply plugin: 'org.owasp.dependencycheck'
    dependencyCheck {
        autoUpdate = true
        format = 'ALL'
        suppressionFiles = ['my_file.xml']
    }
}

What it does: when I run the dependencyCheckAnalyze task from the root project, it generates reports in the build folder of each module separately. But I want a single report with vulnerabilities from all modules, so I run dependencyCheckAggregate, but it runs forever.

So I changed the code by removing the allprojects part:

apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
    autoUpdate = true
    format = 'ALL'
    suppressionFiles = ['my_file.xml']
}

This works well for dependencyCheckAggregate, but the dependencyCheckAnalyze task no longer exists in the sub-modules, so running it now only scans the root project, not any of the sub-modules.

What I need: a configuration that makes dependencyCheckAggregate behave like in the 2nd example and dependencyCheckAnalyze like in the 1st example. How can I achieve that by touching only the root build.gradle file?
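One way to keep both behaviours from a single root build.gradle, as an added example that is not part of the issue above and not taken from the plugin's own documentation. It relies on two assumptions worth checking against the plugin version in use: that the plugin registers a separate `dependencyCheck` extension in every project it is applied to, so the root project's extension drives dependencyCheckAggregate while each subproject's extension drives that subproject's dependencyCheckAnalyze; and that the "runs forever" symptom comes from Gradle running every task named dependencyCheckAggregate in every project when the task is invoked without a project path (the same reason `gradle test` runs in all modules). The suppression file path and the per-module report format are placeholders.

```groovy
// Root build.gradle. Added example for this thread, not the plugin's own code.
// Assumption: the plugin creates one 'dependencyCheck' extension per project.

allprojects {
    // Every module gets dependencyCheckAnalyze (per-module reports, as in the
    // first configuration from the issue).
    apply plugin: 'org.owasp.dependencycheck'
}

// Root extension: this is what dependencyCheckAggregate in the root reads.
// Single combined report across all modules, written under the root build dir.
dependencyCheck {
    autoUpdate = true
    format = 'ALL'
    // absolutePath yields a plain String; the extension expects List<String>.
    suppressionFiles = [rootProject.file('my_file.xml').absolutePath]
}

// Subproject extensions: independent settings for each module's
// dependencyCheckAnalyze. 'HTML' here is a placeholder; use whatever
// per-module format you want (it does not affect the aggregate report).
subprojects {
    dependencyCheck {
        autoUpdate = true
        format = 'HTML'
        suppressionFiles = [rootProject.file('my_file.xml').absolutePath]
    }

    // Assumption (see lead-in): `gradle dependencyCheckAggregate` from the root
    // would otherwise also execute the aggregate task of every subproject, each
    // re-scanning its own subtree. Disabling it in subprojects leaves only the
    // root's aggregate to run. Alternatively, invoke the root task by path:
    //   gradle :dependencyCheckAggregate
    tasks.matching { it.name == 'dependencyCheckAggregate' }.configureEach {
        enabled = false
    }
}
```

With this in place, `gradle dependencyCheckAnalyze` produces one report per module (each in its own build folder), and `gradle :dependencyCheckAggregate` produces the single combined report in the root project's build folder. If the aggregate task still appears to hang, run it with `--info` to confirm that only the root task is executing and that the time is spent on the NVD data update rather than on repeated scans.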