Dependency-Check-Gradle
Working in progress
This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
=========
Usage
Step 1, Apply dependency check gradle plugin
Please refer to either one of the solution
Solution 1,Install from Maven Central
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'com.thoughtworks.tools:dependency-check:0.0.5'
}
}
apply plugin: 'dependency.check'
Solution 2,Install from Gradle Plugin Portal
dependency check gradle plugin on Gradle Plugin Portal
Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:
plugins {
id "dependency.check" version "0.0.5"
}
Build script snippet for use in all Gradle versions:
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
}
}
apply plugin: "dependency.check"
Solution 3,Install from Bintray
apply plugin: "dependency-check"
buildscript {
repositories {
maven {
url 'http://dl.bintray.com/wei/maven'
}
mavenCentral()
}
dependencies {
classpath(
'com.tools.security:dependency-check:0.0.5'
)
}
}
Step 2, Run gradle task
Once gradle plugin applied, run following gradle task to check the dependencies:
gradle dependencyCheck
The reports will be generated automatically under ./reports folder.
If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
FAQ
Questions List:
- What if I'm behind a proxy?
- What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
- How to customize the report directory?
What if I'm behind a proxy?
Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
dependencyCheck {
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
proxyPort = 3128 // required, the port number of the proxy
// optional, the proxy server might require username
// proxyUsername = "username"
// optional, the proxy server might require password
// proxyPassword = "password"
}
What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
(1) For all projects including root project:
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
}
}
allprojects {
apply plugin: "dependency-check"
}
(2) For all sub-projects:
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
}
}
subprojects {
apply plugin: "dependency-check"
}
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
How to customize the report directory?
By default, all reports will be placed under ./reports folder, to change the default directory, just modify it in the configuration section like this:
subprojects {
apply plugin: "dependency-check"
dependencyCheck {
outputDirectory = "./customized-path/security-report"
}
}