DependencyCheck/dependency-check-ant/README.md

Dependency-Check-Gradle
=========

**Working in progress**

This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

=========

## What's New
Current latest version is `0.0.8`

## Usage

### Step 1, Apply dependency check gradle plugin

Install from Maven central repo

```groovy
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:1.3.2'
    }
}

apply plugin: 'dependency-check-gradle'
```

### Step 2, Run gradle task

Once gradle plugin applied, run following gradle task to check dependencies:

```
gradle dependencyCheck --info
```

The reports will be generated automatically under `./reports` folder.

If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.

## FAQ

> **Questions List:**
> - What if I'm behind a proxy?
> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
> - How to customize the report directory?

### What if I'm behind a proxy?

Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:

```groovy
dependencyCheck {
    proxy {
        server = "127.0.0.1"      // required, the server name or IP address of the proxy
        port = 3128               // required, the port number of the proxy

        // optional, the proxy server might require username
        // username = "username"

        // optional, the proxy server might require password
        // password = "password"
    }
}
```

In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
 the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
 and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:

```groovy
dependencyCheck {
    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
}
```

### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?

Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:

(1) For all projects including root project:

```groovy
buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
  }
}

allprojects {
    apply plugin: "dependency-check"
}
```

(2) For all sub-projects:

```groovy
buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
  }
}

subprojects {
    apply plugin: "dependency-check"
}
```

In this way, the dependency check will be executed for all projects (including root project) or just sub projects.

### How to customize the report directory?

By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:

```groovy
subprojects {
    apply plugin: "dependency-check"

    dependencyCheck {
        outputDirectory = "./customized-path/security-report"
    }
}
```