How to use this with Android projects? #206
Comments
any update on this?

Anyone have an example project that fails? From the above question I have no clue what is going on. If we have a concrete example I can help.
I might be a bit too late, but you've got instructions here. A working example, if you're using the Gradle Version Catalog, in the root-level

If you're NOT using Gradle Version Catalog, the root-level

If having any issue with adding the Gradle plugin, just check the instructions [here](https://plugins.gradle.org/plugin/org.owasp.dependencycheck)
The following snippet works for Kotlin syntax:

```kotlin
plugins {
    ...
    alias(libs.plugins.dependencyCheck)
    ...
}
...
allprojects {
    apply { plugin("org.owasp.dependencycheck") }
    dependencyCheck {
        // Scan only the *DependenciesMetadata configurations of the shipped scopes
        // (api / implementation / runtimeOnly), skipping test and debug variants.
        scanConfigurations = configurations.filter { cfg ->
            listOf("androidTest", "test", "debug").none { cfg.name.startsWith(it) } &&
                cfg.name.contains("DependenciesMetadata") &&
                listOf("Api", "Implementation", "RuntimeOnly").any { cfg.name.contains(it) }
        }.map { it.name }
    }
}
```
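The configuration-selection predicate from the snippet above, pulled out as a plain Kotlin function so it can be checked outside Gradle (an added example, not code from the thread or from the plugin). The `any { !name.startsWith(it) }` form seen in the original post is kept beside the intended `none { ... }` form to show why it lets debug and test configurations into the scan; the configuration names are constructed but follow the Android/Kotlin `<variant><Scope>DependenciesMetadata` naming.

```kotlin
// Added example: the scanConfigurations filter as a standalone predicate.
// Configuration names below are constructed for illustration.

val excludedPrefixes = listOf("androidTest", "test", "debug")
val scannedScopes = listOf("Api", "Implementation", "RuntimeOnly")

// any { !startsWith } is true for every name (no name starts with all three
// prefixes at once), so the prefix check never excludes anything.
fun scanAsPosted(name: String): Boolean =
    excludedPrefixes.any { !name.startsWith(it) } &&
        name.contains("DependenciesMetadata") &&
        scannedScopes.any { name.contains(it) }

// Intended behaviour: drop any configuration whose name starts with an excluded prefix.
fun scanIntended(name: String): Boolean =
    excludedPrefixes.none { name.startsWith(it) } &&
        name.contains("DependenciesMetadata") &&
        scannedScopes.any { name.contains(it) }

// Constructed sample of configuration names a library module might report.
val sampleConfigurations = listOf(
    "releaseImplementationDependenciesMetadata",
    "releaseApiDependenciesMetadata",
    "releaseRuntimeOnlyDependenciesMetadata",
    "debugImplementationDependenciesMetadata",
    "testImplementationDependenciesMetadata",
    "androidTestImplementationDependenciesMetadata",
    "releaseRuntimeClasspath",                 // not a *DependenciesMetadata configuration
    "releaseCompileOnlyDependenciesMetadata",  // compileOnly is not one of the scanned scopes
)

fun select(predicate: (String) -> Boolean): List<String> = sampleConfigurations.filter(predicate)

fun main() {
    val posted = select(::scanAsPosted)
    val intended = select(::scanIntended)
    println("as posted : $posted")
    println("intended  : $intended")
    // The posted filter lets debug and test configurations through.
    check("debugImplementationDependenciesMetadata" in posted)
    check("testImplementationDependenciesMetadata" in posted)
    // The intended filter keeps only the three release configurations.
    check(intended == listOf(
        "releaseImplementationDependenciesMetadata",
        "releaseApiDependenciesMetadata",
        "releaseRuntimeOnlyDependenciesMetadata",
    ))
}
```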
I’ve got the following already under `allprojects`:

But I can’t get it to run on a simple `./gradlew clean build` in the top-level of the project, let alone on a `../gradlew clean build` in a subproject (this one has a library and an app as modules, and I need to check them both independently, if run so, and as a whole, if building the whole thing). The `scanSet` is from our normal OWASP check plugin configuration for Maven projects (I don’t know Gradle at all, but I’ve built up almost a decade of Maven experience by now, but Android forces me to use Gradle ☹), and the `skipConfigurations` is to avoid triggering `score > 8` build failures for something in IntelliJ (?) on even an empty project.

Furthermore, I don’t see the difference between `dependencyCheckAnalyze` [sic!] and `dependencyCheckAggregate` explained in an understandable way: from the Tasks documentation I think I need Aggregate in a multi-module project (so, every Android project, because they are always structured as top-level plus `app/` subdirectory), but https://github.com/jeremylong/dependency-check-gradle#what-if-my-project-includes-multiple-sub-project-how-can-i-use-this-plugin-for-each-of-them-including-the-root-project says nothing about it and somewhere else I think I saw Analyse used, not Aggregate… 😕