
Releases: sonatype-nexus-community/scan-gradle-plugin

2.8.2 Avoid failing when OSS Index reports vulnerabilities

09 May 23:38

What's Changed

The new failOnDetection property for ossIndexAudit makes it possible to keep the Gradle task from failing when vulnerabilities are found, so users with their own tools can further process the output with components and vulnerabilities (for instance, using the CycloneDX standard format).

ossIndexAudit {
    failOnDetection = false
}
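
With failOnDetection turned off, the pass/fail decision has to be made by whatever consumes the output. The sketch below is an added example, not code from the plugin or its authors: it assumes the audit output has already been captured as a CycloneDX 1.4 JSON document, and the sample BOM, identifiers and function names are constructed for illustration.

```python
import json

# CycloneDX severity names, lowest to highest ("unknown" is handled separately).
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]

# Constructed sample in CycloneDX 1.4 JSON layout; not real plugin output.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "c1", "purl": "pkg:maven/com.example/lib-a@1.0.0"},
        {"bom-ref": "c2", "purl": "pkg:maven/com.example/lib-b@2.3.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "c1"}],
         "ratings": [{"severity": "medium"}, {"severity": "critical"}]},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "c2"}], "ratings": [{"severity": "low"}]},
        {"id": "EXAMPLE-0003", "affects": [{"ref": "c2"}]},  # no rating at all
    ],
})


def worst_severity(vuln):
    """Highest severity across all ratings; None when nothing usable is present."""
    names = [str(r.get("severity", "")).lower() for r in vuln.get("ratings", [])]
    ranks = [SEVERITY_ORDER.index(n) for n in names if n in SEVERITY_ORDER]
    return SEVERITY_ORDER[max(ranks)] if ranks else None


def blocking_findings(bom_text, threshold="high"):
    """Return (vuln id, severity, purl) tuples that should fail the pipeline."""
    bom = json.loads(bom_text)
    purls = {c.get("bom-ref"): c.get("purl") for c in bom.get("components", [])}
    limit = SEVERITY_ORDER.index(threshold)
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        severity = worst_severity(vuln)
        # Fail closed: an unrated vulnerability blocks until someone triages it.
        if severity is not None and SEVERITY_ORDER.index(severity) < limit:
            continue
        for target in vuln.get("affects", []) or [{}]:
            ref = target.get("ref")  # may be a bom-ref or already a purl
            findings.append((vuln.get("id"), severity or "unknown", purls.get(ref, ref)))
    return findings


if __name__ == "__main__":
    hits = blocking_findings(SAMPLE_BOM)
    print("\n".join(f"BLOCK {i} [{s}] {p}" for i, s, p in hits))
    raise SystemExit(1 if hits else 0)
```

Run as a later pipeline step, the non-zero exit code restores a build gate under the team's own severity policy instead of the task's default behaviour.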


Full Changelog: 2.8.1...2.8.2

2.8.1 Upgrade to safe version of JGit

26 Apr 15:35

What's Changed

No actions/changes required by anyone already using this plugin.

Full Changelog: 2.8.0...2.8.1

2.8.0 Exclude compileOnly dependencies

26 Apr 14:07

What's Changed

excludeCompileOnly allows this plugin to behave similarly to Sonatype CLM for Maven (since compileOnly is an equivalent of the provided scope in Maven):

ossIndexAudit {
  excludeCompileOnly = true
}

nexusIQScan {
  excludeCompileOnly = true
}

Full Changelog: 2.7.0...2.8.0

2.7.0 Allows to set additional scan targets for IQ evaluations

19 Jan 22:10

What's Changed

Use the new scanTargets property to configure additional targets, given as paths or as Ant-like patterns relative to the project's folder, that select the files to be scanned and evaluated.

For example:

nexusIQScan {
    username = 'admin'
    password = 'pass'
    serverUrl = 'http://localhost:8070'
    applicationId = 'app'
    scanTargets = ['package-lock.json', '**/*.lock']
}

Full Changelog: 2.6.2...2.7.0

Introducing Legacy Violations

22 Dec 01:17

As part of our inclusive language initiatives stemming from our core values "Embrace Inclusion", we are renaming the feature previously known as Policy Violation Grandfathering to Legacy Violations.

See more at https://help.sonatype.com/iqserver/product-information/release-notes#ReleaseNotes-EmbracingInclusionwithLegacyViolations

Avoid failing due to cache configuration

14 Sep 23:01
9a016cf

Fixes #140: the task no longer fails due to cache configuration and only produces a warning message.

Variant Selection With Custom Attributes

21 Jan 00:07

What's Changed

A new property, variantAttributes, was added to set attributes that allow selecting the right variant when there are multiple release variants.

Full details at: https://github.com/sonatype-nexus-community/scan-gradle-plugin#how-to-deal-with-multiple-release-variants

Full Changelog: 2.5.4...2.5.5

Proper selection of "release" variant in Android projects

23 Dec 19:36

What's Changed

The plugin now makes a proper selection of the "release" variant for Android projects when there is a dependency on a module with multiple variants: #132

Full Changelog: 2.5.3...2.5.4

Parent modules for Nexus IQ

24 Oct 16:19

Thanks to @mealingr, the modules XML file generated for Nexus IQ will include the right ID for the parent module in multi-module projects: #129

Automatic Applications in Nexus IQ Server

21 Oct 16:34

Previously, we were creating applications manually in Nexus IQ Server using a given Organization ID via REST calls.

Now the Automatic Applications feature allows sending an Organization ID different from the one configured as "Parent Organization".

This means that customers who want the applications set in this plugin to be created automatically can enable the Automatic Applications feature in IQ, select any organization as the parent, and set whatever organizationId is needed when configuring the nexusIQScan task.