The latest articles on DEV Community by Guillermo Varela (@guillermovarela). https://dev.to/guillermovarela https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F578870%2Fb034a6ff-f4fe-47b3-87de-9fafd33e874f.jpeg https://dev.to/guillermovarela en Guillermo Varela Fri, 19 Feb 2021 19:16:08 +0000 https://dev.to/guillermovarela/happy-1st-birthday-to-sonatype-gradle-scan-plugin-enter-sherlock-trunks-on3 https://dev.to/guillermovarela/happy-1st-birthday-to-sonatype-gradle-scan-plugin-enter-sherlock-trunks-on3 <p>It's been over a year since the release of the open source Gradle plugin to scan, evaluate, and audit Gradle project dependencies aiming to keep developers safe from any vulnerabilities such libraries could bring: <a href="https://github.com/sonatype-nexus-community/scan-gradle-plugin">https://github.com/sonatype-nexus-community/scan-gradle-plugin</a></p> <p>Following the Open Source mindset we proudly carry at Sonatype, this plugin has grown not only based on internal initiatives (many of them from my colleague <a href="https://github.com/shaikhu"><br> Usman Shaikh</a>) but also from feedback given by users of both our free <a href="https://ossindex.sonatype.org/">OSS Index</a> service and the paid platform <a href="https://www.sonatype.com/nexus/lifecycle">Nexus Lifecycle</a>.</p> <p>Some of the improvements have been:</p> <ul> <li> <strong>Better visualization for OSS Index results</strong>: from the initial plain text list of dependencies and vulnerabilities now the output supports a tabular-like and colored output to make the results easier to read and understand with an option to also get a tree structure to identify which transitive dependency is bringing vulnerabilities to a project: <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KIT6E0D5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8qyqgj172uqzjpeim848.png" alt="tabular list oss index output"> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WTkdvMWP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/mne0d8mkb39nlxqkh3dt.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WTkdvMWP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/mne0d8mkb39nlxqkh3dt.png" alt="dependencies tree oss index output"></a></p> <ul> <li><p><strong>Option to view only vulnerable dependencies in OSS Index results</strong>: if you prefer focusing in addressing the vulnerabilities ;)</p></li> <li><p><strong>New flag to include dependencies from all configurations</strong>: Gradle builds are highly customizable, so now it's possible to include dependencies beyond the default configurations <code>compileClasspath</code> and <code>releaseCompileClasspath</code> for both OSS Index and Nexus Lifecycle.</p></li> <li><p><strong>Improved support for Android projects</strong>: projects with build variants and product flavors are now fully supported.</p></li> <li><p><strong>InnerSource Insight has arrived</strong>: Nexus Lifecycle customers can now have a better understanding of vulnerabilities carried over from InnerSource components and transitive dependencies. More details about InnerSource Insight at: <a href="https://help.sonatype.com/iqserver/reporting/application-composition-report/innersource-insight">https://help.sonatype.com/iqserver/reporting/application-composition-report/innersource-insight</a></p></li> <li><p><strong>Continuously improved documentation</strong>: We do our best to always keep the <a href="https://github.com/sonatype-nexus-community/scan-gradle-plugin/blob/master/README.md">README.md</a> file out to date with all new features and instructions so users can start using the plugin according to their needs and remediate vulnerabilities quickly!</p></li> </ul> <p>But possible the news that brought the most joy for us was the arrival of our new mascot: <strong>Sherlock Trunks!!!</strong><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--i17JAKEy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/smcgamg1e48w8luwuo9q.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--i17JAKEy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/smcgamg1e48w8luwuo9q.png" alt="Sherlock Trunks"></a></p> <p>Hopefully our new friend will motive us and the plugin's users to be in an inquisitive mood, looking for vulnerabilities from Open Source dependencies in all kind of Gradle projects while also finding new ways to keep improving this plugin.</p> <p>Thanks to all who have used the plugin and help making it better by creating issues with your feedback and requests.</p> <p>You haven't used it yet? Well, using OSS Index is completely free so go for it!</p> gradle vulnerabilities ossindex dependencies