It's been over a year since the release of the open source Gradle plugin to scan, evaluate, and audit Gradle project dependencies, with the aim of keeping developers safe from the vulnerabilities those libraries can bring: https://github.com/sonatype-nexus-community/scan-gradle-plugin
Following the Open Source mindset we proudly carry at Sonatype, this plugin has grown not only through internal initiatives (many of them from my colleague Usman Shaikh) but also through feedback given by users of both our free OSS Index service and the paid platform Nexus Lifecycle.
Some of the improvements have been:
- Better visualization for OSS Index results: the initial plain-text list of dependencies and vulnerabilities has been replaced by a colored, table-like output that is easier to read and understand, with an option to also print a dependency tree so you can identify which transitive dependency is bringing vulnerabilities into a project.
- Option to view only vulnerable dependencies in OSS Index results, if you prefer to focus on addressing the vulnerabilities ;)
- New flag to include dependencies from all configurations: Gradle builds are highly customizable, so it is now possible to include dependencies beyond the default configurations (such as releaseCompileClasspath) for both OSS Index and Nexus Lifecycle.
- Improved support for Android projects: projects with build variants and product flavors are now fully supported.
- InnerSource Insight has arrived: Nexus Lifecycle customers can now better understand vulnerabilities carried over from InnerSource components and their transitive dependencies. More details about InnerSource Insight at: https://help.sonatype.com/iqserver/reporting/application-composition-report/innersource-insight
- Continuously improved documentation: we do our best to keep the README.md file up to date with all new features and instructions, so users can start using the plugin according to their needs and remediate vulnerabilities quickly!
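To make the options above concrete, here is an added example of a build.gradle that turns them on for the free OSS Index audit. This is not code from the original post or from the plugin's repository: the plugin id and the ossIndexAudit task name are the ones the project publishes, but the property names (allConfigurations, showAll, dependencyGraph, colorEnabled) are assumed from the README as I remember it, the version string is a placeholder, and the two dependencies are constructed sample input. Check the names against the current README before copying.

```groovy
// Added example, not code from the original post or the plugin.
// Property names are assumed from the plugin README and should be
// verified against the version you use; 'x.y.z' is a placeholder.
plugins {
    id 'java'
    id 'org.sonatype.gradle.plugins.scan' version 'x.y.z'
}

repositories {
    mavenCentral()
}

dependencies {
    // Constructed sample dependencies so the audit has something to scan.
    // guava sits on the runtime classpath; junit only on the test
    // configurations, so it is only audited when allConfigurations is on.
    implementation 'com.google.guava:guava:30.1-jre'
    testImplementation 'junit:junit:4.12'
}

// OSS Index audit (free service; no credentials needed for basic use).
ossIndexAudit {
    // Include every configuration (test, annotation processors, ...),
    // not only the default classpath configuration.
    allConfigurations = true

    // Report only dependencies that carry vulnerabilities.
    showAll = false

    // Print the dependency tree so the transitive path that pulls in a
    // vulnerable library is visible in the output.
    dependencyGraph = true

    // Colored, table-like output.
    colorEnabled = true
}
```

Run it with `./gradlew ossIndexAudit`. The allConfigurations flag is the one to watch: with it left at its default, a vulnerable library that only reaches your build through a test, lint, or annotation-processor configuration is never sent to OSS Index, so a clean report does not mean every configuration was audited.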
Hopefully our new friend will motivate us and the plugin's users to stay in an inquisitive mood, looking for vulnerabilities in Open Source dependencies in all kinds of Gradle projects while also finding new ways to keep improving this plugin.
Thanks to all who have used the plugin and helped make it better by creating issues with your feedback and requests.
You haven't used it yet? Well, using OSS Index is completely free, so go for it!