Open-source project name: sonatype-nexus-community/scan-gradle-plugin
Project URL: https://github.com/sonatype-nexus-community/scan-gradle-plugin
Language: Java 100.0%

Sonatype Scan Gradle Plugin - AKA Sherlock Trunks

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.

Compile and Publish to Local Maven Cache
If you want to save some time, skip integration tests:
Run Integration Tests
Compatibility

The plugin can be used on projects with Gradle 3.3 or higher (local installation or wrapper) and Java 8 installed locally.

Supported Programming Languages

Gradle can be used to build projects developed in various programming languages. This plugin supports:
How to Use
Some basic examples are provided next, which we strongly advise you to read :) After doing so, specific usage on CI tools can be found at https://github.com/guillermo-varela/example-scan-gradle-plugin

OSS Index

OSS Index can be used without any extra configuration, but to avoid reaching the limit for anonymous queries every user is encouraged to create a free account on OSS Index and use those credentials with this plugin. A cache can also be configured optionally.

If you are using Groovy (build.gradle file):

ossIndexAudit {
username = 'email' // if not provided, an anonymous query will be made
password = 'pass'
allConfigurations = false // if true includes the dependencies in all resolvable configurations. By default is false, meaning only 'compileClasspath', 'runtimeClasspath', 'releaseCompileClasspath' and 'releaseRuntimeClasspath' are considered
useCache = true // true by default
cacheDirectory = 'some/path' // by default it uses the user data directory (according to OS)
cacheExpiration = 'PT12H' // 12 hours if omitted. It must follow the Joda Time specification at https://www.javadoc.io/doc/joda-time/joda-time/2.10.4/org/joda/time/Duration.html#parse-java.lang.String-
colorEnabled = false // if true prints vulnerability description in color. By default is true.
dependencyGraph = false // if true prints dependency graph showing direct/transitive dependencies. By default is false.
proxyConfiguration { // extra configuration when running behind a proxy without direct internet access
protocol = 'http' // can be 'http' (default) or 'https'
host = 'proxy-host' // hostname for the proxy
port = 8080 // port for the proxy
authConfiguration.username = 'username' // username for the proxy (if credentials are required)
authConfiguration.password = 'password' // password for the proxy (if credentials are required)
}
showAll = false // if true prints all dependencies. By default is false, meaning only dependencies with vulnerabilities will be printed.
printBanner = true // if true will print ASCII text banner. By default is true.
modulesIncluded = ['module-1', 'module-2'] // Optional. For multi-module projects, the names of the sub-modules to include for auditing. If not specified all modules are included.
modulesExcluded = ['module-1', 'module-2'] // Optional. For multi-module projects, the names of the sub-modules to exclude from auditing. If not specified no modules are excluded. This value is processed after 'modulesIncluded' if both are specified.
// ossIndexAudit can be configured to exclude vulnerabilities from matching
excludeVulnerabilityIds = ['39d74cc8-457a-4e57-89ef-a258420138c5'] // list containing ids of vulnerabilities to be ignored
excludeCoordinates = ['commons-fileupload:commons-fileupload:1.3'] // list containing coordinate of components which if vulnerable should be ignored
}

Or if you are using Kotlin (build.gradle.kts file):

ossIndexAudit {
username = "email" // if not provided, an anonymous query will be made
password = "pass"
isAllConfigurations = false // if true includes the dependencies in all resolvable configurations. By default is false, meaning only "compileClasspath", "runtimeClasspath", "releaseCompileClasspath" and "releaseRuntimeClasspath" are considered
isUseCache = true // true by default
cacheDirectory = "some/path" // by default it uses the user data directory (according to OS)
cacheExpiration = "PT12H" // 12 hours if omitted. It must follow the Joda Time specification at https://www.javadoc.io/doc/joda-time/joda-time/2.10.4/org/joda/time/Duration.html#parse-java.lang.String-
isColorEnabled = false // if true prints vulnerability description in color. By default is true.
isDependencyGraph = false // if true prints dependency graph showing direct/transitive dependencies. By default is false.
proxyConfiguration { // extra configuration when running behind a proxy without direct internet access
protocol = "http" // can be "http" (default) or "https"
host = "proxy-host" // hostname for the proxy
port = 8080 // port for the proxy
authConfiguration.username = "username" // username for the proxy (if credentials are required)
authConfiguration.password = "password" // password for the proxy (if credentials are required)
}
isShowAll = false // if true prints all dependencies. By default is false, meaning only dependencies with vulnerabilities will be printed.
isPrintBanner = true // if true will print ASCII text banner. By default is true.
modulesIncluded = listOf("module-1", "module-2") // Optional. For multi-module projects, the names of the sub-modules to include for auditing. If not specified all modules are included.
modulesExcluded = listOf("module-1", "module-2") // Optional. For multi-module projects, the names of the sub-modules to exclude from auditing. If not specified no modules are excluded. This value is processed after 'modulesIncluded' if both are specified.
// ossIndexAudit can be configured to exclude vulnerabilities from matching
excludeVulnerabilityIds = listOf("39d74cc8-457a-4e57-89ef-a258420138c5") // list containing ids of vulnerabilities to be ignored
excludeCoordinates = listOf("commons-fileupload:commons-fileupload:1.3") // list containing coordinate of components which if vulnerable should be ignored
}
Nexus IQ Server Scan and Evaluate
Groovy:
Kotlin:
Nexus IQ Index

Allows you to save information about the dependencies of a project into module information (

For multi-module projects, you can configure a list of sub-modules to exclude from indexing.

Groovy:
Kotlin:
Sensitive Data

Sometimes it's not desirable to keep sensitive data stored on

Here is an example using project properties for the credentials, Groovy:
Kotlin:
On command line:
Each property name can be set as needed. Here is an example using system properties for the credentials (Groovy):

As mentioned above, the values can be set on the command line using -D arguments or injected by a tool (CI/CD, for instance). Finally, this is how environment variables can be used (usually the values are injected from the local environment or by a CI tool; Groovy):
Kotlin version:
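As an added illustration of the three approaches described above (this is not the project's own README snippet), the following build.gradle fragment resolves the OSS Index credentials from a Gradle project property, then a JVM system property, then an environment variable, and falls back to an anonymous query when none is set. It assumes the scan plugin is already applied; the property and variable names are assumptions.

```groovy
// Added example, not from the project's README. Assumes the scan plugin is
// already applied to this project so that the ossIndexAudit extension exists.
// Property/variable names (ossIndexUser, OSS_INDEX_USER, ...) are assumptions.

// Resolve a secret from, in order: a Gradle project property (-P flag or
// gradle.properties), a JVM system property (-D flag), an environment variable.
// A value that is set but blank is treated as unset, so the plugin falls back to
// an anonymous query instead of sending empty credentials.
def secret(String propName, String envName) {
    def candidates = [
        project.findProperty(propName),
        System.getProperty(propName),
        System.getenv(envName)
    ]
    def value = candidates.find { it != null && !it.toString().trim().isEmpty() }
    return value?.toString()
}

// Fail fast if only one half of the credential pair was supplied: OSS Index
// would reject the request, and the cause is easier to spot here than in the
// plugin's HTTP error output.
def user = secret('ossIndexUser', 'OSS_INDEX_USER')
def pass = secret('ossIndexPassword', 'OSS_INDEX_PASSWORD')
if ((user == null) != (pass == null)) {
    throw new GradleException('Provide both ossIndexUser and ossIndexPassword, or neither')
}

ossIndexAudit {
    username = user          // null -> anonymous (rate-limited) query
    password = pass
    useCache = true          // cached results reduce the number of queries made
    cacheExpiration = 'PT12H'
}
```

With this in place the credentials can be passed as -PossIndexUser=... / -PossIndexPassword=..., as -DossIndexUser=... / -DossIndexPassword=..., or exported as OSS_INDEX_USER / OSS_INDEX_PASSWORD by the CI runner, and nothing secret is written into the build script.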
Multi-module projects

Just apply the plugin on the root project and all sub-modules will be processed; the output will be a single report with all components found in each module. This includes Android projects.

Contributing

We care a lot about making the world a safer place, and that's why we created this

Check the full contributing guidelines at: CONTRIBUTING.md

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

Remember:
Phew, that was easier than I thought. Last but not least of all: Have fun creating and using

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information: