Sonatype has an ongoing commitment to the Open Source community to keep software developers aware of the components in their applications (their Bill of Materials, or BOM) and of any known vulnerabilities those components carry. We are constantly developing and releasing tools to help keep your applications safe. The newest free plugin in the Sonatype toolbox is a Gradle plugin to scan, evaluate, and audit Gradle project dependencies. It is available here.
This plugin supports Java, Kotlin, Scala, and Groovy applications using both single and multiple Gradle modules. (Yes, this includes Android!) The project's dependencies are scanned using Sonatype services to audit and evaluate the open source components they contain. There are two data pools we pull vulnerability data from:
- OSS Index: Our free service lets developers check whether any library has known or disclosed vulnerabilities. More info can be found here.
- Nexus Lifecycle: Our paid platform, with advanced curated data, lets developers and companies continuously monitor and protect the entire software supply chain.
How to Use the Gradle Plugin
Since the Scan Gradle Plugin is published to both Maven Central and the Gradle Plugin Portal, it can be applied in a build.gradle script either with the plugins DSL or, if your Gradle project uses the legacy syntax, with a buildscript classpath dependency followed by apply plugin.
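Both ways of applying the plugin, as an added example that is not part of the original post or of the plugin's own documentation. It assumes the plugin id org.sonatype.gradle.plugins.scan and the artifact coordinates org.sonatype.gradle.plugins:scan-gradle-plugin as published; X.Y.Z is a placeholder to be replaced with the current release. Use one variant or the other in a given build.gradle, not both.

```groovy
// Added example, not the original post's code. Pick ONE of the two variants.
// Assumed: plugin id 'org.sonatype.gradle.plugins.scan' and artifact
// 'org.sonatype.gradle.plugins:scan-gradle-plugin'. 'X.Y.Z' is a placeholder
// for the current release listed on the Gradle Plugin Portal.

// ---- Variant 1: build.gradle using the plugins DSL (Gradle Plugin Portal) ----
plugins {
    id 'java'
    id 'org.sonatype.gradle.plugins.scan' version 'X.Y.Z'
}

// ---- Variant 2: build.gradle using the legacy syntax (Maven Central) ----
// The buildscript block must come before any other statement in the script.
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.sonatype.gradle.plugins:scan-gradle-plugin:X.Y.Z'
    }
}
apply plugin: 'java'
apply plugin: 'org.sonatype.gradle.plugins.scan'
```

With either variant applied, the ossIndexAudit and nexusIQScan tasks described below become available in the project (run `gradle tasks` to confirm).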
Using OSS Index
OSS Index can be used without any extra configuration, but to avoid hitting the rate limit for anonymous queries, every user is encouraged to create a free account and configure its credentials in the plugin. For credentials and cache configuration, please refer to the plugin documentation.
To run the plugin, just execute the following command (using Gradle directly or the wrapper if available):
gradle ossIndexAudit --info
The output is a list of all open source components found among the project's dependencies and, for each affected component, the vulnerabilities reported for it. The task fails the build if it finds at least one vulnerable component, so it can act as a gate in CI until you address that component.
Using Nexus Lifecycle
Configure the IQ Server connection settings inside the nexusIQScan block of build.gradle.
For instructions on keeping sensitive data out of the script, please refer to the plugin documentation.
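A build.gradle that configures both the OSS Index credentials mentioned above and the nexusIQScan block, while keeping every secret out of the committed script, as an added example that is not part of the original post or of the plugin's own documentation. The task property names (username, password, serverUrl, applicationId, stage) are assumed to match the plugin README; the Gradle property names (ossIndexUsername, iqServerUrl, ...) and environment variable names (OSS_INDEX_USERNAME, IQ_PASSWORD, ...) are this example's own choices, and X.Y.Z is a placeholder for the current plugin release.

```groovy
// Added example, not the original post's code.
// Assumed: task properties username/password/serverUrl/applicationId/stage as
// documented in the plugin README; 'X.Y.Z' is a placeholder for the release.
// The property and environment variable names below are this example's own.
plugins {
    id 'java'
    id 'org.sonatype.gradle.plugins.scan' version 'X.Y.Z'
}

repositories {
    mavenCentral()
}

dependencies {
    // The project's normal dependencies go here; the plugin walks the
    // resolved dependency graph, so transitive components are covered too.
}

// Resolve a secret from a Gradle project property first (set in
// ~/.gradle/gradle.properties outside the repository, or passed with -P on the
// command line) and fall back to an environment variable, which is the usual
// way CI systems inject credentials. Nothing sensitive ends up in build.gradle.
def secret = { String propertyName, String envName ->
    (project.findProperty(propertyName) ?: System.getenv(envName)) as String
}

// OSS Index: authenticated queries get a higher quota than anonymous ones.
ossIndexAudit {
    username = secret('ossIndexUsername', 'OSS_INDEX_USERNAME')
    password = secret('ossIndexToken', 'OSS_INDEX_TOKEN')
}

// Nexus IQ Server: the evaluation is reported against the given application
// and lifecycle stage, and the task fails the build on policy violations.
nexusIQScan {
    serverUrl = secret('iqServerUrl', 'IQ_SERVER_URL')
    username = secret('iqUsername', 'IQ_USERNAME')
    password = secret('iqPassword', 'IQ_PASSWORD')
    applicationId = 'my-gradle-app' // the application's id in IQ Server
    stage = 'build'                 // e.g. 'build' for CI, 'release' for releases
}
```

Keeping the lookups in one closure means a reviewer can see at a glance that the script contains no literal credentials, and the same build.gradle works unchanged on a developer machine (properties file) and on a CI agent (environment variables).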
Then run the scan (again, using Gradle directly or the wrapper if available):
gradle nexusIQScan --info
When the scan and evaluation are done, the output is a brief summary of the components affected and the policy violations found, plus a URL to IQ Server where all the details can be found.
What’s Next?
Use the plugin in your Gradle projects, spread the word, and give us your feedback. If you'd like, you can even create an issue on GitHub, or fork the repository and submit a pull request with an improvement. It is open source, after all. 😁
Written by Guillermo Varela
Guillermo Varela is a software engineer who has happily gone through some of the diverse paths in software development: backend, frontend and mobile development, team leading and architecture. Many programming languages, tools and methodologies have come and gone, so he concluded that loving what you do and working collectively to achieve a goal is what leads to success and happiness.