You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Running the :dependencyCheckAnalyze gradle task gives different result depending on which version of the android gradle plugin is used. This is despite the dependencies that generate the CVE errors have not changed.
Version of dependency-check used
Using org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on 9.0.9
configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
// Skip the lintClassPath configuration, which relies on many dependencies that has been flagged
// to have CVEs, as it's related to the lint tooling rather than the project's compilation class
// path. The alternative would be to suppress specific CVEs, however that could potentially
// result in suppressed CVEs in project compilation class path.
skipConfigurations = listOf("lintClassPath")
suppressionFile = "$projectDir/../test-suppression.xml"
}
I ran into this same problem when I updated my AGP version a month or two ago. I am not really sure what changed in the new version of the AGP but a bunch of configurations were exposed that previously weren't exposed and thus they are getting scanned for vulnerabilities. I don't really think this is really the fault of this plugin.
I looked back through at older versions of the AGP and I can see that the vulnerabilities were still there. There is just something different about how things are being compiled and these configurations are now being exposed and scanned when they were not previously.
I also looked ahead at the latest version of the AGP and some of its dependencies and I can see that the vulnerabilities still exist.
Ultimately, it was tedious but we added all of these new issues to our suppression file. I'd love if the AGP didn't have vulnerable dependencies but there really isn't anything that we could do to fix it other than wait for Google to address it.
Not that this will really help you with your problem or anything - just trying to add more information for discussion.
(This is copied from jeremylong/DependencyCheck#6740 where I by accident posted this issue first)
Describe the bug
Running the :dependencyCheckAnalyze gradle task gives different result depending on which version of the android gradle plugin is used. This is despite the dependencies that generate the CVE errors have not changed.
Version of dependency-check used
Using
org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on
9.0.9
Log file
https://gist.github.com/Pururun/89199a37e9794bac5969193f2a5ed685
To Reproduce
Update to AGP 8.4 or 8.5
Expected behavior
Consistent behaviour regardless of AGP version.
Additional context
Here is our configuration if gradle:
global gradle
test gradle
Here is the suppress file for the app:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/config/dependency-check-suppression.xml
Suppression file for tests:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/test/test-suppression.xml
I have also tried to move the plugin out of the project file and applying it to each module separately, this did not help.
The text was updated successfully, but these errors were encountered: