Scan build environment (plugins) #283
Labels
Comments
|
Really glad people are starting to think about build plugins. This is a huge attack surface I've been talking about for a while. I just implemented this for the ODC maven plugin (will be included in the 8.0.0 release): jeremylong/DependencyCheck#5001 Working on the gradle plugin now. |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It appears as though only project configurations are scanned, but not the buldscript's (
project.buildscript.configurations). This is perhaps less important but seems useful to add to avoid tampering with a build. Dependabot has raised a few security issues within this plugin's transitives (Jackson, SnakeYaml, Commons Text, Jsoup), which it caught due to also using gradle-dependency-submission to allow a scan of the dependency graph. When these are flagged I then add constraints to require minimum versions in the build.The text was updated successfully, but these errors were encountered: