It appears as though only project configurations are scanned, but not the buildscript's (project.buildscript.configurations). This is perhaps less important but seems useful to add to avoid tampering with a build. Dependabot has raised a few security issues within this plugin's transitives (Jackson, SnakeYaml, Commons Text, Jsoup), which it caught due to also using gradle-dependency-submission to allow a scan of the dependency graph. When these are flagged, I then add constraints to require minimum versions in the build.
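As an added illustration (not the plugin's code and not the reporter's), the Groovy-DSL fragment below does two things the report describes: it enumerates what a scan of `project.buildscript.configurations` would have to cover, including transitives, and it pins a minimum version on a buildscript transitive via a constraint. The task name, the chosen Jackson coordinate and the `MIN_VERSION_FROM_ADVISORY` placeholder are assumptions; substitute the fixed version from the advisory that was raised.

```groovy
import org.gradle.api.artifacts.component.ModuleComponentIdentifier

// buildscript {} must come first in a Groovy build script.
buildscript {
    dependencies {
        constraints {
            // Constraint on a transitive of a plugin: the 'classpath' configuration is
            // where Gradle resolves plugin jars. Version is a placeholder, not from the page.
            classpath('com.fasterxml.jackson.core:jackson-databind') {
                version { require 'MIN_VERSION_FROM_ADVISORY' }
                because 'raise the floor on a buildscript transitive flagged by Dependabot'
            }
        }
    }
}

// Added example task (name is an assumption): prints every resolved module on the
// buildscript classpath, i.e. the set a scanner limited to project configurations misses.
tasks.register('listBuildscriptDeps') {
    description = 'Prints resolved buildscript classpath modules, transitives included'
    doLast {
        def classpathConf = project.buildscript.configurations.getByName('classpath')
        // Walk the resolution result so transitive components are included, and skip
        // the root component, which is the project itself rather than an external module.
        classpathConf.incoming.resolutionResult.allComponents
            .findAll { it.id instanceof ModuleComponentIdentifier }
            .collect { it.moduleVersion }
            .sort { "${it.group}:${it.name}" }
            .each { println "${it.group}:${it.name}:${it.version}" }
    }
}
```

Run `gradle listBuildscriptDeps` and compare the output against the plugin's report to see which buildscript-only coordinates are not being covered.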
Really glad people are starting to think about build plugins. This is a huge attack surface I've been talking about for a while. I just implemented this for the ODC maven plugin (will be included in the 8.0.0 release): jeremylong/DependencyCheck#5001