
Gradle task :dependencyCheckAnalyze gives different result depending on version of AGP #401

Open
Pururun opened this issue Jul 24, 2024 · 1 comment

Comments

@Pururun

Pururun commented Jul 24, 2024

(This is copied from jeremylong/DependencyCheck#6740 where I by accident posted this issue first)

Describe the bug
Running the :dependencyCheckAnalyze Gradle task gives different results depending on which version of the Android Gradle Plugin is used. This is despite the fact that the dependencies that generate the CVE errors have not changed.

Version of dependency-check used
Using org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on 9.0.9

Log file
https://gist.github.com/Pururun/89199a37e9794bac5969193f2a5ed685

To Reproduce
Update to AGP 8.4 or 8.5

Expected behavior
Consistent behaviour regardless of AGP version.

Additional context
Here is our Gradle configuration:

global gradle

allprojects {
    configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
        failBuildOnCVSS = 0F // All severity levels
        suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"
    }
}

test gradle

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    // Skip the lintClassPath configuration, which relies on many dependencies that have been flagged
    // as having CVEs, as it's related to the lint tooling rather than the project's compilation class
    // path. The alternative would be to suppress specific CVEs, but that could potentially
    // result in suppressed CVEs in the project's compilation class path.
    skipConfigurations = listOf("lintClassPath")
    suppressionFile = "$projectDir/../test-suppression.xml"
}

Here is the suppress file for the app:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/config/dependency-check-suppression.xml

Suppression file for tests:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/test/test-suppression.xml

I have also tried moving the plugin out of the project file and applying it to each module separately, but this did not help.

@stephenruda

I ran into this same problem when I updated my AGP version a month or two ago. I am not really sure what changed in the new version of the AGP, but a bunch of configurations were exposed that previously weren't exposed, and thus they are getting scanned for vulnerabilities. I don't really think this is the fault of this plugin.

I looked back through older versions of the AGP and I can see that the vulnerabilities were still there. There is just something different about how things are being compiled, and these configurations are now being exposed and scanned when they were not previously.

I also looked ahead at the latest version of the AGP and some of its dependencies and I can see that the vulnerabilities still exist.

Ultimately, it was tedious but we added all of these new issues to our suppression file. I'd love if the AGP didn't have vulnerable dependencies but there really isn't anything that we could do to fix it other than wait for Google to address it.

Not that this will really help you with your problem or anything - just trying to add more information for discussion.
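The issue body blocklists lintClassPath and the comment above resorts to suppressing every newly reported CVE. A third option, shown here as an added example that is not from the mullvadvpn-app project or from the reporter, is to allowlist the configurations dependency-check scans, so configurations a newer AGP exposes are never picked up. The configuration names are assumptions based on standard AGP naming for a release variant and should be checked against the module's actual configurations.

```kotlin
// Added example, not the project's own build script.
// Allowlist the configurations that ship in the artifact instead of
// blocklisting whatever tooling configurations AGP happens to expose.
configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    failBuildOnCVSS = 0F // All severity levels, as in the original setup
    suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"

    // Only these configurations are scanned; everything else (lintClassPath,
    // kapt/ksp classpaths, or new configurations from an AGP upgrade) is skipped.
    // Assumed names: verify with `./gradlew :app:dependencies`.
    scanConfigurations = listOf(
        "releaseRuntimeClasspath",
        "releaseCompileClasspath",
    )
}
```

The trade-off is that build-tooling dependencies drop out of the report entirely rather than being reviewed case by case, so CVEs in the build toolchain need a separate control. If suppression is still preferred, a single suppression entry with a packageUrl regex can cover a whole lint tool group instead of one entry per CVE.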
