Open 2013kaa opened 1 year ago
@2013kaa It's a good request. Let me think about this.
@prabhu I think this would be a great idea for companies with a lot of development teams. Let me explain a little about my problem and how I arrived at it. All the SCA scanners I've looked at work either through a build plugin (cyclonedx-gradle-plugin, for example) or as an audit of build files (build.gradle, for example). The first option is preferable, as it gives the most complete report. That's fine when you have a CI/CD templating standard and all teams use the same version of Gradle and Java: you run a separate job in the pipeline with cyclonedx-gradle-plugin and enjoy the resulting bom.json. But in my case this is not so :) Different teams, different versions of gradle/java/npm/nodejs, and some completely non-standard pipelines using werf. I tried to create a universal security_pipeline for this, but I realized that it is not a feasible task. But I can ask my favorite developers and devops to dump the result of "gradlew dependencies -q --console > dep.txt" as an artifact from the build stage and pass it as input to your application. After all, all the collector plugins still run this task and analyze its result. It seems to me that this will save time, will keep the bom.json reports consistent, and will be a universal solution. Just in case, as test data you have:
@prabhu Do you have any ideas about my proposal? :) That would be super!
@2013kaa Not yet. Busy with adding containers and os scans. Any idea how much time we will likely trim for you with this caching? One idea could be to add support for reading from stdin so you can run gradle and pipe it to cdxgen.
@prabhu Each assembly of sbom.xml takes us from 5 to 10 minutes, times 300 projects in GitLab! It's more about convenience and ease of use. Developers can send me the output of "gradlew dependencies" or pass it between CI/CD tasks as an artifact, instead of reusing their image and environment every time to re-run "gradlew dependencies".
@2013kaa Would you prefer support for the gradle lock file? https://docs.gradle.org/current/userguide/dependency_locking.html#lock_state_location_and_format
Could you find out from your dev teams if they could create and maintain the lock files in the repo? This is consistent with other languages that can automatically use lock files.
@prabhu Unfortunately, our programmers are too lazy, and there are too many of them for me to force them on my own :( Still looking forward to the new feature :)
Hi. If I understand correctly, when scanning projects with Gradle, cdxgen launches its own task "gradlew dependencies -q --console" and then analyzes the dependencies. Is it possible to pass cdxgen a ready-made file from "gradlew dependencies -q --console > dep.txt" as input?
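As an added illustration of what the issue is asking for (this is example code written for this page, not cdxgen's own implementation or its CLI), the parser below takes the plain-text tree printed by `gradlew dependencies -q --console=plain`, as it would arrive in a `dep.txt` artifact, and turns it into a de-duplicated list of resolved Maven coordinates with package URLs, then wraps them in a minimal CycloneDX document. It handles the notations Gradle uses in that tree: `a:b:1.0 -> 1.2` (version upgraded by conflict resolution), `a:b -> 1.2` (version supplied by a platform or constraint), `(*)` (repeated subtree, already listed), `(c)` (a constraint, not a real dependency, so it is skipped), `(n)` (not resolved, skipped), `FAILED`, and `project :sub` rows for subprojects of the same build. The sample input embedded as `SAMPLE_OUTPUT` is constructed for the example; the function and field names are this example's own.

```javascript
// Added example: parse `gradlew dependencies -q --console=plain` output
// (e.g. a dep.txt artifact) into CycloneDX-style components.
// Not cdxgen code; SAMPLE_OUTPUT is a constructed sample, not a real project.
const SAMPLE_OUTPUT = [
  "------------------------------------------------------------",
  "Root project 'demo'",
  "------------------------------------------------------------",
  "",
  "compileClasspath - Compile classpath for source set 'main'.",
  "+--- org.springframework.boot:spring-boot-starter-web:3.1.0",
  "|    +--- org.springframework.boot:spring-boot-starter:3.1.0",
  "|    |    \\--- org.yaml:snakeyaml:1.33",
  "|    \\--- org.springframework:spring-web:6.0.9",
  "+--- com.fasterxml.jackson.core:jackson-databind:2.15.0 -> 2.15.2",
  "+--- com.google.guava:guava -> 32.0.1-jre",
  "+--- org.slf4j:slf4j-api:2.0.7 (c)",
  "\\--- project :lib",
  "",
  "runtimeClasspath - Runtime classpath for source set 'main'.",
  "+--- org.springframework.boot:spring-boot-starter-web:3.1.0 (*)",
  "\\--- com.fasterxml.jackson.core:jackson-databind:2.15.0 -> 2.15.2",
  "",
  "(c) - A dependency constraint, not a dependency. The dependency affected by the constraint occurs elsewhere in the tree.",
  "(*) - Indicates repeated occurrences of a transitive dependency subtree. Gradle expands transitive dependency subtrees only once per project; repeat occurrences only display the root of the subtree, followed by (*).",
].join("\n");

// Turn one tree row (text after "+--- " / "\--- ") into group/name/version,
// using the *resolved* version when Gradle printed "declared -> resolved".
// Returns null for rows that are not resolved external modules.
function parseCoordinate(text) {
  let s = text.trim();
  if (s.startsWith("project ")) return null;   // subproject of this build, not a third-party artifact
  if (/ FAILED$/.test(s)) return null;          // resolution failed
  if (/ \((c|n)\)$/.test(s)) return null;       // (c) constraint only, (n) not resolved
  s = s.replace(/ \(\*\)$/, "");                // (*) repeated subtree: still a real dependency
  const [left, right] = s.split(" -> ");
  let parts = left.split(":");
  if (right !== undefined) {
    // "g:a:v -> v2" or "g:a -> v": the right side is the resolved version;
    // "g:a:v -> g2:a2:v2" is a module substitution, take the right side whole.
    parts = right.includes(":") ? right.split(":") : [parts[0], parts[1], right];
  }
  if (parts.length < 3 || parts.some((p) => !p)) return null;
  const [group, name, version] = parts;
  return { group, name, version, purl: `pkg:maven/${group}/${name}@${version}` };
}

// Walk the whole report. Each configuration header ("compileClasspath - ...")
// starts a new tree; each level of nesting is a 5-character prefix ("|    ").
function parseGradleDependencies(text) {
  const byPurl = new Map();
  let configuration = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (!line) continue;
    const row = line.match(/^((?:[| ] {4})*)[+\\]--- (.+)$/);
    if (row) {
      const coord = parseCoordinate(row[2]);
      if (!coord) continue;
      const depth = row[1].length / 5;
      let entry = byPurl.get(coord.purl);
      if (!entry) {
        entry = { ...coord, direct: false, configurations: new Set() };
        byPurl.set(coord.purl, entry);
      }
      if (depth === 0) entry.direct = true; // declared directly in this project
      if (configuration) entry.configurations.add(configuration);
      continue;
    }
    const header = line.match(/^([A-Za-z][\w.-]*)(?: \(n\))?(?: - .*)?$/);
    if (header) configuration = header[1];
  }
  return [...byPurl.values()]
    .map((e) => ({ ...e, configurations: [...e.configurations].sort() }))
    .sort((a, b) => a.purl.localeCompare(b.purl));
}

// Minimal CycloneDX 1.5 document; only the fields the tree output can justify.
function toCycloneDxBom(components) {
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.5",
    version: 1,
    components: components.map((c) => ({
      type: "library", group: c.group, name: c.name, version: c.version, purl: c.purl,
    })),
  };
}

console.log(JSON.stringify(toCycloneDxBom(parseGradleDependencies(SAMPLE_OUTPUT)), null, 2));
```

To run it against a real artifact, replace `SAMPLE_OUTPUT` with the contents of `dep.txt` (for example `require("fs").readFileSync("dep.txt", "utf8")`, or read file descriptor 0 if the report is piped in on stdin, as suggested in the thread). Two points matter for an SBOM: the resolved version after `->` is the one that actually ends up on the classpath, so it is the one to record, and `(c)` rows describe constraints rather than artifacts and must not become components.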