Working with external dependencies and plugins published on third-party repositories puts your build at risk. In particular, you need to be aware of what binaries are brought in transitively and if they are legit. To mitigate the security risks and avoid integrating compromised dependencies in your project, Gradle supports dependency verification.
Gradle can check dependencies' checksums at build time and verify whether dependencies have been compromised.
I set the Gradle option to only warn when a checksum check throws an error.
If you want to make a new `verification-metadata.xml`, run this: `gradle --write-verification-metadata sha256 check`
What I have done and why
Set Gradle verification. From this documentation
How I'm testing it
Choose at least one: