The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
Gradle introduced version catalog as part of gradle 7. This plugin is capable of determining dependency vulnerabilities in projects that utilize a version catalog. What I propose is the ability to determine vulnerabilities on the libraries and plugins declared in a version catalog project. This would allow for a gradle version catalog to maintain vulnerability information instead of depending on downstream projects to report a vulnerability.
This functionality could be added to the task 'dependencyCheckAnalyze'. Alternatively a new task something like 'catalogCheckAnalyze' could be utilized to perform this operation. Wanted to discuss the proposal to gauge interest.
Gradle introduced version catalog as part of gradle 7. This plugin is capable of determining dependency vulnerabilities in projects that utilize a version catalog. What I propose is the ability to determine vulnerabilities on the libraries and plugins declared in a version catalog project. This would allow for a gradle version catalog to maintain vulnerability information instead of depending on downstream projects to report a vulnerability.
This functionality could be added to the task 'dependencyCheckAnalyze'. Alternatively a new task something like 'catalogCheckAnalyze' could be utilized to perform this operation. Wanted to discuss the proposal to gauge interest.