dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0

Support for vulnerability analysis of gradle version catalog #376

Open mluckam opened 8 months ago

mluckam commented 8 months ago

Gradle introduced version catalogs as part of Gradle 7. This plugin is capable of determining dependency vulnerabilities in projects that utilize a version catalog. What I propose is the ability to determine vulnerabilities on the libraries and plugins declared in a version catalog project. This would allow a Gradle version catalog to maintain vulnerability information instead of depending on downstream projects to report a vulnerability.

This functionality could be added to the task 'dependencyCheckAnalyze'. Alternatively, a new task, something like 'catalogCheckAnalyze', could be utilized to perform this operation. I wanted to discuss the proposal to gauge interest.

jeremylong commented 8 months ago

This would be a good addition.