jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Gradle Plugin adds lots of dependencies to buildscript classpath #3213

Open JLLeitschuh opened 3 years ago

JLLeitschuh commented 3 years ago

Describe the bug

The Gradle Plugin Author documentation states the following:

It’s important to understand that a Gradle plugin does not run in its own, isolated classloader. In turn those dependencies might conflict with other versions of the same library being resolved from other plugins and might lead to unexpected runtime behavior. When writing Gradle plugins consider if you really need a specific library or if you could just implement a simple method yourself. A future version of Gradle will introduce proper classpath isolation for plugins. - https://docs.gradle.org/current/userguide/designing_gradle_plugins.html#minimizing_the_use_of_external_libraries

The DependencyCheck plugin pulls in quite a large dependency graph onto the build script classpath when applied.

\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.2
     \--- org.owasp:dependency-check-gradle:6.1.2
          +--- org.owasp:dependency-check-core:6.1.2
          |    +--- org.anarres.jdiagnostics:jdiagnostics:1.0.6
          |    +--- org.whitesource:pecoff4j:0.0.2.1
          |    +--- org.apache.commons:commons-jcs-core:2.2.1
          |    |    \--- commons-logging:commons-logging:1.2
          |    +--- com.github.package-url:packageurl-java:1.2.0
          |    +--- us.springett:cpe-parser:2.0.2
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- com.vdurmont:semver4j:3.1.0
          |    +--- org.slf4j:slf4j-api:1.7.30
          |    +--- org.owasp:dependency-check-utils:6.1.2
          |    |    +--- commons-io:commons-io:2.8.0
          |    |    +--- org.apache.commons:commons-lang3:3.12.0
          |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.2
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.2
          |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.12.2 (c)
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-core:2.12.2 (c)
          |    |    |    |         +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (c)
          |    |    |    |         \--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.2 (c)
          |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.2
          |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2 (*)
          |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.2 (*)
          |    |    +--- commons-codec:commons-codec:1.15
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- commons-collections:commons-collections:3.2.2
          |    +--- org.apache.commons:commons-compress:1.20
          |    +--- commons-io:commons-io:2.8.0
          |    +--- org.apache.commons:commons-lang3:3.12.0
          |    +--- org.apache.commons:commons-text:1.9
          |    |    \--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
          |    +--- org.apache.lucene:lucene-core:8.8.1
          |    +--- org.apache.lucene:lucene-analyzers-common:8.8.1
          |    |    \--- org.apache.lucene:lucene-core:8.8.1
          |    +--- org.apache.lucene:lucene-queryparser:8.8.1
          |    |    +--- org.apache.lucene:lucene-core:8.8.1
          |    |    +--- org.apache.lucene:lucene-queries:8.8.1
          |    |    \--- org.apache.lucene:lucene-sandbox:8.8.1
          |    +--- org.apache.velocity:velocity-engine-core:2.2
          |    |    +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- com.h2database:h2:1.4.199
          |    +--- org.glassfish:javax.json:1.1.4
          |    +--- org.jsoup:jsoup:1.13.1
          |    +--- com.sun.mail:mailapi:1.6.5
          |    |    \--- com.sun.activation:jakarta.activation:1.2.1
          |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
          |    +--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.2
          |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.2 (*)
          |    |    \--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
          |    +--- com.h3xstream.retirejs:retirejs-core:3.0.2
          |    |    +--- org.json:json:20190722
          |    |    +--- com.esotericsoftware:minlog:1.3.1
          |    |    \--- com.github.spullara.mustache.java:compiler:0.9.6
          |    +--- org.sonatype.ossindex:ossindex-service-client:1.7.0
          |    |    +--- org.sonatype.ossindex:ossindex-service-api:1.7.0
          |    |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.12.2 (*)
          |    |    |    +--- com.google.guava:guava:29.0-android
          |    |    |    |    +--- com.google.guava:failureaccess:1.0.1
          |    |    |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
          |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
          |    |    |    |    +--- org.checkerframework:checker-compat-qual:2.5.5
          |    |    |    |    +--- com.google.errorprone:error_prone_annotations:2.3.4
          |    |    |    |    \--- com.google.j2objc:j2objc-annotations:1.3
          |    |    |    +--- javax.ws.rs:javax.ws.rs-api:2.0.1
          |    |    |    \--- org.sonatype.goodies:package-url-java:1.1.1
          |    |    +--- javax.inject:javax.inject:1
          |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    +--- org.slf4j:jcl-over-slf4j:1.7.28
          |    |    |    \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
          |    |    +--- com.google.guava:guava:29.0-android (*)
          |    |    +--- joda-time:joda-time:2.10.4
          |    |    \--- com.google.code.gson:gson:2.8.5
          |    +--- com.google.guava:guava:[24.1.1,) -> 29.0-android (*)
          |    +--- com.moandjiezana.toml:toml4j:0.7.2
          |    |    \--- com.google.code.gson:gson:2.8.1 -> 2.8.5
          |    +--- com.hankcs:aho-corasick-double-array-trie:1.2.2
          |    +--- commons-validator:commons-validator:1.7
          |    |    +--- commons-beanutils:commons-beanutils:1.9.4
          |    |    |    +--- commons-logging:commons-logging:1.2
          |    |    |    \--- commons-collections:commons-collections:3.2.2
          |    |    +--- commons-digester:commons-digester:2.1
          |    |    +--- commons-logging:commons-logging:1.2
          |    |    \--- commons-collections:commons-collections:3.2.2
          |    \--- commons-beanutils:commons-beanutils:1.9.4 (*)
          +--- org.owasp:dependency-check-utils:6.1.2 (*)
          \--- net.gpedro.integrations.slack:slack-webhook:1.4.0
               \--- com.google.code.gson:gson:2.3.1 -> 2.8.5

Best practice is to move the logic of this plugin into a Gradle worker with an isolated/independent classpath. That way the dependencies for the core logic that this plugin provides are wholly isolated from other plugins applied to the build.

https://docs.gradle.org/current/userguide/worker_api.html

Using the worker API, the org.owasp:dependency-check-core dependency can be resolved on an isolated Gradle configuration. Thus, org.owasp:dependency-check-core and its dependents will exist on an independent classpath that won't cause conflicts with other plugins.

Version of dependency-check used

6.1.2

To Reproduce

Steps to reproduce the behavior:

  1. Apply the plugin
  2. Run ./gradlew buildEnvironment

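
Added example (not the project's or the reporter's code): a minimal Gradle plugin in Java that does what the post describes, resolving dependency-check-core on a private configuration and running the analysis inside a classLoaderIsolation worker. Assumptions: Gradle 6+, the plugin module compiles against dependency-check-core 6.1.2 as compileOnly, and the Engine/Settings calls follow the 6.x public API as I recall it (verify against the version you pin); the names IsolatedOdcPlugin, isolatedDependencyCheck and dependencyCheckCore are mine.

```java
import javax.inject.Inject;
import org.gradle.api.*;
import org.gradle.api.file.*;
import org.gradle.api.tasks.*;
import org.gradle.workers.*;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.utils.Settings;

public class IsolatedOdcPlugin implements Plugin<Project> {
    public void apply(Project project) {
        // Private, resolve-only configuration: ODC core never lands on the buildscript classpath.
        var odc = project.getConfigurations().create("dependencyCheckCore", c -> {
            c.setCanBeConsumed(false);
            c.defaultDependencies(d -> d.add(project.getDependencies().create("org.owasp:dependency-check-core:6.1.2")));
        });
        project.getTasks().register("isolatedDependencyCheck", AnalyzeTask.class, t -> {
            t.getOdcClasspath().from(odc); // becomes the worker's classpath; no other plugin sees it
            t.getReportDir().set(project.getLayout().getBuildDirectory().dir("reports/odc"));
        });
    }
    public abstract static class AnalyzeTask extends DefaultTask {
        @Inject public abstract WorkerExecutor getWorkerExecutor();
        @Classpath public abstract ConfigurableFileCollection getOdcClasspath();
        @InputFiles public abstract ConfigurableFileCollection getScanFiles();
        @OutputDirectory public abstract DirectoryProperty getReportDir();
        @TaskAction public void analyze() {
            // classLoaderIsolation: ODC core and its transitive jars are visible only inside this worker,
            // so they cannot collide with versions other plugins put on the build classpath.
            WorkQueue queue = getWorkerExecutor().classLoaderIsolation(spec -> spec.getClasspath().from(getOdcClasspath()));
            queue.submit(AnalyzeAction.class, p -> {
                p.getScanFiles().from(getScanFiles());
                p.getReportDir().set(getReportDir());
            });
        }
    }
    public interface AnalyzeParams extends WorkParameters {
        ConfigurableFileCollection getScanFiles();
        DirectoryProperty getReportDir();
    }
    public abstract static class AnalyzeAction implements WorkAction<AnalyzeParams> {
        public void execute() { // runs inside the isolated classloader, where Engine resolves
            Settings settings = new Settings();
            try (Engine engine = new Engine(settings)) {
                getParameters().getScanFiles().forEach(engine::scan);
                engine.analyzeDependencies();
                engine.writeReports("isolated-odc", getParameters().getReportDir().get().getAsFile(), "HTML", null);
            } catch (Exception e) { // ExceptionCollection / ReportException from ODC core
                throw new GradleException("dependency-check analysis failed", e);
            } finally { settings.cleanup(); }
        }
    }
}
```

A consuming build wires the files to scan, e.g. tasks.named('isolatedDependencyCheck') { scanFiles.from(configurations.runtimeClasspath) }, and ./gradlew buildEnvironment then lists only the plugin jar itself rather than the tree shown above.
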
jeremylong commented 3 years ago

Thanks for the information on the worker API. Not sure how quickly we can get to this. We do accept PRs...

Lucas3oo commented 3 years ago

What effort do you guys think it could be to start using worker API?

jeremylong commented 3 years ago

Honestly, the plugin itself isn't very big - most of the code is in ODC-core. If someone has time we accept PRs.