Open Pururun opened 1 week ago
This is more likely an issue for https://github.com/dependency-check/dependency-check-gradle than here.
All of the "new" CVEs are because the new android-gradle-plugin version is dynamically adding a whole lot of new Gradle configurations such as app:_internal-unified-test-platform-android-test-plugin-result-listener-gradle
from the unified-test-platform which have vulnerable dependencies and are now being detected and scanned by default (where they were not in earlier versions). I suspect they changed something about the way the plugin works.
These configurations don't exist in the ODC report for earlier versions. You can see them in the HTML report for a new version.
I tried to quickly configure these configurations to be skipped, but it doesn't seem to work, probably due to the time within the Gradle lifecycle at which that plugin creates the configurations.
```kotlin
// Runs once the module's build script has been evaluated; AGP may still
// register its unified-test-platform configurations after this point.
afterEvaluate {
    configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
        // Skip every configuration whose name contains "unified-test-platform"
        // (the predicate must select the configurations to skip, not the rest).
        skipConfigurations = configurations
            .filter { it.name.contains("unified-test-platform") }
            .map { it.name }
    }
}
```
If you understand AGP better than I, you might want to try what happens if you ensure that AGP is configured prior to the ODC plugin (normally order is dependent in plugins { } blocks, but you folks seem to use a mixture of this and buildscript dependencies, so not sure).
If you think that the plugin should have an obvious way to detect and exclude these special configurations or shouldn't be looking at them, it might be something similar to https://github.com/dependency-check/dependency-check-gradle/issues/239 however I am not sure :-) Generally speaking, all configurations are valid to scan unless configured otherwise, I believe.
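As an added example (not code from this thread or from the dependency-check-gradle project), one way to make the skip list independent of when AGP registers its configurations is to compute it when the analyze task actually runs, because by then every configuration of the module exists. It assumes the Gradle Kotlin DSL, the plugin ids `com.android.application` and `org.owasp.dependencycheck`, the `skipConfigurations` property on `DependencyCheckExtension` (the property used in the snippet above) and that the analyze task reads that property at execution time; the AGP version is a placeholder and the regex is constructed from the name fragment quoted in the thread.

```kotlin
// build.gradle.kts of the Android app module (added example; plugin ids and
// the AGP version are assumptions, the ODC version is the one from the report)
import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension

plugins {
    id("com.android.application") version "8.5.0"   // placeholder AGP version
    id("org.owasp.dependencycheck") version "9.2.0"
}

// Configurations whose names match this pattern are excluded from the scan.
// "unified-test-platform" is the name fragment seen in the new configurations.
val skipPattern = Regex("unified-test-platform")

// Decide the skip list at execution time: when dependencyCheckAnalyze runs,
// AGP has already registered all of its configurations, so the list is
// complete regardless of plugin order or afterEvaluate timing.
tasks.named("dependencyCheckAnalyze") {
    doFirst {
        val odc = project.extensions.getByType(DependencyCheckExtension::class.java)
        val skipped = project.configurations.names.filter { skipPattern.containsMatchIn(it) }
        odc.skipConfigurations = skipped
        // Log what was excluded so the decision is visible in the build output.
        logger.lifecycle("dependency-check: skipping ${skipped.size} configuration(s): $skipped")
    }
}
```

After a run, check the HTML report: the `unified-test-platform` configurations should no longer appear among the scanned ones, while the findings from the module's regular configurations are unchanged. Reading `project` inside a task action is incompatible with Gradle's configuration cache; if the build relies on it, compute the list at configuration time instead (for example by appending names to `skipConfigurations` from `configurations.configureEach`, which also fires for configurations AGP adds later).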
Describe the bug
Running the :dependencyCheckAnalyze gradle task gives different results depending on which version of the android gradle plugin is used. This is despite the dependencies that generate the CVE errors not having changed.
Version of dependency-check used
Using org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on 9.0.9
Log file https://gist.github.com/Pururun/89199a37e9794bac5969193f2a5ed685
To Reproduce
Update to AGP 8.4 or 8.5
Expected behavior
Consistent behaviour regardless of AGP version.
Additional context
Here is our configuration of Gradle:
global gradle
test gradle
Here is the suppress file for the app: https://github.com/mullvad/mullvadvpn-app/blob/main/android/config/dependency-check-suppression.xml
Suppression file for tests: https://github.com/mullvad/mullvadvpn-app/blob/main/android/test/test-suppression.xml