jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

OWASP Android project integration #7099

Open PRobi23 opened 4 weeks ago

PRobi23 commented 4 weeks ago

Hello,

I've integrated OWASP into my Android project. I've used the convention plugin to integrate OWASP into all my modules.

```kotlin
import java.io.FileInputStream
import java.util.Properties
import org.gradle.api.Project
import org.gradle.kotlin.dsl.configure
import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension

fun Project.configureOwasp() {
    // Per-module properties file that carries the NVD API key; keep it out of version control.
    val dependencyPropsFile = file("owasp.dependency")
    val dependencyProps = Properties()

    if (dependencyPropsFile.exists()) {
        FileInputStream(dependencyPropsFile).use { dependencyProps.load(it) }
    }

    val nvdApiKey = dependencyProps.getProperty("NVD_KEY")
    extensions.configure<DependencyCheckExtension> {
        scanConfigurations = listOf("releaseCompileClasspath")
        // CVSS scores top out at 10.0, so a threshold of 11 never fails the build.
        failBuildOnCVSS = 11f
        failOnError = false
        suppressionFile =
            "${this@configureOwasp.rootDir}/gradle/plugins/owasp-dependency-check-suppressions.xml"

        analyzers.apply {
            assemblyEnabled = false
            experimentalEnabled = true
            archiveEnabled = true
            jarEnabled = true
            centralEnabled = true
            pyDistributionEnabled = false
            pyPackageEnabled = false
            rubygemsEnabled = false
            opensslEnabled = false
            nuspecEnabled = false
            cmakeEnabled = false
            autoconfEnabled = true
            composerEnabled = false
            nodeEnabled = true
        }

        formats = listOf("XML", "HTML")

        nvd.apiKey = nvdApiKey
    }
}
```

However, when I call the dependencyCheckAggregate command, it generates a report per module. Is there a way to generate only one report? My problem with more reports is that SonarQube only accepts one file, not multiple ones.

Thanks!

aikebah commented 4 weeks ago

For dependencyCheckAggregate you should configure the dependencyCheck plugin in the top-level build file. It is supposed to report on the entire module hierarchy when configured with the aggregate goal in the top-level project. See also #3847

PRobi23 commented 4 weeks ago

So this means I don't have to set OWASP for every project? Or do I still have to do it in my top-level gradle file? Do you know if I need to add this?

check.dependsOn dependencyCheckAggregate

PRobi23 commented 4 weeks ago

I've already added to my root gradle file the owasp plugin inside the plugin block.

PRobi23 commented 3 weeks ago

Sorry, this didn't help. I've tried to add it only to the root project, but it will still run a report per module. @aikebah

aikebah commented 3 weeks ago

@PRobi23 I'm not a gradle user myself, so I can't help you get your config right, but I do know that you need to configure the gradle plugin to run only in the root project if you intend to run it as an aggregate plugin (invoking the dependencyCheckAggregate task) in order to obtain a single report for your multi-module project.

PRobi23 commented 3 weeks ago

@aikebah that's what I did.

In my root gradle file I've added this

```kotlin
alias(libs.plugins.owasp) apply false
```

(inside the plugins section), which points to

```toml
owasp = { id = "org.owasp.dependencycheck", version.ref = "owasp" }
owasp = "10.0.4"
```

and then I'm running the ./gradlew dependencyCheckAggregate command. Still it generates the dependency report per module, and I don't get why.

aikebah commented 3 weeks ago

@PRobi23 As said: I'm not a gradler... having said that, a quick Google search on the alias you quote leads me to this Stack Overflow question https://stackoverflow.com/questions/78672954/why-is-my-build-gradle-looking-like-this-aliaslibs-plugins-com-android-applic in which it's clearly visible that you've not configured the plugin to 'run in root, but not in submodules', but instead you configured it to 'not run in root, but only in submodules'
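The fix aikebah describes here, and in the earlier reply about configuring the plugin in the top-level build file, spelled out as a root `build.gradle.kts`. This is an added example, not code from the issue or from the dependency-check project. It assumes a version catalog alias `libs.plugins.owasp` for `org.owasp.dependencycheck` (as in the issue) and an NVD API key supplied through an `NVD_API_KEY` environment variable (an assumption); the threshold and analyzer choices are illustrative. `apply false` only registers a plugin in the root's classpath without applying it there, so the root never gets a `dependencyCheckAggregate` task of its own and every module that applies the plugin via the convention plugin writes its own report. Applying it in the root, and removing it from the per-module convention plugin, is what produces a single aggregate report.

```kotlin
// Root build.gradle.kts. Added example, not the issue author's or the project's code.
// Assumed: `libs.plugins.owasp` -> "org.owasp.dependencycheck", NVD key in $NVD_API_KEY.
import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension

plugins {
    base                       // gives the root project a `check` lifecycle task to hook into
    // alias(libs.plugins.owasp) apply false   // what the issue had: registered, but never
    //                                         // applied to the root, so each module that
    //                                         // applies it via the convention plugin
    //                                         // produces its own report
    alias(libs.plugins.owasp)  // apply in the root project, and only in the root project
}

// Configure the plugin once, here. Drop configureOwasp() from the per-module convention
// plugin; dependencyCheckAggregate walks every subproject from the root and writes one report.
configure<DependencyCheckExtension> {
    // Scan only what ships in the release artefact of each module.
    scanConfigurations = listOf("releaseCompileClasspath")
    // CVSS tops out at 10.0, so the issue's 11f never fails the build.
    // 7.0f (High) is a sensible gate if the scan is meant to block merges.
    failBuildOnCVSS = 7.0f
    failOnError = true
    suppressionFile = "$rootDir/gradle/plugins/owasp-dependency-check-suppressions.xml"
    // HTML for humans, one machine-readable file for the SonarQube side.
    formats = listOf("HTML", "JSON")
    // Single output location in the root build directory (not per module).
    outputDirectory = layout.buildDirectory.dir("reports/dependency-check").get().asFile.path
    // Read the key from the environment (assumed variable name); never commit it.
    nvd.apiKey = providers.environmentVariable("NVD_API_KEY").orNull
    analyzers.apply {
        // A Gradle/Android build only needs the JVM-oriented analyzers.
        jarEnabled = true
        centralEnabled = true
        archiveEnabled = true
        nodeEnabled = false           // enable only if a module vendors npm packages
        assemblyEnabled = false
        nuspecEnabled = false
        pyDistributionEnabled = false
        pyPackageEnabled = false
        rubygemsEnabled = false
        composerEnabled = false
        cmakeEnabled = false
        experimentalEnabled = false   // fewer false positives; turn on deliberately
    }
}

// Kotlin DSL equivalent of the Groovy `check.dependsOn dependencyCheckAggregate` from the issue.
tasks.named("check") {
    dependsOn("dependencyCheckAggregate")
}
```

With this in place, `./gradlew dependencyCheckAggregate` writes one report set under the root build directory, and that single JSON or HTML file is what you hand to the SonarQube dependency-check integration. If a module still shows its own `dependencyCheckAnalyze` task after this change, the convention plugin is still applying the plugin there and the per-module reports will come back.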

PRobi23 commented 3 weeks ago

Yes, you are right, thanks for your help @aikebah