jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

docs: update documentation for Gradle plugin #7143

Closed tylervz closed 1 week ago

tylervz commented 2 weeks ago

Fixes Issue

Description of Change

Update the "Example" and "Advanced Configuration" sections of the Gradle plugin documentation to use non-deprecated code samples.

Using a closure to configure proxy or data is now deprecated:

https://github.com/dependency-check/dependency-check-gradle/blob/aaab86c7fa26a855a625999df24d6907f088ce85/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy#L229-L232

https://github.com/dependency-check/dependency-check-gradle/blob/aaab86c7fa26a855a625999df24d6907f088ce85/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy#L328-L337

When adding this plugin to a project today, I noticed that a code snippet in my build.gradle, similar to examples in the documentation, was highlighted in IntelliJ as being deprecated. I'm not super well versed in Gradle, but I was able to quickly find a fix which works for configuring the DependencyCheckExtension and does not rely on using a closure.

I don't know what the best way to update the analyzers code sample in the configuration-aggregate documentation would be, though:

https://github.com/jeremylong/DependencyCheck/blob/531743481768dd089f3f354284f8fd5495de77cf/src/site/markdown/dependency-check-gradle/configuration-aggregate.md?plain=1#L193-L206

https://github.com/dependency-check/dependency-check-gradle/blob/aaab86c7fa26a855a625999df24d6907f088ce85/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy#L307-L316

I feel like there's a better way to do it than the code below, so I did not include a change for this in my pull request. If anyone has suggestions on how to best write this configuration without using a closure, I'd love to hear your suggestions!

dependencyCheck {
    analyzers.assemblyEnabled = false
    analyzers.artifactory.enabled = true
    analyzers.artifactory.url = 'https://internal.artifactory.url'
    analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
}

Have test cases been added to cover the new functionality?

No, because new functionality has not been added.
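For readers who want to see what the PR's change looks like for the proxy and data settings, here is an added illustration in the same property-assignment form as the analyzers snippet above. It is not code from the PR or from the plugin's documentation; the property names proxy.server, proxy.port, data.directory and failBuildOnCVSS are assumed to match the plugin's extension classes, and the server name, port and path are constructed sample values.

```groovy
// build.gradle (Groovy DSL). Added illustration, not taken from the PR or the
// plugin docs. Property names below are assumptions about the plugin's
// ProxyExtension / DataExtension; confirm them against the configuration
// reference for the plugin version you use.
plugins {
    id 'org.owasp.dependencycheck' version 'PLUGIN_VERSION_PLACEHOLDER'
}

// Closure style that the PR description reports as deprecated for proxy/data:
//
// dependencyCheck {
//     proxy {
//         server = 'proxy.internal.example'
//         port = 8080
//     }
//     data {
//         directory = "${layout.buildDirectory.get().asFile}/dependency-check-data"
//     }
// }

// Equivalent property-assignment style, mirroring the analyzers snippet in
// the PR description, so IntelliJ no longer flags a deprecated closure.
dependencyCheck {
    proxy.server = 'proxy.internal.example'   // constructed sample host
    proxy.port = 8080                         // constructed sample port
    // Constructed sample path: keeps the downloaded NVD data inside the build
    // directory so it is easy to cache between CI runs.
    data.directory = "${layout.buildDirectory.get().asFile}/dependency-check-data"
    analyzers.assemblyEnabled = false
    // Assumed property: fail the build when a finding reaches this CVSS score,
    // which is the setting that turns a report into an enforced gate.
    failBuildOnCVSS = 7.0
}
```

Run `gradle dependencyCheckAnalyze --warning-mode all` once after switching styles; if the closure-deprecation warning no longer appears, the migration matches what the PR aims for.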

tylervz commented 2 weeks ago

@jeremylong does that mean you would like me to update my pull request by changing the analyzers code sample in the configuration-aggregate documentation like so?

dependencyCheck {
    analyzers.assemblyEnabled = false
    analyzers.artifactory.enabled = true
    analyzers.artifactory.url = 'https://internal.artifactory.url'
    analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
}

jeremylong commented 2 weeks ago

I'm ambivalent regarding the way this is documented. If the example works and doesn't produce warnings about deprecated functions, I'm good. How this is done is a matter of style and different teams will have different opinions. I'm not sure if there is any official preference/style guide for Gradle.