safedep / vet

Tool to achieve policy driven vetting of open source dependencies
https://safedep.io
Apache License 2.0

Unable to generate output through Vet #200

Closed kunwaratulhax0r closed 7 months ago

kunwaratulhax0r commented 7 months ago

Hi, while running Vet locally I am not able to generate the output. Following the documentation, vet auth configure --community is already set. Please refer to the screenshot below.


Also tried to run it with this command: vet scan --lockfiles build.gradle --lockfile-as gradle.lockfile. The results are the same.

We ran the same commands on different repos and no output received.

abhisek commented 7 months ago

Hi @kunwaratulhax0r, thanks for using vet and raising potential bugs.

build.gradle is actually not a valid lockfile; it is for declaring dependencies only. But gradle.lockfile is a valid lockfile. Can you check if you have a gradle.lockfile available in your source code? You should be scanning that gradle.lockfile. In case you do not have a gradle.lockfile, you should be able to generate it using gradle.

You can try out the Java example here, which has a build.gradle and a gradle.lockfile generated from the build.gradle file: https://github.com/safedep/demo-client-java/

You can also refer to the gradle documentation on generating gradle.lockfile: https://docs.gradle.org/current/userguide/dependency_locking.html

kunwaratulhax0r commented 7 months ago

So is it mandatory to have a gradle.lockfile in the repo? Or can we run it without it, just by defining the path of the repo with vet scan -D /filepath/?

abhisek commented 7 months ago

@kunwaratulhax0r When you are scanning a directory using -D /path/, vet actually looks for supported lockfiles such as gradle.lockfile, package-lock.json etc. Without a lockfile, vet cannot discover third-party dependencies (although we have a planned feature of discovering this from code).

For now, I suggest you add the following to your build.gradle file:

dependencyLocking {
    lockAllConfigurations()
}

Then generate the gradle.lockfile:

./gradlew assemble --write-locks

Then you can scan the gradle.lockfile using vet.
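To make the maintainer's point concrete (build.gradle only declares dependencies; gradle.lockfile pins resolved coordinates that a scanner can identify), here is an added example, not vet's own code, that parses the gradle.lockfile format written by --write-locks and rejects a build.gradle fed to it by mistake. The sample lockfile and build.gradle contents are constructed for this example; the Package URL helper is an assumption about how a scanner might name the packages, not vet's implementation.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of what `./gradlew assemble --write-locks` produces.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.fasterxml.jackson.core:jackson-databind:2.13.4.2=compileClasspath,runtimeClasspath
org.apache.logging.log4j:log4j-core:2.17.1=runtimeClasspath
empty=annotationProcessor
"""

# Constructed build.gradle fragment: a declaration with a dynamic version,
# which is why it cannot serve as a lockfile.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.+'
}
"""

# One pinned entry: group:artifact:version=config1,config2
LOCK_LINE = re.compile(r"^(?P<group>[^:=]+):(?P<artifact>[^:=]+):(?P<version>[^=]+)=(?P<configs>.*)$")


class LockedDependency(NamedTuple):
    group: str
    artifact: str
    version: str
    configurations: Tuple[str, ...]

    def purl(self) -> str:
        # Hypothetical Maven Package URL for the pinned coordinate.
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"


def parse_gradle_lockfile(text: str) -> List[LockedDependency]:
    """Return every pinned dependency; raise ValueError on a non-lockfile line."""
    deps: List[LockedDependency] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # comments and configurations that resolved to nothing
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a gradle.lockfile entry: {raw!r}")
        deps.append(LockedDependency(m["group"], m["artifact"], m["version"],
                                     tuple(m["configs"].split(","))))
    return deps


def looks_like_lockfile(text: str) -> bool:
    """True only if every non-comment line is an exact, resolved coordinate."""
    try:
        parse_gradle_lockfile(text)
        return True
    except ValueError:
        return False
```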

kunwaratulhax0r commented 7 months ago

Yeah, trying the same. Thanks for the help :)

Will let you know once it's done.

kunwaratulhax0r commented 7 months ago

Able to produce the output now.

Thanks for the help @abhisek, let's meet at Black Hat Asia.

abhisek commented 7 months ago

Great. Looking forward 👍