snyk / gradle-plugin

Snyk Gradle Plugin - Scanning and monitoring your dependencies for security vulnerabilities from Gradle

Cannot resolve external dependency org.json:json:20200518 because no repositories are defined #1

Closed symphony-youri closed 1 year ago

symphony-youri commented 3 years ago

Using the Snyk Gradle plugin on a project without dependencies being declared in the root project seems to cause the plugin to fail.

As a workaround, I just added this block at the root of my project (otherwise the repositories block is just declared for subprojects):

repositories {
    jcenter()
}

Detailed output:

gradle snyk-test

> Task :snyk-check-binary
Using Snyk CLI version: 1.437.3 (standalone)

> Task :snyk-test FAILED

Gradle Error (short):
> Could not resolve all dependencies for configuration ':dataFiles'.
   > Cannot resolve external dependency org.json:json:20200518 because no repositories are defined.

===== DEBUG INFORMATION START =====
gradle command: 'gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /var/folders/mb/smjzq82150ddzvk3gq411h300000gn/T/tmp-31708-ZOsQSxlXFWSu--init.gradle

------------------------------------------------------------
Gradle 6.6.1
------------------------------------------------------------

Build time:   2020-08-25 16:29:12 UTC
Revision:     f2d1fb54a951d8b11d25748e4711bec8d128d7e3

Kotlin:       1.3.72
Groovy:       2.5.12
Ant:          Apache Ant(TM) version 1.10.8 compiled on May 10 2020
JVM:          1.8.0_265 (AdoptOpenJDK 25.265-b01)
OS:           Mac OS X 10.16 x86_64

>>> command: 'gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /var/folders/mb/smjzq82150ddzvk3gq411h300000gn/T/tmp-31708-ZOsQSxlXFWSu--init.gradle
>>> exit code: 1
>>> stdout:
SNYKECHO snykResolvedDepsJson task is executing via doLast
JSONATTRS {"org.gradle.usage":["java-runtime","java-api"],"org.gradle.category":["library","documentation"],"org.gradle.libraryelements":["jar"],"org.gradle.dependency.bundling":["external"],"org.gradle.docstype":["javadoc","sources"]}
SNYKECHO processing project: 
SNYKECHO resolving configuration [dataFiles]

>>> stderr:

FAILURE: Build failed with an exception.

* Where:
Initialization script '/var/folders/mb/smjzq82150ddzvk3gq411h300000gn/T/tmp-31708-ZOsQSxlXFWSu--init.gradle' line: 266

* What went wrong:
Execution failed for task ':snykResolvedDepsJson'.
> Could not resolve all dependencies for configuration ':dataFiles'.
   > Cannot resolve external dependency org.json:json:20200518 because no repositories are defined.
     Required by:
         project :

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 4s

bmuschko commented 3 years ago

A Gradle plugin shouldn't define a repository internally. That's bad practice. It's up to the consumer to define repositories. The reason it is bad practice is the fact that hard-coding a repository in the plugin code will easily break consumers that don't have access to it. For example, some companies do not allow access to public repositories (e.g. Maven Central) and require the use of a proxy repository e.g. as set up in Artifactory.
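
An added example (not from the thread and not the Snyk plugin's own code) of the consumer-side setup described above: the root project and every subproject take their repository from one URL the build owner controls, so the root-level `:dataFiles` configuration from the log can resolve without any repository being hard-coded in a plugin. The `artifactRepoUrl` property name and the proxy URL are assumptions.

```groovy
// Root build.gradle (added example, constructed for illustration).

// Before: repositories are declared only for subprojects. The root project ':'
// has none, so resolving ':dataFiles' there fails with
// "Cannot resolve external dependency ... because no repositories are defined".
//
// subprojects {
//     repositories { /* ... */ }
// }

// After: one repository definition shared by the root project and all subprojects.
// The URL is read from a Gradle property (assumed name: artifactRepoUrl), set for
// example in ~/.gradle/gradle.properties:
//   artifactRepoUrl=https://artifactory.example.com/maven-proxy   (placeholder URL)
// Environments that block public repositories point it at their proxy; the
// fallback below is Maven Central.
def repoUrl = findProperty('artifactRepoUrl') ?: 'https://repo.maven.apache.org/maven2/'

allprojects {
    repositories {
        maven {
            url repoUrl
        }
    }
}
```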

yairkukielkazunzunegui commented 1 year ago

Related https://github.com/snyk/gradle-plugin/issues/23 because org.json:json:20200518 has a vulnerability