sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

[BUG] The excludeVulnerabilityIds property stopped working because of changes by Sonatype #112

Closed TheoLassonder closed 2 years ago

TheoLassonder commented 2 years ago

Describe the bug

Sonatype does not include vulnerability ids in their OSS Index anymore. See https://ossindex.sonatype.org/updates-notice. This means that any vulnerabilities excluded with the excludeVulnerabilityIds are not excluded anymore.

To Reproduce

Steps to reproduce the behavior:

  1. Run the ossIndexAudit task on a Gradle file with the excludeVulnerabilityIds that previously excluded vulnerabilities
  2. The vulnerabilities are no longer excluded

Additional context

Perhaps a new property should be added, perhaps excludeCVEs.

TheoLassonder commented 2 years ago

I'm happy to start a pull request to fix this. It would completely remove excludeVulnerabilityIds and replace it with excludeCves.

TheoLassonder commented 2 years ago

Looks like that's not quite right: some vulnerabilities reported are non-CVE and thus don't have a CVE associated. So it would be better to keep excludeVulnerabilityIds exactly as-is, and simply start using the new ids.
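The point made in the last comment, as an added example that is not code from scan-gradle-plugin or from this issue: the report below is constructed, and the field names (`id`, `cve`, `displayName`, `coordinates`, `vulnerabilities`) are an assumption modelled on the OSS Index component-report JSON. It contrasts an exclude-by-CVE filter with an exclude-by-id filter over a report that contains a Sonatype-only finding with no CVE, and adds a check that reports exclusion entries matching nothing, which is what a build still listing the old-style ids would hit silently.

```python
"""Exclusion filtering over an OSS Index style report (added example)."""
import json

# Constructed sample report. Field names are an assumption modelled on the
# OSS Index component-report JSON; one finding deliberately has no "cve" key.
SAMPLE_REPORT = json.dumps([
    {
        "coordinates": "pkg:maven/org.example/lib-a@1.0.0",
        "vulnerabilities": [
            {"id": "CVE-2099-0001", "displayName": "CVE-2099-0001",
             "cve": "CVE-2099-0001", "cvssScore": 9.8},
        ],
    },
    {
        "coordinates": "pkg:maven/org.example/lib-b@2.3.4",
        "vulnerabilities": [
            # Sonatype-only finding: no CVE was ever assigned to it.
            {"id": "sonatype-2099-0002", "displayName": "sonatype-2099-0002",
             "cvssScore": 7.5},
            {"id": "CVE-2099-0003", "displayName": "CVE-2099-0003",
             "cve": "CVE-2099-0003", "cvssScore": 5.3},
        ],
    },
])


def parse_report(raw):
    """Yield (coordinates, vulnerability) pairs from the report JSON."""
    for component in json.loads(raw):
        for vuln in component.get("vulnerabilities", []):
            yield component["coordinates"], vuln


def filter_by_cve(raw, excluded_cves):
    """The flawed variant: exclude by CVE only.

    A finding that carries no 'cve' field can never be excluded this way,
    so Sonatype-only findings always survive the filter.
    """
    excluded = set(excluded_cves)
    return [
        (coord, v["id"]) for coord, v in parse_report(raw)
        if v.get("cve") not in excluded
    ]


def filter_by_vulnerability_id(raw, excluded_ids):
    """Exclude by the report's own vulnerability id.

    Every finding has an id, whether it is CVE-named or Sonatype-named, so
    one exclusion list covers both kinds. Matching is exact.
    """
    excluded = {i.strip() for i in excluded_ids}
    return [
        (coord, v["id"]) for coord, v in parse_report(raw)
        if v["id"] not in excluded
    ]


def unmatched_exclusions(raw, excluded_ids):
    """Return exclusion entries that match no finding in the report.

    After an id-format change, an exclusion list written against the old ids
    stops excluding anything without any error; surfacing the stale entries
    lets the list be migrated instead of quietly ignored.
    """
    seen = {v["id"] for _, v in parse_report(raw)}
    return sorted({i.strip() for i in excluded_ids} - seen)


if __name__ == "__main__":
    wanted_gone = ["CVE-2099-0001", "sonatype-2099-0002"]
    print("by CVE only:", filter_by_cve(SAMPLE_REPORT, wanted_gone))
    print("by id:      ", filter_by_vulnerability_id(SAMPLE_REPORT, wanted_gone))
    # Constructed placeholder standing in for an old-format id.
    stale = ["00000000-0000-0000-0000-000000000000"]
    print("stale:      ", unmatched_exclusions(SAMPLE_REPORT, stale))
```

Run as a script it prints the two filtered lists and the stale entry; the CVE-only filter leaves `sonatype-2099-0002` in the output even though it was listed for exclusion, while the id-based filter removes it.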