Empty dependency graph snapshot generated when state is loaded from configuration cache
Closed this issue · 0 comments
bigdaz commented
When the Gradle project configuration is successfully loaded from the configuration-cache, no dependencies will be resolved during the build execution. In this case, an empty dependency graph snapshot will be generated.
Submitting this empty snapshot can incorrectly clear the dependency graph for a repository, resolving any security vulnerabilities!
We should either:
- Fail if the configuration-cache is enabled when generating a dependency graph snapshot.
- Generate a different Job Correlator when configuration-cache state is reused. This would prevent the empty snapshot from overwriting a previous, correct snapshot.
- Detect when an empty snapshot is generated due to configuration-cache reuse, and avoid submitting this snapshot (this would require a change in gradle-build-action).
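One way to implement the third option above, as an added example that is not the plugin's or gradle-build-action's own code: a pre-submission guard that parses the generated snapshot and refuses to submit when no manifest contains a resolved package, so an empty graph can never overwrite the previous correct snapshot for the same job correlator. The top-level field names follow GitHub's dependency snapshot format; the correlator, detector, sha and package values are constructed placeholders.

```python
import json
from typing import Any


def make_snapshot(manifests: dict[str, Any]) -> str:
    """Build a minimal dependency-snapshot document with constructed placeholder metadata."""
    return json.dumps({
        "version": 0,
        "job": {"correlator": "build-workflow-job", "id": "placeholder-run-id"},
        "sha": "0" * 40,
        "ref": "refs/heads/main",
        "detector": {"name": "example-detector", "version": "0.0.0", "url": "https://example.invalid"},
        "scanned": "2024-01-01T00:00:00Z",
        "manifests": manifests,
    })


# Constructed sample: configuration-cache state was reused, no resolution ran, so no manifests.
EMPTY_SNAPSHOT = make_snapshot({})

# Constructed sample: a build that actually resolved one direct dependency.
POPULATED_SNAPSHOT = make_snapshot({
    "build.gradle.kts": {
        "name": "build.gradle.kts",
        "file": {"source_location": "build.gradle.kts"},
        "resolved": {
            "pkg:maven/com.example/lib@1.0": {
                "package_url": "pkg:maven/com.example/lib@1.0",
                "relationship": "direct",
                "scope": "runtime",
            }
        },
    }
})


def count_resolved_packages(snapshot: dict[str, Any]) -> int:
    """Total number of resolved package entries across every manifest in the snapshot."""
    return sum(len(m.get("resolved", {})) for m in snapshot.get("manifests", {}).values())


def should_submit(snapshot_json: str) -> tuple[bool, str]:
    """Decide whether a snapshot may be submitted. An empty graph is never submitted,
    so it cannot clear the dependency graph recorded under the same job correlator."""
    snapshot = json.loads(snapshot_json)
    resolved = count_resolved_packages(snapshot)
    correlator = snapshot.get("job", {}).get("correlator", "<unknown>")
    if resolved == 0:
        return False, f"refusing to submit: 0 resolved packages for correlator {correlator!r}"
    return True, f"submitting {resolved} resolved packages for correlator {correlator!r}"
```

A build with genuinely no dependencies produces the same empty graph and is suppressed too, so the refusal should be logged visibly rather than skipped silently.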