snyk/snyk-gradle-plugin

build.gradle file is read but no dependency is found

Closed this issue · 5 comments

  • gradle -v: 4.7

  • node -v: v8.11.3

  • npm -v: 5.6.0

  • snyk -v: 1.89.1

  • Command run:
    snyk test (from project root where build.gradle is)
    and
    snyk test --file=/path/to/build.gradle

Expected behaviour

Organisation: censored
Package manager: gradle
Target file: build.gradle
Open source: no
Project path: /path

✓ Tested X dependencies for known vulnerabilities, {actual analysis results of dependencies}

Actual behaviour (snyk test --debug)

Organisation:    *censored*
Package manager: gradle
Target file:     build.gradle
Open source:     no
Project path:    /path

✓ Tested 0 dependencies for known vulnerabilities, no vulnerable paths found.

 snyk analytics { command: 'test',
  args: [ { debug: true, org: undefined, showVulnPaths: true } ],
  metadata: 
   { local: true,
     policies: 1,
     packageManager: 'gradle',
     packageName: '*censored*',
     packageVersion: '0.0.0',
     package: '*censored*@0.0.0',
     payloadSize: 128,
     gzippedPayloadSize: 116,
     'vulns-pre-policy': 0,
     vulns: 0 },
  version: '1.89.1',
  os: 'macOS Sierra',
  nodeVersion: 'v8.11.3',
  id: 'bbecc862ba8d8ee5feeee1ec631d444a94672aba',
  ci: false,
  durationMs: 2195 } +5ms
  snyk sending request to: https://snyk.io/api/v1/analytics/cli +730ms
  snyk request body size: 440 +0ms
  snyk gzipped request body size: 290 +0ms
  snyk not using proxy +0ms

Steps to reproduce

Simply execute the aforementioned commands.

The thing is that our build.gradle file has multiple blocks in which it declares dependencies. One of these blocks is on the first level and is indeed called dependencies {}. We'd assume at least this one would work correctly.

A possibly important detail is that we use the following plugins as well:

  • apply plugin: 'maven'
  • apply plugin: 'maven-publish'

The following block is executed before the dependencies{} block as well:
repositories {
    mavenCentral()
    maven { url "censoredURL" }
    maven { url "censoredURL" }
    etc.
}

We were thinking that this maven-gradle setup might be the root cause of the Snyk read not finding any dependencies?

Thank you in advance, we can exchange further details when needed.

@TonyGreenwood thanks for raising this issue!

Under the hood, the gradle plugin executes the gradle dependencies plugin. It uses gradlew[.bat] if one is found, falling back to gradle if not.

Can you please contact us at support@snyk.io and share the output of gradle dependencies -q?

If there is a specific configuration you use, you can specify it with snyk test -- --configuration <config>. Any args following the standalone -- will be passed on to the gradle invocation.

Hi @TonyGreenwood

With a bit of help from my colleagues I've taken a look into this issue. Unfortunately we don’t currently support scanning dependencies for all sub projects in a multi project build. You might have more luck testing the sub projects individually.

Judging by this article we found, https://solidsoft.wordpress.com/2014/11/13/gradle-tricks-display-dependencies-for-all-subprojects-in-multi-project-build/, it seems like it's a limitation of gradle itself, and since, as Anton said, we hook into gradle dependencies, we also cannot get a list of dependencies. The article mentions a handy way to list out submodule dependencies by using a task, and we could look into adding support for passing in custom tasks to the CLI in future.
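The per-subproject dependency report task that the linked article describes, written out here as an added example (it is not code from the snyk-gradle-plugin project or from anyone in this thread). The task name allDeps is a hypothetical choice, and the block is assumed to live in the root build.gradle of the multi-project build:

```groovy
// Added example, not from snyk-gradle-plugin: register a dependency report
// task in every subproject so a single invocation from the root covers the
// whole build. DependencyReportTask is the task type behind Gradle's built-in
// `dependencies` task; Gradle imports org.gradle.api.tasks.diagnostics.* by
// default, so no import line is needed in a Groovy build script.
subprojects {
    // 'allDeps' is a hypothetical name; any name not already taken in the
    // subprojects works.
    task allDeps(type: DependencyReportTask) {
        group = 'help'
        description = 'Prints the dependency tree of this subproject.'
    }
}
```

Run `gradle allDeps -q` (or `./gradlew allDeps -q`) from the project root to get one report per subproject; `--configuration <config>` restricts it to a single configuration, the same option the `--` passthrough above forwards to gradle. The root project's own `dependencies` task still reports only dependencies declared at the root level, which is why a build that declares everything in subprojects shows 0 dependencies.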

@TonyGreenwood please note we made a release a few weeks ago that allows you to specify a gradle sub project:

  --gradle-sub-project=<string>
                       For Gradle "multi project" configurations,
                       test a specific sub-project.

Hope this helps for this case too!

👋 We have released an improvement that should help pick up more dependencies, please confirm if this is still an issue for you?

closing this one, please re-open if still an issue