snyk/snyk-gradle-plugin

wrong behavior when include checkstyle plugin

Closed this issue · 4 comments

  • node -v: v9.7.1
  • npm -v: 5.6.0
  • snyk -v: 1.104.1
  • gradle -v: 4.8
  • build.gradle
apply plugin: 'java'
apply plugin: 'checkstyle'

ext {
    checkstyleVersion = '8.10.1'
    jacksonVersion = '2.9.7'
    springsecuritysamlVersion = '1.0.3.RELEASE'
}

group 'com.test'
version '0.8.6'

sourceCompatibility = 1.8

repositories {
    mavenCentral()
}

dependencies {
    implementation group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: jacksonVersion
    implementation group: 'org.springframework.security.extensions', name: 'spring-security-saml2-core', version: springsecuritysamlVersion
}
  • Command run: snyk test

Expected behaviour

Organisation:      <>
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <>

Tested 33 dependencies for known vulnerabilities, found 26 vulnerabilities, 96 vulnerable paths.

Actual behaviour

✗ Medium severity vulnerability found in com.google.guava:guava
  Description: Deserialization of Untrusted Data
  Info: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
  Introduced through: com.puppycrawl.tools:checkstyle@6.19
  From: com.puppycrawl.tools:checkstyle@6.19 > com.google.guava:guava@19.0

Organisation:      <>
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <>

Tested 7 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.

After removing apply plugin: 'checkstyle', snyk test gives the expected results.
It seems that the checkstyle plugin causes snyk to behave wrongly and run the test on the checkstyle dependencies instead.


If applicable, please append the --debug flag on your command and include the output here, ensuring to remove any sensitive/personal details or tokens.

@quynh-axiadids thanks for reporting this!

Your analysis is very much correct. We're thrown off by the checkstyle plugin as it introduces its own configuration to the gradle build, and we pick it up instead of the rest of the app.

As a workaround I can suggest specifying the exact gradle configuration you are interested in like so: snyk test -- --configuration default. The standalone double-dash will cause all following args to be passed through to gradle, pointing us at the right configuration for the example project above.
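
The diagnostic below is an added example, not code from the issue or from the snyk-gradle-plugin project. It shows how to see for yourself which Gradle configuration holds which dependencies, so you can confirm that checkstyle's own dependencies (checkstyle, guava) sit in the checkstyle configuration while the application's dependencies resolve through default, and then pass the right configuration name with `--configuration` as suggested above. It assumes the build.gradle from the report and a Gradle version (4.8 here) that supports Configuration.canBeResolved; the task name listConfigDeps is a placeholder you can rename.

```groovy
// Added example: list the modules resolved by every resolvable configuration.
// Append this to the build.gradle from the report and run:  gradle -q listConfigDeps
// Non-resolvable configurations (e.g. 'implementation') are skipped, because
// Gradle refuses to resolve them directly; resolution failures are reported
// per configuration instead of aborting the whole listing.
task listConfigDeps {
    description = 'Prints the resolved module graph of each resolvable configuration'
    doLast {
        configurations.matching { it.canBeResolved }.each { cfg ->
            println "Configuration '${cfg.name}':"
            try {
                // allComponents includes the root project plus every transitive module
                cfg.incoming.resolutionResult.allComponents
                    .findAll { it.id.displayName != project.path && it.id.displayName != "project ${project.path}" }
                    .collect { it.id.displayName }
                    .sort()
                    .each { println "  ${it}" }
            } catch (Exception e) {
                println "  (could not resolve: ${e.message})"
            }
        }
    }
}
```

Run it once with the checkstyle plugin applied and once without: the 'checkstyle' configuration is the only one that should list com.puppycrawl.tools:checkstyle and its com.google.guava:guava dependency, while 'default' lists jackson-annotations, spring-security-saml2-core and their transitive modules, which is the set the expected "Tested 33 dependencies" output refers to.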

@adrukh Thank you for the quick response.
The workaround solution provided works well.

👋 We have merged an improvement that should help here; please try the latest version of the CLI and let us know if it helps.

closing this one, please re-open if still an issue