snyk/snyk-gradle-plugin

Gradle, if annotationProcessor is used then only those dependencies are being analysed

Closed this issue · 4 comments

  • node -v: 9.11.1
  • npm -v: 5.10.0
  • snyk -v: 1.108.2
  • Command run: snyk test

Expected behaviour

Expecting snyk to ignore annotationProcessor dependencies or add those dependencies to the others found in the project.

Actual behaviour

Only annotationProcessor dependencies are being analysed (in my case it's only lombok).

Steps to reproduce

Simply execute snyk test in the project root directory.

Additional info

In my humble opinion the root cause of the issue is in the filters (only the first 'configuration' is being used for analysis):

.reduce(function (acc, element) {

Sample ./gradlew dependencies output:

> Task :dependencies

------------------------------------------------------------
Root project
------------------------------------------------------------

annotationProcessor - Annotation processors and their dependencies for source set 'main'.
\--- org.projectlombok:lombok -> 1.18.2

apiElements - API elements for main. (n)
No dependencies

archives - Configuration for archive artifacts.
No dependencies

bootArchives - Configuration for Spring Boot archive artifacts.
No dependencies

compile - Dependencies for source set 'main' (deprecated, use 'implementation' instead).
No dependencies

compileClasspath - Compile classpath for source set 'main'.
+--- com.github.ben-manes.caffeine:caffeine -> 2.6.2
+--- com.github.kstyrc:embedded-redis -> 0.6
|    +--- com.google.guava:guava:18.0 -> 25.0-jre
|    |    +--- com.google.code.findbugs:jsr305:1.3.9 -> 3.0.2
|    |    +--- org.checkerframework:checker-compat-qual:2.0.0
|    |    +--- com.google.errorprone:error_prone_annotations:2.1.3
|    |    +--- com.google.j2objc:j2objc-annotations:1.1
|    |    \--- org.codehaus.mojo:animal-sniffer-annotations:1.14
|    \--- commons-io:commons-io:2.4 -> 2.6
+--- com.google.code.findbugs:jsr305 -> 3.0.2

--debug output

  snyk test { _: [ [Circular] ], debug: true } +0ms
  snyk no file specified. Trying to autodetect in base folder <path_to_base_project_dir> +0ms
  snyk found package file build.gradle in <path_to_base_project_dir> +1ms
  snyk analytics add local true +0ms
  snyk found package file build.gradle in <path_to_base_project_dir> +3ms
  snyk analytics add policies 1 +19sbuild.gradle
  snyk analytics add packageManager gradle +0ms
  snyk analytics add packageName XXX +0ms
  snyk analytics add packageVersion 0.0.0 +0ms
  snyk analytics add package XXX@0.0.0 +0ms
  snyk sending request to: https://snyk.io/api/v1/vuln/gradle +0ms
  snyk request body size: 188 +0ms
  snyk gzipped request body size: 135 +0ms
  snyk analytics add payloadSize 188 +4ms
  snyk analytics add gzippedPayloadSize 135 +0ms
  snyk not using proxy +1ms
  snyk analytics add vulns-pre-policy 0 +692ms
  snyk analytics add vulns 0 +4ms

Testing <path_to_base_project_dir>...

Organisation:      XXX
Package manager:   gradle
Target file:       build.gradle
Open source:       no
Project path:      <path_to_base_project_dir>
Licenses:          enabled

✓ Tested 1 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
  snyk analytics { args: [ { debug: true, org: undefined, showVulnPaths: true } ],
  command: 'test',
  metadata: 
   { local: true,
     policies: 1,
     packageManager: 'gradle',
     packageName: 'XXX',
     packageVersion: '0.0.0',
     package: 'XXX@0.0.0',
     payloadSize: 188,
     gzippedPayloadSize: 135,
     'vulns-pre-policy': 0,
     vulns: 0 },
  version: '1.108.2',
  os: 'macOS High Sierra',
  nodeVersion: 'v9.11.1',
  id: '---',
  ci: false,
  durationMs: 19423 } +3ms
  snyk sending request to: https://snyk.io/api/v1/analytics/cli +699ms
  snyk request body size: 433 +0ms
  snyk gzipped request body size: 295 +0ms
  snyk not using proxy +0ms

Hello @Vortim

Thanks for raising this. We definitely need to improve the default behaviour here, but for now the workaround is to specify a configuration when running the CLI:

snyk test -- --configuration compileClasspath

Hope that helps!

Hello @darscan,

It helped a lot, thank you!

Regarding default behaviour, maybe it would be better to use runtimeClasspath, as in gradle it's possible to add some dependencies only for runtime (they'd be excluded from the compilation phase), for example some agents or any kind of JDBC drivers.

I believe that it would be useful information to be included in snyk --help, so that it would be easier to find what else can be done with snyk-gradle-plugin; currently there is only info about the gradle-sub-project property.
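To illustrate the root cause described in the issue and the `--configuration` workaround above, here is an added example (not code from snyk-gradle-plugin) that parses the configuration sections of `gradle dependencies` output. The sample text is constructed from the output in the issue; the runtimeClasspath section and its org.postgresql:postgresql entry are made up to show a runtime-only dependency.

```javascript
// Constructed sample modelled on the issue's `./gradlew dependencies` output;
// runtimeClasspath and org.postgresql:postgresql are made up (runtime-only dep).
const SAMPLE_OUTPUT = `
annotationProcessor - Annotation processors and their dependencies for source set 'main'.
\\--- org.projectlombok:lombok -> 1.18.2

apiElements - API elements for main. (n)
No dependencies

compileClasspath - Compile classpath for source set 'main'.
+--- com.github.ben-manes.caffeine:caffeine -> 2.6.2
+--- com.github.kstyrc:embedded-redis -> 0.6
|    +--- com.google.guava:guava:18.0 -> 25.0-jre
|    \\--- commons-io:commons-io:2.4 -> 2.6
\\--- com.google.code.findbugs:jsr305 -> 3.0.2

runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.github.ben-manes.caffeine:caffeine -> 2.6.2
\\--- org.postgresql:postgresql -> 42.2.5
`;
// Parse into { configName: Set('group:artifact@resolvedVersion') }, in file order.
function parseConfigurations(output) {
  const configs = {};
  let current = null;
  for (const rawLine of output.split('\n')) {
    const line = rawLine.replace(/\s+\([*nc]\)\s*$/, ''); // drop (*) (n) (c) markers
    const header = line.match(/^([A-Za-z]\w*) - /);       // e.g. "compileClasspath - ..."
    if (header) { current = header[1]; configs[current] = new Set(); continue; }
    if (!current || !/^[+\\|]/.test(line)) continue;      // only dependency-tree lines
    const m = line.match(/^[\s|+\\-]*(\S+)(?:\s+->\s+(\S+))?/);
    if (!m) continue;
    const parts = m[1].split(':');
    const version = m[2] || parts[2];                     // "-> x" wins over requested
    if (version) configs[current].add(`${parts[0]}:${parts[1]}@${version}`);
  }
  return configs;
}

// Issue behaviour: only the first section (here annotationProcessor) is used.
function firstConfigurationOnly(configs) {
  const first = Object.keys(configs)[0];
  return first ? [...configs[first]] : [];
}

// Fix: honour an explicit configuration (the `--configuration` workaround) or,
// when none is given, merge every configuration instead of taking the first.
function dependenciesFor(configs, configName) {
  if (configName) return [...(configs[configName] || [])];
  return [...new Set(Object.values(configs).flatMap((s) => [...s]))];
}
```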

Hi! Is this still an issue for you with the latest CLI version? We have merged an improvement that should help with this.

Closing this one, please re-open if it is still an issue.