
Show source of vulnerable transitive dependency #254

Closed
PaulCormier opened this issue Mar 10, 2022 · 2 comments

Comments

@PaulCormier

Maybe I'm missing it, but with the Gradle plugin can I see what declared dependency led to a detected vulnerability?

For instance, if I add 'org.owasp:dependency-check-maven:7.0.0' and then run dependencyCheckAnalyze, I get a hit on sisu-guava-0.9.9.jar - cpe:2.3:a:google:guava:0.9.9:*:*:*:*:*:*:*.

Presently, to find out where that came from I have to run the dependencies task and search for it.

+--- org.owasp:dependency-check-maven:7.0.0
|    +--- org.owasp:dependency-check-core:7.0.0 (*)
|    +--- org.owasp:dependency-check-utils:7.0.0 (*)
|    +--- org.apache.maven.shared:file-management:3.0.0
|    |    +--- org.apache.maven:maven-plugin-api:3.0 -> 3.0.5
|    |    |    +--- org.apache.maven:maven-model:3.0.5
|    |    |    |    \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
|    |    |    +--- org.apache.maven:maven-artifact:3.0.5
|    |    |    |    \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
|    |    |    \--- org.sonatype.sisu:sisu-inject-plexus:2.3.0
|    |    |         +--- org.codehaus.plexus:plexus-component-annotations:1.5.5 -> 2.0.0
|    |    |         +--- org.codehaus.plexus:plexus-classworlds:2.4
|    |    |         +--- org.codehaus.plexus:plexus-utils:2.1 -> 3.4.1
|    |    |         \--- org.sonatype.sisu:sisu-inject-bean:2.3.0
|    |    |              \--- org.sonatype.sisu:sisu-guice:3.1.0
|    |    |                   \--- org.sonatype.sisu:sisu-guava:0.9.9

It would be nice to see what led to it being in the project right from the HTML report.

@jeremylong
Collaborator

I completely agree - this is something on the list for both the gradle and maven plugin. Best we've done so far is a hackish solution for Maven: https://gist.github.com/jeremylong/ec5d496f64fc5bba6d47b2524a40ce3f

The above gist could be modified to account for the ./gradlew -q dependencies
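As an added example, not part of this issue, the linked gist or the dependency-check project: a small Python script that does for Gradle what the issue asks for by hand. It parses the text that `./gradlew -q dependencies` prints and, for a jar named in the report such as `sisu-guava-0.9.9.jar`, prints every chain from a declared dependency down to that artifact, using the resolved version (the `-> 3.0.5` part) rather than the requested one. The embedded tree is constructed from the one in the issue, with a configuration header and a second declared dependency added so that the `(*)` "subtree omitted, listed previously" case is exercised; the configuration name and `com.example:other-lib` are assumptions for the sample only.

```python
"""Find which declared dependency pulls in an artifact, from `gradle dependencies` output."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One tree line: 5-character indent blocks ("|    " or "     "), a "+---" or "\---"
# connector, the coordinate, an optional "-> resolved" suffix and markers such as "(*)".
LINE_RE = re.compile(
    r"^(?P<indent>(?:[| ]    )*)[+\\]--- (?P<coord>.+?)"
    r"(?: -> (?P<resolved>\S+))?(?P<markers>(?: \([*cn]\))*)$"
)
# A configuration header such as "runtimeClasspath - Runtime classpath of source set 'main'."
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*)(?: - .*)?$")

# Constructed sample: the tree from the issue plus a header and a second declared
# dependency (com.example:other-lib is invented) whose subtree Gradle elides with "(*)".
SAMPLE_TREE = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.owasp:dependency-check-maven:7.0.0
|    +--- org.owasp:dependency-check-core:7.0.0 (*)
|    +--- org.owasp:dependency-check-utils:7.0.0 (*)
|    +--- org.apache.maven.shared:file-management:3.0.0
|    |    +--- org.apache.maven:maven-plugin-api:3.0 -> 3.0.5
|    |    |    +--- org.apache.maven:maven-model:3.0.5
|    |    |    |    \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
|    |    |    +--- org.apache.maven:maven-artifact:3.0.5
|    |    |    |    \--- org.codehaus.plexus:plexus-utils:2.0.6 -> 3.4.1
|    |    |    \--- org.sonatype.sisu:sisu-inject-plexus:2.3.0
|    |    |         +--- org.codehaus.plexus:plexus-component-annotations:1.5.5 -> 2.0.0
|    |    |         +--- org.codehaus.plexus:plexus-classworlds:2.4
|    |    |         +--- org.codehaus.plexus:plexus-utils:2.1 -> 3.4.1
|    |    |         \--- org.sonatype.sisu:sisu-inject-bean:2.3.0
|    |    |              \--- org.sonatype.sisu:sisu-guice:3.1.0
|    |    |                   \--- org.sonatype.sisu:sisu-guava:0.9.9
\--- com.example:other-lib:1.0
     \--- org.sonatype.sisu:sisu-inject-bean:2.3.0 (*)
"""


@dataclass
class Node:
    coord: str          # resolved group:name:version
    elided: bool        # "(*)": Gradle printed this subtree earlier and omitted it here
    children: List["Node"] = field(default_factory=list)


def resolve(coord: str, resolved: Optional[str]) -> str:
    """Apply the "-> x" suffix: x is a bare version, or a full coordinate after substitution."""
    if resolved is None:
        return coord
    if ":" in resolved:
        return resolved
    parts = coord.split(":")
    if len(parts) >= 3:
        parts[2] = resolved
    else:
        parts.append(resolved)
    return ":".join(parts)


def parse_tree(text: str) -> Dict[str, List[Node]]:
    """Parse the tree into {configuration name: [root nodes]}; roots are the declared deps."""
    forests: Dict[str, List[Node]] = {}
    config = "(unnamed)"
    stack: List[Node] = []          # stack[d] is the most recent node seen at depth d
    for line in text.splitlines():
        line = line.rstrip()
        m = LINE_RE.match(line)
        if m is None:
            h = HEADER_RE.match(line)
            if h:                   # new configuration: start a new forest
                config = h.group("name")
                forests.setdefault(config, [])
                stack = []
            continue
        depth = len(m.group("indent")) // 5
        if depth > len(stack):
            raise ValueError(f"indentation jump in line: {line!r}")
        node = Node(resolve(m.group("coord"), m.group("resolved")), "(*)" in m.group("markers"))
        del stack[depth:]
        if depth == 0:
            forests.setdefault(config, []).append(node)
        else:
            stack[-1].children.append(node)
        stack.append(node)
    return forests


def matches(coord: str, wanted: str) -> bool:
    """Accept group:name:version, group:name, name, or the jar basename name-version."""
    parts = coord.split(":")
    group, name = (parts[0], parts[1]) if len(parts) > 1 else ("", parts[0])
    version = parts[2] if len(parts) > 2 else ""
    return wanted in {coord, f"{group}:{name}", name, f"{name}-{version}"}


def find_paths(text: str, wanted: str) -> List[List[str]]:
    """Return every path [configuration, declared dependency, ..., wanted] in the tree."""
    if wanted.endswith(".jar"):
        wanted = wanted[:-4]
    forests = parse_tree(text)
    full: Dict[str, Node] = {}      # first non-elided occurrence of each coordinate

    def index(nodes: List[Node]) -> None:
        for n in nodes:
            if not n.elided and n.coord not in full:
                full[n.coord] = n
            index(n.children)

    for roots in forests.values():
        index(roots)                # approximation: one cache across all configurations
    paths: List[List[str]] = []

    def walk(node: Node, trail: List[str], config: str) -> None:
        trail = trail + [node.coord]
        if matches(node.coord, wanted):
            paths.append([config] + trail)
        children = node.children
        if node.elided and node.coord in full:
            children = full[node.coord].children   # re-attach the subtree Gradle omitted
        for child in children:
            if child.coord not in trail:           # cycle guard for re-attached subtrees
                walk(child, trail, config)

    for config, roots in forests.items():
        for root in roots:
            walk(root, [], config)
    return paths


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: ./gradlew -q dependencies | python find_dep_path.py <artifact>", file=sys.stderr)
        return 2
    for path in find_paths(sys.stdin.read(), argv[1]):
        print(" -> ".join(path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./gradlew -q dependencies --configuration runtimeClasspath | python find_dep_path.py sisu-guava-0.9.9.jar`; each output line starts with the configuration and the declared dependency (the second element), which is the line in `build.gradle` to change or exclude. For a single artifact Gradle's own `dependencyInsight --dependency sisu-guava --configuration runtimeClasspath` task shows the same chain; the script's advantage is that it can be run over the saved tree output for every finding in a report. Note that Gradle's `(*)` elision is per configuration, so the cache of first occurrences here is an approximation when the same coordinate resolves to different children in different configurations.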

@jeremylong
Collaborator

We are working on resolving this issue - the update will be included with #283
