From 402cf0835fe1f968845ac806df8cb90b3a68d7bd Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 13 Oct 2025 07:39:30 -0400
Subject: [PATCH 1/4] fix: convert missed AnalyzerExtension to the property API
---
 .../gradle/extension/AnalyzerExtension.groovy | 450 ++++++++++++++++--
 .../gradle/tasks/ConfiguredTask.groovy | 68 +--
 2 files changed, 448 insertions(+), 70 deletions(-)
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
index 947f800..5f35dc4 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
@@ -20,6 +20,9 @@ package org.owasp.dependencycheck.gradle.extension
 import org.gradle.api.Action
 import org.gradle.api.Project
 import org.gradle.api.model.ObjectFactory
+import org.gradle.api.provider.Property
+import org.gradle.api.tasks.Input
+import org.gradle.api.tasks.Optional
 import javax.inject.Inject
@@ -29,9 +32,80 @@ import javax.inject.Inject
 @groovy.transform.CompileStatic
 class AnalyzerExtension {
+ private final Property experimentalEnabled
+ private final Property archiveEnabled
+ private final Property zipExtensions
+ private final Property jarEnabled
+ private final Property centralEnabled
+ private final Property nexusEnabled
+ private final Property nexusUrl
+ private final Property nexusUsesProxy
+ private final Property nuspecEnabled
+ private final Property assemblyEnabled
+ private final Property msbuildEnabled
+ private final Property pathToDotnet
+ private final Property golangDepEnabled
+ private final Property golangModEnabled
+ private final Property pathToGo
+ private final Property cocoapodsEnabled
+ private final Property swiftEnabled
+ private final Property dartEnabled
+ private final Property swiftPackageResolvedEnabled
+ private final Property bundleAuditEnabled
+ private final Property pathToBundleAudit
+ private final Property pyDistributionEnabled
+ private final Property pyPackageEnabled
+ private final Property rubygemsEnabled
+ private final Property opensslEnabled
+ private final Property cmakeEnabled
+ private final Property autoconfEnabled
+ private final Property composerEnabled
+ private final Property composerSkipDev
+ private final Property cpanEnabled
+ private final Property nodeEnabled
+ private final Property nodeAuditEnabled
+ private final Property nugetconfEnabled
+ private final Property ossIndexEnabled
+
+ Project project;
+
 @Inject
 AnalyzerExtension(Project project, ObjectFactory objects) {
- this.project = project;
+ this.project = project
+ this.experimentalEnabled = objects.property(Boolean)
+ this.archiveEnabled = objects.property(Boolean)
+ this.zipExtensions = objects.property(String)
+ this.jarEnabled = objects.property(Boolean)
+ this.centralEnabled = objects.property(Boolean)
+ this.nexusEnabled = objects.property(Boolean)
+ this.nexusUrl = objects.property(String)
+ this.nexusUsesProxy = objects.property(Boolean)
+ this.nuspecEnabled = objects.property(Boolean)
+ this.assemblyEnabled = objects.property(Boolean)
+ this.msbuildEnabled = objects.property(Boolean)
+ this.pathToDotnet = objects.property(String)
+ this.golangDepEnabled = objects.property(Boolean)
+ this.golangModEnabled = objects.property(Boolean)
+ this.pathToGo = objects.property(String)
+ this.cocoapodsEnabled = objects.property(Boolean)
+ this.swiftEnabled = objects.property(Boolean)
+ this.dartEnabled = objects.property(Boolean)
+ this.swiftPackageResolvedEnabled = objects.property(Boolean)
+ this.bundleAuditEnabled = objects.property(Boolean)
+ this.pathToBundleAudit = objects.property(String)
+ this.pyDistributionEnabled = objects.property(Boolean)
+ this.pyPackageEnabled = objects.property(Boolean)
+ this.rubygemsEnabled = objects.property(Boolean)
+ this.opensslEnabled = objects.property(Boolean)
+ this.cmakeEnabled = objects.property(Boolean)
+ this.autoconfEnabled = objects.property(Boolean)
+ this.composerEnabled = objects.property(Boolean)
+ this.composerSkipDev = objects.property(Boolean)
+ this.cpanEnabled = objects.property(Boolean)
+ this.nodeEnabled = objects.property(Boolean)
+ this.nodeAuditEnabled = objects.property(Boolean)
+ this.nugetconfEnabled = objects.property(Boolean)
+ this.ossIndexEnabled = objects.property(Boolean)
 kev = objects.newInstance(KEVExtension, objects)
 retirejs = objects.newInstance(RetireJSExtension, objects)
 nodeAudit = objects.newInstance(NodeAuditExtension, objects)
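Review bot: Every new field is declared as raw `Property` (e.g. `+ private final Property experimentalEnabled`) although `objects.property(Boolean)` and `objects.property(String)` already return `Property<Boolean>` and `Property<String>`; under `@CompileStatic` the raw type gives up the element type, so a mistyped assignment is no longer caught at compile time and is only rejected by Gradle at runtime. Declare them as `private final Property<Boolean> experimentalEnabled` / `private final Property<String> zipExtensions` and use the same parameterized types on the getters introduced in this file's `-40,150` hunk (`Property<Boolean> getExperimentalEnabled()`), which also removes the raw-type warnings. `+ Project project;` keeps a trailing semicolon that the surrounding Groovy code does not use.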
@@ -40,150 +114,454 @@ class AnalyzerExtension {
 ossIndex = objects.newInstance(OssIndexExtension, objects)
 }
- Project project;
 /**
 * Sets whether the experimental analyzers will be used.
 */
- Boolean experimentalEnabled
+ @Input
+ @Optional
+ Property getExperimentalEnabled() {
+ return experimentalEnabled
+ }
+
+ void setExperimentalEnabled(Boolean value) {
+ experimentalEnabled.set(value)
+ }
+
 /**
 * Sets whether the Archive Analyzer will be used.
 */
- Boolean archiveEnabled
+ @Input
+ @Optional
+ Property getArchiveEnabled() {
+ return archiveEnabled
+ }
+
+ void setArchiveEnabled(Boolean value) {
+ archiveEnabled.set(value)
+ }
+
 /**
 * A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
 */
- String zipExtensions
+ @Input
+ @Optional
+ Property getZipExtensions() {
+ return zipExtensions
+ }
+
+ void setZipExtensions(String value) {
+ zipExtensions.set(value)
+ }
+
 /**
 * Sets whether Jar Analyzer will be used.
 */
- Boolean jarEnabled
+ @Input
+ @Optional
+ Property getJarEnabled() {
+ return jarEnabled
+ }
+
+ void setJarEnabled(Boolean value) {
+ jarEnabled.set(value)
+ }
+
 /**
 * Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).
 */
- Boolean centralEnabled
+ @Input
+ @Optional
+ Property getCentralEnabled() {
+ return centralEnabled
+ }
+
+ void setCentralEnabled(Boolean value) {
+ centralEnabled.set(value)
+ }
+
 /**
 * Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.
 */
- Boolean nexusEnabled
+ @Input
+ @Optional
+ Property getNexusEnabled() {
+ return nexusEnabled
+ }
+
+ void setNexusEnabled(Boolean value) {
+ nexusEnabled.set(value)
+ }
+
 /**
 * Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/).
 If not set the Nexus Analyzer will be disabled.
 */
- String nexusUrl
+ @Input
+ @Optional
+ Property getNexusUrl() {
+ return nexusUrl
+ }
+
+ void setNexusUrl(String value) {
+ nexusUrl.set(value)
+ }
+
 /**
 * whether the defined proxy should be used when connecting to Nexus.
 */
- Boolean nexusUsesProxy
+ @Input
+ @Optional
+ Property getNexusUsesProxy() {
+ return nexusUsesProxy
+ }
+
+ void setNexusUsesProxy(Boolean value) {
+ nexusUsesProxy.set(value)
+ }
+
 /**
 * Sets whether the .NET Nuget Nuspec Analyzer will be used.
 */
- Boolean nuspecEnabled
+ @Input
+ @Optional
+ Property getNuspecEnabled() {
+ return nuspecEnabled
+ }
+
+ void setNuspecEnabled(Boolean value) {
+ nuspecEnabled.set(value)
+ }
+
 /**
 * Sets whether the .NET Assembly Analyzer should be used.
 */
- Boolean assemblyEnabled
+ @Input
+ @Optional
+ Property getAssemblyEnabled() {
+ return assemblyEnabled
+ }
+
+ void setAssemblyEnabled(Boolean value) {
+ assemblyEnabled.set(value)
+ }
+
 /**
 * Sets whether the MS Build Analyzer should be used.
 */
- Boolean msbuildEnabled
+ @Input
+ @Optional
+ Property getMsbuildEnabled() {
+ return msbuildEnabled
+ }
+
+ void setMsbuildEnabled(Boolean value) {
+ msbuildEnabled.set(value)
+ }
+
 /**
 * The path to dotnet core - used to analyze dot net assemblies.
 */
- String pathToDotnet
+ @Input
+ @Optional
+ Property getPathToDotnet() {
+ return pathToDotnet
+ }
+
+ void setPathToDotnet(String value) {
+ pathToDotnet.set(value)
+ }
+
 /**
 * Sets whether the Golang Dependency analyzer is enabled. Default is true.
 */
- Boolean golangDepEnabled
+ @Input
+ @Optional
+ Property getGolangDepEnabled() {
+ return golangDepEnabled
+ }
+
+ void setGolangDepEnabled(Boolean value) {
+ golangDepEnabled.set(value)
+ }
+
 /**
 * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
 * installed. Default is true.
 */
- Boolean golangModEnabled
+ @Input
+ @Optional
+ Property getGolangModEnabled() {
+ return golangModEnabled
+ }
+
+ void setGolangModEnabled(Boolean value) {
+ golangModEnabled.set(value)
+ }
+
 /**
 * The path to `go` - used to analyze go modules via `go mod`.
 */
- String pathToGo
+ @Input
+ @Optional
+ Property getPathToGo() {
+ return pathToGo
+ }
+
+ void setPathToGo(String value) {
+ pathToGo.set(value)
+ }
+
 /**
 * Sets whether the cocoapods analyzer is enabled.
 */
- Boolean cocoapodsEnabled
+ @Input
+ @Optional
+ Property getCocoapodsEnabled() {
+ return cocoapodsEnabled
+ }
+
+ void setCocoapodsEnabled(Boolean value) {
+ cocoapodsEnabled.set(value)
+ }
+
 /**
 * Sets whether the swift package manager analyzer is enabled.
 */
- Boolean swiftEnabled
+ @Input
+ @Optional
+ Property getSwiftEnabled() {
+ return swiftEnabled
+ }
+
+ void setSwiftEnabled(Boolean value) {
+ swiftEnabled.set(value)
+ }
+
 /**
 * Sets whether the swift package manager analyzer is enabled.
 */
- Boolean dartEnabled
+ @Input
+ @Optional
+ Property getDartEnabled() {
+ return dartEnabled
+ }
+
+ void setDartEnabled(Boolean value) {
+ dartEnabled.set(value)
+ }
+
 /**
 * Sets whether the swift package resolved analyzer is enabled.
 */
- Boolean swiftPackageResolvedEnabled
+ @Input
+ @Optional
+ Property getSwiftPackageResolvedEnabled() {
+ return swiftPackageResolvedEnabled
+ }
+
+ void setSwiftPackageResolvedEnabled(Boolean value) {
+ swiftPackageResolvedEnabled.set(value)
+ }
+
 /**
 * Sets whether the Ruby Bundle Audit analyzer is enabled; requires running bundle audit.
 */
- Boolean bundleAuditEnabled
+ @Input
+ @Optional
+ Property getBundleAuditEnabled() {
+ return bundleAuditEnabled
+ }
+
+ void setBundleAuditEnabled(Boolean value) {
+ bundleAuditEnabled.set(value)
+ }
+
 /**
 * The path to Ruby's bundle audit.
 */
- String pathToBundleAudit
+ @Input
+ @Optional
+ Property getPathToBundleAudit() {
+ return pathToBundleAudit
+ }
+
+ void setPathToBundleAudit(String value) {
+ pathToBundleAudit.set(value)
+ }
+
 /**
 * Sets whether the Python Distribution Analyzer will be used.
 */
- Boolean pyDistributionEnabled
+ @Input
+ @Optional
+ Property getPyDistributionEnabled() {
+ return pyDistributionEnabled
+ }
+
+ void setPyDistributionEnabled(Boolean value) {
+ pyDistributionEnabled.set(value)
+ }
+
 /**
 * Sets whether the Python Package Analyzer will be used.
 */
- Boolean pyPackageEnabled
+ @Input
+ @Optional
+ Property getPyPackageEnabled() {
+ return pyPackageEnabled
+ }
+
+ void setPyPackageEnabled(Boolean value) {
+ pyPackageEnabled.set(value)
+ }
+
 /**
 * Sets whether the Ruby Gemspec Analyzer will be used.
 */
- Boolean rubygemsEnabled
+ @Input
+ @Optional
+ Property getRubygemsEnabled() {
+ return rubygemsEnabled
+ }
+
+ void setRubygemsEnabled(Boolean value) {
+ rubygemsEnabled.set(value)
+ }
+
 /**
 * Sets whether the openssl Analyzer should be used.
 */
- Boolean opensslEnabled
+ @Input
+ @Optional
+ Property getOpensslEnabled() {
+ return opensslEnabled
+ }
+
+ void setOpensslEnabled(Boolean value) {
+ opensslEnabled.set(value)
+ }
+
 /**
 * Sets whether the CMake Analyzer should be used.
 */
- Boolean cmakeEnabled
+ @Input
+ @Optional
+ Property getCmakeEnabled() {
+ return cmakeEnabled
+ }
+
+ void setCmakeEnabled(Boolean value) {
+ cmakeEnabled.set(value)
+ }
+
 /**
 * Sets whether the autoconf Analyzer should be used.
 */
- Boolean autoconfEnabled
+ @Input
+ @Optional
+ Property getAutoconfEnabled() {
+ return autoconfEnabled
+ }
+
+ void setAutoconfEnabled(Boolean value) {
+ autoconfEnabled.set(value)
+ }
+
 /**
 * Sets whether the PHP Composer Lock File Analyzer should be used.
 */
- Boolean composerEnabled
+ @Input
+ @Optional
+ Property getComposerEnabled() {
+ return composerEnabled
+ }
+
+ void setComposerEnabled(Boolean value) {
+ composerEnabled.set(value)
+ }
+
 /**
 * Sets whether the PHP Composer Lock File Analyzer should skip packages-dev dependencies.
 */
- Boolean composerSkipDev
+ @Input
+ @Optional
+ Property getComposerSkipDev() {
+ return composerSkipDev
+ }
+
+ void setComposerSkipDev(Boolean value) {
+ composerSkipDev.set(value)
+ }
+
 /**
 * Sets whether the Perl CPAN File Analyzer should be used.
 */
- Boolean cpanEnabled
+ @Input
+ @Optional
+ Property getCpanEnabled() {
+ return cpanEnabled
+ }
+
+ void setCpanEnabled(Boolean value) {
+ cpanEnabled.set(value)
+ }
+
 /**
 * Sets whether the Node.js Analyzer should be used.
 * @deprecated Use nodePackage { enabled = true }
 */
+ @Input
+ @Optional
 @Deprecated
- Boolean nodeEnabled
+ Property getNodeEnabled() {
+ return nodeEnabled
+ }
+
+ void setNodeEnabled(Boolean value) {
+ nodeEnabled.set(value)
+ }
+
 /**
 * Sets whether the NSP Analyzer should be used.
 * @deprecated As of the 5.2.5 - please use nodeAudit { enabled = true }
 */
+ @Input
+ @Optional
 @Deprecated
- Boolean nodeAuditEnabled
+ Property getNodeAuditEnabled() {
+ return nodeAuditEnabled
+ }
+
+ void setNodeAuditEnabled(Boolean value) {
+ nodeAuditEnabled.set(value)
+ }
+
 /**
 * Sets whether the Nuget packages.config Configuration Analyzer should be used.
 */
- Boolean nugetconfEnabled
+ @Input
+ @Optional
+ Property getNugetconfEnabled() {
+ return nugetconfEnabled
+ }
+
+ void setNugetconfEnabled(Boolean value) {
+ nugetconfEnabled.set(value)
+ }
+
 /**
 * Sets whether the OSS Index Analyzer should be used.
 * @deprecated As of the 5.0.1 - please use ossIndex { enabled = true }
 */
+ @Input
+ @Optional
 @Deprecated
- Boolean ossIndexEnabled
+ Property getOssIndexEnabled() {
+ return ossIndexEnabled
+ }
+
+ void setOssIndexEnabled(Boolean value) {
+ ossIndexEnabled.set(value)
+ }
 /**
 * The configuration extension for known exploited vulnerabilities settings.
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
index 6212ffe..6417aae 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
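Review bot: `@Input`/`@Optional` on the new getters only influence Gradle's up-to-date checking if this extension is reached from a task through a `@Nested` property; if `ConfiguredTask` holds it as a plain field or `@Internal`, the annotations are inert and flipping an analyzer switch would not invalidate a previous run's outputs, which starts to matter once `@OutputDirectory` is introduced in the second patch of this series — confirm how the extension is exposed on the task. The Javadoc above the new `getDartEnabled()` still reads `Sets whether the swift package manager analyzer is enabled.` (copied from `getSwiftEnabled()`); since the getter is new, `Sets whether the Dart analyzer is enabled.` is the right text. The new setters carry no Javadoc at all; a one-line `/** Sets ... */` per setter would keep the generated docs consistent with the getters.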
@@ -121,58 +121,58 @@ abstract class ConfiguredTask extends DefaultTask {
 throw new InvalidUserDataException('Invalid setting: `validForHours` must be 0 or greater')
 }
 }
- settings.setBooleanIfNotNull(ANALYZER_JAR_ENABLED, config.analyzers.jarEnabled)
- settings.setBooleanIfNotNull(ANALYZER_NUSPEC_ENABLED, config.analyzers.nuspecEnabled)
- settings.setBooleanIfNotNull(ANALYZER_OSSINDEX_ENABLED, select(config.analyzers.ossIndex.enabled.getOrNull(), config.analyzers.ossIndexEnabled))
+ settings.setBooleanIfNotNull(ANALYZER_JAR_ENABLED, config.analyzers.jarEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_NUSPEC_ENABLED, config.analyzers.nuspecEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_OSSINDEX_ENABLED, select(config.analyzers.ossIndex.enabled.getOrNull(), config.analyzers.ossIndexEnabled.getOrNull()))
 settings.setBooleanIfNotNull(ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, config.analyzers.ossIndex.warnOnlyOnRemoteErrors.getOrNull())
 settings.setBooleanIfNotNull(ANALYZER_OSSINDEX_ENABLED, config.analyzers.ossIndex.enabled.getOrNull())
 settings.setStringIfNotEmpty(ANALYZER_OSSINDEX_USER, config.analyzers.ossIndex.username.getOrNull())
 settings.setStringIfNotEmpty(ANALYZER_OSSINDEX_PASSWORD, config.analyzers.ossIndex.password.getOrNull())
 settings.setStringIfNotEmpty(ANALYZER_OSSINDEX_URL, config.analyzers.ossIndex.url.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_CENTRAL_ENABLED, config.analyzers.centralEnabled)
+ settings.setBooleanIfNotNull(ANALYZER_CENTRAL_ENABLED, config.analyzers.centralEnabled.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_NEXUS_ENABLED, config.analyzers.nexusEnabled)
- settings.setStringIfNotEmpty(ANALYZER_NEXUS_URL, config.analyzers.nexusUrl)
- settings.setBooleanIfNotNull(ANALYZER_NEXUS_USES_PROXY, config.analyzers.nexusUsesProxy)
+ settings.setBooleanIfNotNull(ANALYZER_NEXUS_ENABLED, config.analyzers.nexusEnabled.getOrNull())
+ settings.setStringIfNotEmpty(ANALYZER_NEXUS_URL, config.analyzers.nexusUrl.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_NEXUS_USES_PROXY, config.analyzers.nexusUsesProxy.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_EXPERIMENTAL_ENABLED, config.analyzers.experimentalEnabled)
- settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzers.archiveEnabled)
+ settings.setBooleanIfNotNull(ANALYZER_EXPERIMENTAL_ENABLED, config.analyzers.experimentalEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzers.archiveEnabled.getOrNull())
 settings.setBooleanIfNotNull(ANALYZER_KNOWN_EXPLOITED_ENABLED, config.analyzers.kev.enabled.getOrNull())
 settings.setStringIfNotNull(KEV_URL, config.analyzers.kev.url.getOrNull())
 settings.setIntIfNotNull(KEV_CHECK_VALID_FOR_HOURS, config.analyzers.kev.validForHours.getOrNull())
 settings.setStringIfNotNull(KEV_USER, config.analyzers.kev.user.getOrNull())
 settings.setStringIfNotNull(KEV_PASSWORD, config.analyzers.kev.password.getOrNull())
 settings.setStringIfNotNull(KEV_BEARER_TOKEN, config.analyzers.kev.bearerToken.getOrNull())
- settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzers.zipExtensions)
- settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzers.assemblyEnabled)
- settings.setBooleanIfNotNull(ANALYZER_MSBUILD_PROJECT_ENABLED, config.analyzers.msbuildEnabled)
- settings.setStringIfNotEmpty(ANALYZER_ASSEMBLY_DOTNET_PATH, config.analyzers.pathToDotnet)
- settings.setBooleanIfNotNull(ANALYZER_GOLANG_DEP_ENABLED, config.analyzers.golangDepEnabled)
- settings.setBooleanIfNotNull(ANALYZER_GOLANG_MOD_ENABLED, config.analyzers.golangModEnabled)
- settings.setStringIfNotNull(ANALYZER_GOLANG_PATH, config.analyzers.pathToGo)
+ settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzers.zipExtensions.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzers.assemblyEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_MSBUILD_PROJECT_ENABLED, config.analyzers.msbuildEnabled.getOrNull())
+ settings.setStringIfNotEmpty(ANALYZER_ASSEMBLY_DOTNET_PATH, config.analyzers.pathToDotnet.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_GOLANG_DEP_ENABLED, config.analyzers.golangDepEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_GOLANG_MOD_ENABLED, config.analyzers.golangModEnabled.getOrNull())
+ settings.setStringIfNotNull(ANALYZER_GOLANG_PATH, config.analyzers.pathToGo.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_COCOAPODS_ENABLED, config.analyzers.cocoapodsEnabled)
- settings.setBooleanIfNotNull(ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, config.analyzers.swiftEnabled)
- settings.setBooleanIfNotNull(ANALYZER_DART_ENABLED, config.analyzers.dartEnabled)
- settings.setBooleanIfNotNull(ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, config.analyzers.swiftPackageResolvedEnabled)
- settings.setBooleanIfNotNull(ANALYZER_BUNDLE_AUDIT_ENABLED, config.analyzers.bundleAuditEnabled)
- settings.setStringIfNotEmpty(ANALYZER_BUNDLE_AUDIT_PATH, config.analyzers.pathToBundleAudit)
+ settings.setBooleanIfNotNull(ANALYZER_COCOAPODS_ENABLED, config.analyzers.cocoapodsEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, config.analyzers.swiftEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_DART_ENABLED, config.analyzers.dartEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, config.analyzers.swiftPackageResolvedEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_BUNDLE_AUDIT_ENABLED, config.analyzers.bundleAuditEnabled.getOrNull())
+ settings.setStringIfNotEmpty(ANALYZER_BUNDLE_AUDIT_PATH, config.analyzers.pathToBundleAudit.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, config.analyzers.pyDistributionEnabled)
- settings.setBooleanIfNotNull(ANALYZER_PYTHON_PACKAGE_ENABLED, config.analyzers.pyPackageEnabled)
- settings.setBooleanIfNotNull(ANALYZER_RUBY_GEMSPEC_ENABLED, config.analyzers.rubygemsEnabled)
- settings.setBooleanIfNotNull(ANALYZER_OPENSSL_ENABLED, config.analyzers.opensslEnabled)
- settings.setBooleanIfNotNull(ANALYZER_CMAKE_ENABLED, config.analyzers.cmakeEnabled)
- settings.setBooleanIfNotNull(ANALYZER_AUTOCONF_ENABLED, config.analyzers.autoconfEnabled)
- settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_ENABLED, config.analyzers.composerEnabled)
- settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_SKIP_DEV, config.analyzers.composerSkipDev)
- settings.setBooleanIfNotNull(ANALYZER_CPANFILE_ENABLED, config.analyzers.cpanEnabled)
- settings.setBooleanIfNotNull(ANALYZER_NUGETCONF_ENABLED, config.analyzers.nugetconfEnabled)
+ settings.setBooleanIfNotNull(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, config.analyzers.pyDistributionEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_PYTHON_PACKAGE_ENABLED, config.analyzers.pyPackageEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_RUBY_GEMSPEC_ENABLED, config.analyzers.rubygemsEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_OPENSSL_ENABLED, config.analyzers.opensslEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_CMAKE_ENABLED, config.analyzers.cmakeEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_AUTOCONF_ENABLED, config.analyzers.autoconfEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_ENABLED, config.analyzers.composerEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_SKIP_DEV, config.analyzers.composerSkipDev.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_CPANFILE_ENABLED, config.analyzers.cpanEnabled.getOrNull())
+ settings.setBooleanIfNotNull(ANALYZER_NUGETCONF_ENABLED, config.analyzers.nugetconfEnabled.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_ENABLED, select(config.analyzers.nodePackage.enabled.getOrNull(), config.analyzers.nodeEnabled))
+ settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_ENABLED, select(config.analyzers.nodePackage.enabled.getOrNull(), config.analyzers.nodeEnabled.getOrNull()))
 settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_SKIPDEV, config.analyzers.nodePackage.skipDevDependencies.getOrNull())
- settings.setBooleanIfNotNull(ANALYZER_NODE_AUDIT_ENABLED, select(config.analyzers.nodeAudit.enabled.getOrNull(), config.analyzers.nodeAuditEnabled))
+ settings.setBooleanIfNotNull(ANALYZER_NODE_AUDIT_ENABLED, select(config.analyzers.nodeAudit.enabled.getOrNull(), config.analyzers.nodeAuditEnabled.getOrNull()))
 settings.setBooleanIfNotNull(ANALYZER_NODE_AUDIT_USE_CACHE, config.analyzers.nodeAudit.useCache.getOrNull())
 settings.setBooleanIfNotNull(ANALYZER_NODE_AUDIT_SKIPDEV, config.analyzers.nodeAudit.skipDevDependencies.getOrNull())
 settings.setStringIfNotEmpty(ANALYZER_NODE_AUDIT_URL, config.analyzers.nodeAudit.url.getOrNull())
From 08e46ff4421523785acc3e2de5578bba4a78d6a8 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 13 Oct 2025 08:31:49 -0400
Subject: [PATCH 2/4] fix: add @OutputDirectory for eventual caching support
---
 .../gradle/DependencyCheckPlugin.groovy | 6 ++++++
 .../gradle/tasks/AbstractAnalyze.groovy | 18 +++++++++++++++++-
 .../gradle/tasks/Aggregate.groovy | 7 ++++++-
 .../gradle/tasks/Analyze.groovy | 7 ++++++-
 4 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
index b065629..c39a70d 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
@@ -25,6 +25,7 @@ import org.gradle.api.Plugin
 import org.gradle.api.Project
 import org.gradle.util.GradleVersion
 import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension
+import org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze
 import org.owasp.dependencycheck.gradle.tasks.Aggregate
 import org.owasp.dependencycheck.gradle.tasks.Analyze
 import org.owasp.dependencycheck.gradle.tasks.Purge
@@ -76,6 +77,11 @@ class DependencyCheckPlugin implements Plugin {
 project.task(ANALYZE_TASK, type: Analyze)
 project.task(AGGREGATE_TASK, type: Aggregate)
 }
+
+ def ext = project.extensions.getByType(DependencyCheckExtension)
+ project.tasks.withType(AbstractAnalyze).configureEach { t ->
+ t.outputDir.convention(ext.outputDirectory)
+ }
 }
 void checkGradleVersion(Project project) {
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
index c4980d4..1a51802 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -32,10 +32,13 @@ import org.gradle.api.artifacts.result.DependencyResult
 import org.gradle.api.artifacts.result.ResolvedArtifactResult
 import org.gradle.api.artifacts.result.ResolvedComponentResult
 import org.gradle.api.artifacts.result.ResolvedDependencyResult
+import org.gradle.api.file.DirectoryProperty
+import org.gradle.api.model.ObjectFactory
 import org.gradle.maven.MavenModule
 import org.gradle.maven.MavenPomArtifact
 import org.gradle.api.attributes.Attribute
 import org.gradle.api.tasks.Internal
+import org.gradle.api.tasks.OutputDirectory
 import org.gradle.api.tasks.TaskAction
 import org.gradle.util.GradleVersion
 import org.owasp.dependencycheck.Engine
@@ -55,6 +58,8 @@ import org.owasp.dependencycheck.utils.Checksum
 import org.owasp.dependencycheck.xml.pom.PomUtils
 import us.springett.parsers.cpe.CpeParser
+import javax.inject.Inject
+
 import static org.owasp.dependencycheck.dependency.EvidenceType.PRODUCT
 import static org.owasp.dependencycheck.dependency.EvidenceType.VENDOR
 import static org.owasp.dependencycheck.reporting.ReportGenerator.Format
@@ -76,6 +81,17 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 private final Map pomCache = new HashMap<>()
+ /**
+ * The output directory for the dependency-check reports.
+ */
+ @OutputDirectory
+ final DirectoryProperty outputDir
+
+ @Inject
+ AbstractAnalyze(ObjectFactory objects) {
+ outputDir = objects.directoryProperty()
+ }
+
 /**
 * Calls dependency-check-core's analysis engine to scan
 * all of the projects dependencies.
@@ -121,7 +137,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 String displayName = determineDisplayName()
 String groupId = project.getGroup()
 String version = project.getVersion().toString()
- File output = config.outputDirectory.get().asFile
+ File output = outputDir.get().asFile
 for (String f : getReportFormats(config.format.get(), config.formats.get())) {
 engine.writeReports(displayName, groupId, name, version, output, f, exCol)
 }
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
index 5691080..0fe3c48 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
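Review bot: Declaring `outputDir` as `@OutputDirectory` in the `-76,6` hunk changes when Gradle runs the analyze tasks: a task whose declared inputs and outputs are unchanged since the last run is skipped as UP-TO-DATE, so unless `ConfiguredTask` declares the real inputs of a scan (the resolved dependency graph, suppression files, the state of the vulnerability database) as `@Input`/`@InputFiles`, a second build can leave a stale report in place without scanning at all — confirm what the base class declares, and until caching is actually wired up keep the task always-run with `outputs.upToDateWhen { false }` in the new constructor. `File output = outputDir.get().asFile` in the `-121,7` hunk throws `MissingValueException` when the property has neither a value nor a convention; the plugin's `configureEach` supplies one for the tasks it registers, but a task of this type declared directly in a build script gets none, so `outputDir.convention(config.outputDirectory)` in the constructor (if `config` is available there) would be the safer place for the default. The method containing the `-121,7` hunk starts and ends outside it.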
@@ -19,16 +19,21 @@ package org.owasp.dependencycheck.gradle.tasks
 import org.gradle.api.Project
+import org.gradle.api.model.ObjectFactory
 import org.owasp.dependencycheck.Engine
 import org.owasp.dependencycheck.gradle.DependencyCheckPlugin
+import javax.inject.Inject
+
 /**
 * Checks the projects dependencies for known vulnerabilities.
 */
 @groovy.transform.CompileStatic
 class Aggregate extends AbstractAnalyze {
- Aggregate() {
+ @Inject
+ Aggregate(ObjectFactory objects) {
+ super(objects)
 group = 'OWASP dependency-check'
 description = 'Identifies and reports known vulnerabilities (CVEs) in multi-project dependencies.'
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
index b4645be..f14617f 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
@@ -18,15 +18,20 @@ package org.owasp.dependencycheck.gradle.tasks
+import org.gradle.api.model.ObjectFactory
 import org.owasp.dependencycheck.Engine
+import javax.inject.Inject
+
 /**
 * Checks the projects dependencies for known vulnerabilities.
 */
 @groovy.transform.CompileStatic
 class Analyze extends AbstractAnalyze {
- Analyze() {
+ @Inject
+ Analyze(ObjectFactory objects) {
+ super(objects)
 group = 'OWASP dependency-check'
 description = 'Identifies and reports known vulnerabilities (CVEs) in project dependencies.'
From f30ba85b0d6498a5b6a723c7da53355cb014d11b Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Mon, 13 Oct 2025 22:31:08 +0800
Subject: [PATCH 3/4] fix: correct file type analyzer default configuration (#477)
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../extension/DependencyCheckExtension.groovy | 15 +++++++++++----
 .../gradle/tasks/AbstractAnalyze.groov​y | 4 ++--
 .../dependencycheck/gradle/tasks/Aggregate.groovy | 4 ++--
 .../dependencycheck/gradle/tasks/Analyze.groovy | 4 ++--
 .../dependencycheck/gradle/tasks/Update.groovy | 4 ++--
 5 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
index c58488a..d6c5695 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
@@ -74,7 +74,9 @@ class DependencyCheckExtension {
 private final ListProperty skipGroups
 private final ListProperty analyzedTypes
 private final Property skip
+
 private final ConfigurableFileCollection scanSet
+ private boolean scanSetConfigured = false
 /**
 * The configuration extension for proxy settings.
@@ -386,8 +388,8 @@ class DependencyCheckExtension {
 }
 void setFailBuildOnCVSS(Number value) {
- failBuildOnCVSS.set(value?.floatValue())
-}
+ failBuildOnCVSS.set(value?.floatValue())
+ }
 /**
 * Specifies the CVSS score that should be considered a failure when generating a JUNIT formatted report. The default
@@ -400,8 +402,8 @@ class DependencyCheckExtension {
 }
 void setJunitFailOnCVSS(Number value) {
- junitFailOnCVSS.set(value?.floatValue())
-}
+ junitFailOnCVSS.set(value?.floatValue())
+ }
 /**
 * Specifies that if any unused suppression rule is found, the build will fail.
@@ -540,13 +542,18 @@ class DependencyCheckExtension {
 }
 void setScanSet(List files) {
+ scanSetConfigured = true
 scanSet.setFrom(files)
 }
 void setScanSet(File... files) {
+ scanSetConfigured = true
 scanSet.setFrom(files)
 }
+ boolean isScanSetConfigured() {
+ scanSetConfigured
+ }
 /**
 * Allows programmatic configuration of the proxy extension
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
index 1a51802..36193b0 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -392,7 +392,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 /**
 * Determines if the configuration should be considered a test configuration.
 * @param configuration the configuration to insepct
- * @return true if the configuration is considered a tet configuration; otherwise false
+ * @return true if the configuration is considered a test configuration; otherwise false
 */
 @groovy.transform.CompileStatic
 boolean isTestConfiguration(Configuration configuration) {
@@ -503,7 +503,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 processConfigV4 project, configuration, engine
 }
 }
- if (config.scanSet == null) {
+ if (!config.isScanSetConfigured()) {
 List toScan = ['src/main/resources', 'src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './yarn.lock',
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
index 0fe3c48..2d649bb 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
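Review bot: `isScanSetConfigured()` only becomes true through the two `setScanSet` overloads, so a build script that populates the collection through its getter (`scanSet.from(...)`, assuming a `getScanSet()` exists — it is outside the hunk) leaves the flag false and `AbstractAnalyze` (`-503,7` hunk in this patch) still applies the default file list on top of the user's files. `boolean isScanSetConfigured() { scanSetConfigured || !scanSet.getFrom().isEmpty() }` would cover both paths without resolving the collection; confirm that an intentionally empty scan set is not meant to suppress the defaults before changing it. The new method is also the only public member in this hunk without Javadoc; `/** @return true if the user configured {@code scanSet}; otherwise the default scan locations are used. */` matches the file's style.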
@@ -57,10 +57,10 @@ class Aggregate extends AbstractAnalyze {
     private def scanProject(Set projects, Engine engine) {
         projects.each { Project project ->
             if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
-                if (this.config.scanDependencies) {
+                if (this.config.scanDependencies.get()) {
                     processConfigurations(project, engine)
                 }
-                if (this.config.scanBuildEnv) {
+                if (this.config.scanBuildEnv.get()) {
                     processBuildEnvironment(project, engine)
                 }
             }
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
index f14617f..1c0a042 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
@@ -46,10 +46,10 @@ class Analyze extends AbstractAnalyze {
     def scanDependencies(Engine engine) {
         if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
             logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
-            if (this.config.scanDependencies) {
+            if (this.config.scanDependencies.get()) {
                 processConfigurations(project, engine)
             }
-            if (this.config.scanBuildEnv) {
+            if (this.config.scanBuildEnv.get()) {
                 processBuildEnvironment(project, engine)
             }
         }
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy
index e941df4..45e4741 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy
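Review bot: `this.config.scanDependencies.get()` and `this.config.scanBuildEnv.get()` abort the task with a missing-value error if the `Property` has neither a value nor a convention, and the same pattern is introduced in the Analyze hunk on this line and for `config.failOnError` in the Update hunk that follows. If the extension establishes conventions for these properties (not visible in this diff) the calls are safe; otherwise `getOrElse(...)` with the documented default would keep a definite outcome instead of failing the scan before any dependency is examined, which for `failOnError` would also mask the original `DatabaseException`/`UpdateException` being handled. `scanProject`'s closing braces are outside the hunk.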
@@ -56,13 +56,13 @@ class Update extends ConfiguredTask {
             engine.doUpdates()
         } catch (DatabaseException ex) {
             String msg = "Unable to connect to the dependency-check database"
-            if (config.failOnError) {
+            if (config.failOnError.get()) {
                 throw new GradleException(msg, ex)
             } else {
                 logger.error(msg)
             }
         } catch (UpdateException ex) {
-            if (config.failOnError) {
+            if (config.failOnError.get()) {
                 throw new GradleException(ex.getMessage(), ex)
             } else {
                 logger.error(ex.getMessage())

From f0297c51a1094ca9decd0da3aab323b483282ba5 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 13 Oct 2025 16:05:38 -0400
Subject: [PATCH 4/4] fix: simplify configuration per peer review

---
 .../dependencycheck/gradle/DependencyCheckPlugin.groovy | 5 -----
 .../dependencycheck/gradle/tasks/AbstractAnalyze.groovy | 3 +--
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
index c39a70d..823efb3 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy
@@ -77,11 +77,6 @@ class DependencyCheckPlugin implements Plugin {
             project.task(ANALYZE_TASK, type: Analyze)
             project.task(AGGREGATE_TASK, type: Aggregate)
         }
-
-        def ext = project.extensions.getByType(DependencyCheckExtension)
-        project.tasks.withType(AbstractAnalyze).configureEach { t ->
-            t.outputDir.convention(ext.outputDirectory)
-        }
     }
 
     void checkGradleVersion(Project project) {
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
index 36193b0..1ec588c 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -89,7 +89,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
     @Inject
     AbstractAnalyze(ObjectFactory objects) {
-        outputDir = objects.directoryProperty()
+        outputDir = objects.directoryProperty().convention(config.outputDirectory)
     }
 
     /**
@@ -192,7 +192,6 @@ abstract class AbstractAnalyze extends ConfiguredTask {
         }
     }
 
-
     /**
      * Combines the configured suppressionFile and suppressionFiles into a
      * single array.
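Review bot: The constructor now reads `config.outputDirectory` while the task is being instantiated, so it relies on `config` already being resolved by ConfiguredTask at that point (its initialization is outside this diff) and on `outputDirectory` being a value `DirectoryProperty.convention(...)` accepts; please confirm both, because a failure here surfaces as a task-creation error rather than a clear configuration message. The `configureEach` wiring this replaces was removed from DependencyCheckPlugin in the preceding hunk, and the reason for moving it is not recorded anywhere near the new line. A one-line comment such as `// default to the extension's outputDirectory (replaces the plugin-level configureEach wiring)` would keep that context with the code.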