dependency-check · jeremylong · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
@@ -74,7 +74,9 @@ class DependencyCheckExtension {
     private final ListProperty<String> skipGroups
     private final ListProperty<String> analyzedTypes
     private final Property<Boolean> skip
+
     private final ConfigurableFileCollection scanSet
+    private boolean scanSetConfigured = false
 
     /**
      * The configuration extension for proxy settings.
@@ -386,8 +388,8 @@ class DependencyCheckExtension {
     }
 
     void setFailBuildOnCVSS(Number value) {
-    failBuildOnCVSS.set(value?.floatValue())
-}
+        failBuildOnCVSS.set(value?.floatValue())
+    }
 
     /**
      * Specifies the CVSS score that should be considered a failure when generating a JUNIT formatted report. The default
@@ -400,8 +402,8 @@ class DependencyCheckExtension {
     }
 
     void setJunitFailOnCVSS(Number value) {
-    junitFailOnCVSS.set(value?.floatValue())
-}
+        junitFailOnCVSS.set(value?.floatValue())
+    }
 
     /**
      * Specifies that if any unused suppression rule is found, the build will fail.
@@ -540,13 +542,18 @@ class DependencyCheckExtension {
     }
 
     void setScanSet(List<File> files) {
+        scanSetConfigured = true
         scanSet.setFrom(files)
     }
 
     void setScanSet(File... files) {
+        scanSetConfigured = true
         scanSet.setFrom(files)
     }
 
+    boolean isScanSetConfigured() {
+        scanSetConfigured
+    }
 
     /**
      * Allows programmatic configuration of the proxy extension

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -392,7 +392,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
     /**
      * Determines if the configuration should be considered a test configuration.
      * @param configuration the configuration to insepct
-     * @return true if the configuration is considered a tet configuration; otherwise false
+     * @return true if the configuration is considered a test configuration; otherwise false
      */
     @groovy.transform.CompileStatic
     boolean isTestConfiguration(Configuration configuration) {
@@ -503,7 +503,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
                 processConfigV4 project, configuration, engine
             }
         }
-        if (config.scanSet == null) {
+        if (!config.isScanSetConfigured()) {
             List<String> toScan = ['src/main/resources', 'src/main/webapp',
                                    './package.json', './package-lock.json',
                                    './npm-shrinkwrap.json', './yarn.lock',

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
@@ -57,10 +57,10 @@ class Aggregate extends AbstractAnalyze {
     private def scanProject(Set<Project> projects, Engine engine) {
         projects.each { Project project ->
             if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
-                if (this.config.scanDependencies) {
+                if (this.config.scanDependencies.get()) {
                     processConfigurations(project, engine)
                 }
-                if (this.config.scanBuildEnv) {
+                if (this.config.scanBuildEnv.get()) {
                     processBuildEnvironment(project, engine)
                 }
             }

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
@@ -46,10 +46,10 @@ class Analyze extends AbstractAnalyze {
     def scanDependencies(Engine engine) {
         if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
             logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
-            if (this.config.scanDependencies) {
+            if (this.config.scanDependencies.get()) {
                 processConfigurations(project, engine)
             }
-            if (this.config.scanBuildEnv) {
+            if (this.config.scanBuildEnv.get()) {
                 processBuildEnvironment(project, engine)
             }
         }

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Update.groovy
@@ -56,13 +56,13 @@ class Update extends ConfiguredTask {
             engine.doUpdates()
         } catch (DatabaseException ex) {
             String msg = "Unable to connect to the dependency-check database"
-            if (config.failOnError) {
+            if (config.failOnError.get()) {
                 throw new GradleException(msg, ex)
             } else {
                 logger.error(msg)
             }
         } catch (UpdateException ex) {
-            if (config.failOnError) {
+            if (config.failOnError.get()) {
                 throw new GradleException(ex.getMessage(), ex)
             } else {
                 logger.error(ex.getMessage())