boxheed / gradle-osv-scanner-plugin Goto Github PK

Add support for 1.7.4

See release notes for changes

It should be possible to specify a pre-installed binary that if specified overrides the defaults

Currently the task fails based on the output from osv-scanner. It should be possible to define a measure that will define whether a build fails or not. This could include the following but may not be limited to:

• The number of vulnerabilities
• The severity of the vulnerabilities

The plugin should generate a report in json format

Create the outline of a gradle plugin project

osv-scanner depends on a gradle lock file, not all projects are configured to generate such a file. It could be possible to obtain the resolved dependencies without a lock file and use that to call the osv api directly.

Support this as a mode

osv-scanner supports a suppressions file. Currently this supports a suppressions file in the directory. It is possible to set an alternate configuration file using the --config flag. the plugin should support this as a first class parameter. Currently this can be set using the flags field
https://google.github.io/osv-scanner/configuration/

Just had a little trouble with getting to start using the plugin.

Suggest to add gradlePlguinPortal() into pluginManagement inside settings.gradle.kts

pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
        mavenCentral()
    }
}

Thereafter in build.gradle.kts we can add the plugin:

plugins {
    id("com.fizzpod.osv-scanner") version "3.0.7"
}

The other suggested repositories to add didn't work or not clear enough where to put it. Resulting in errors like:
Could not find com.fizzpod:gradle-osv-scanner-plugin

As lockfiles rely on a configuration it would be good if the plugin could optionally create that.

The plugin should ship with the latest version of OSV Scanner

--experimental-licenses-summary is a flag to generate licence summary data

osv-scanner supports specifying an SBOM file with the --sbom command line parameter. The plugin should support that as a mode

Dependency Check outputs a file in a format that Sonar understands it would be good for this plugin to produce the same report format.

osv-scanner supports specifying the lock files on the commandline, its should be possible to support --lockfile as a mode

The plugin should re-use the osv-scanner that it has already downloaded.

Behaviour

• The plugin should track the binaries it has downloaded
• If 'latest' is specified it should have a ttl for the binary before updating it

Considerations

• The binaries should live in versioned subfolders probably bin/<version>/osv-scanner
• The latest folder should have a marker file specifying the version number of the latest bin/latest/version.txt to point to the specific binary
• The TTL should be based on the date of the marker file
• The TTL should be configurable but default to 24 hours
• If the version hasn't changed then it shouldn't re-download
• Consider whether the binaries be cached in the build directory or in a .osv-scanner directory in the project root
• Allow the cache directory to be configurable