boxheed / gradle-osv-scanner-plugin
License: Apache License 2.0
Add support for 1.7.4
See release notes for changes
It should be possible to specify a pre-installed binary which, if specified, overrides the defaults.
Currently the task fails based on the output from osv-scanner. It should be possible to define a measure that will define whether a build fails or not. This could include the following but may not be limited to:
The plugin should generate a report in json format
Create the outline of a gradle plugin project
osv-scanner depends on a gradle lock file; not all projects are configured to generate such a file. It could be possible to obtain the resolved dependencies without a lock file and use that to call the osv api directly.
Support this as a mode.
osv-scanner supports a suppressions file. Currently this supports a suppressions file in the directory. It is possible to set an alternate configuration file using the --config flag. The plugin should support this as a first class parameter. Currently this can be set using the flags field.
https://google.github.io/osv-scanner/configuration/
Just had a little trouble with getting to start using the plugin.
Suggest to add gradlePluginPortal() into pluginManagement inside settings.gradle.kts:

    pluginManagement {
        repositories {
            gradlePluginPortal()
            google()
            mavenCentral()
        }
    }

Thereafter in build.gradle.kts we can add the plugin:

    plugins {
        id("com.fizzpod.osv-scanner") version "3.0.7"
    }

The other suggested repositories to add didn't work or it was not clear enough where to put them, resulting in errors like:

    Could not find com.fizzpod:gradle-osv-scanner-plugin
As lockfiles rely on a configuration it would be good if the plugin could optionally create that.
The plugin should ship with the latest version of OSV Scanner
--experimental-licenses-summary is a flag to generate licence summary data
osv-scanner supports specifying an SBOM file with the --sbom command line parameter. The plugin should support that as a mode.
Dependency Check outputs a file in a format that Sonar understands; it would be good for this plugin to produce the same report format.
osv-scanner supports specifying the lock files on the command line; it should be possible to support --lockfile as a mode.
The plugin should re-use the osv-scanner that it has already downloaded.
Behaviour
Considerations
- bin/<version>/osv-scanner
- the latest folder should have a marker file specifying the version number of the latest, bin/latest/version.txt, to point to the specific binary
- the build directory, or a .osv-scanner directory in the project root