Open source software name (OpenSource Name): sonatype-nexus-community/ossindex-gradle-plugin
Open source software URL (OpenSource Url): https://github.com/sonatype-nexus-community/ossindex-gradle-plugin
Open source programming language (OpenSource Language): Java 89.3%
Open source software introduction (OpenSource Introduction):

ossindex-gradle-plugin
Audits a gradle project using the OSS Index REST API v3 to identify known vulnerabilities in its dependencies.

New Release Notes
This release uses the new OSS Index v3 API. There are a few differences of note:
Table of Contents
Requirements
Usage

Installing
(NOTE: Versions < 1.0 are considered preview) The plugin is available at the Gradle plugin repository. To use it either place (replace
in your If you use an older Gradle version you can use
Running the audit
To run the audit standalone specify the task
To use it before compiling write
into your buildscript.

Success output
This will run the OSS Index Auditor against the applicable maven project. A successful scan finding no errors will look something like this:

Error output
If a vulnerability is found that might impact your project, the output will resemble the following, where the package and vulnerability details depend on what is identified.

Credentials
The OSS Index API is rate limited. In many cases the limit is more than
sufficient, however in heavier use cases an increased limit might be desired.
This can be attained by creating a user account at
OSS Index and supplying the username and As you don't want credentials stored in a source repository, you use the gradle properties file to specify the cache folder. In the gradle properties, write this:
In your build.gradle file, add the following.
The credentialed rate limit is 64 requests per hour, where each request can fetch information for up to 128 packages. (Strictly speaking, you actually have 64 requests which replenish at a rate of one per minute.)

Prevent error on exceeding rate limit
It may be that you know you are going to exceed the rate limit, but you want a run to complete without failing. This is done by setting the "rateLimitAsError" option.
By default the cache resets every 12 hours, which means if you exceed the credentialed limit, you can run multiple times a day (e.g. once an hour) and cached packages WILL NOT be rechecked on the server, so rate limiting will not be affected by those packages.

Dependency tree of vulnerabilities
If the

Reporting in a Jenkins Pipeline
The gradle plugin supports writing out test reports in the correct XML format for the Jenkins JUnit Reporting Plugin. To switch on this reporting, set the path to the report in your project's build.gradle file using the "junitReport" element like so:
This would create the file in an /ossindex folder in the project root. To access this using the JUnit plugin in a Jenkins pipeline:
NOTE: The junit plugin uses a slightly different syntax to reference the path. The example code creates a stage in the pipeline, best put between checkout and compile, to run the ossindex scan and then run the reporting plugin. The line:
ensures that the build fails if any failures are reported. Set
as failOnError is true by default and will cause the scan to exit on the first failure, instead of finding them all.

Stages

Report Output

Disable fail on error
To let the build continue when vulnerabilities are found you can override the
Ignore: Simple vulnerability management
To ignore vulnerabilities from specific artifacts you can specify the artifacts in two ways. Ignore a specific version:
Ignore a specific artifact (all versions):
Exclusions: Advanced vulnerability management
Exclusions serve a similar purpose to "ignore", but with more expressiveness. Ignore all vulnerabilities in a specific package version. This ignores only vulnerabilities directly in the specified package.
Ignore all vulnerabilities in a specific package. This ignores only vulnerabilities directly in the specified package.
Ignore a specific vulnerability. Some vulnerabilities are assigned to multiple packages. This will ignore all instances of this vulnerability in any package.
Ignore a specific vulnerability in a specific package version's dependencies. Note that this vulnerability does not necessarily need to belong to the exact package, but be somewhere in the dependency tree under the package. As vulnerabilities are assigned to "vulnerable packages", including the vulnerable package itself in this way will ignore the vulnerability for anyone who depends on this package version. Instead you can specify a parent package which does not express the vulnerability or otherwise mitigates the problem, while other packages that include the vulnerable package will still report the vulnerability.
Ignore a specific vulnerability belonging to a specific package's dependencies (any version). Note that this vulnerability does not necessarily need to belong to the exact package, but be somewhere in the dependency tree under the package. As vulnerabilities are assigned to "vulnerable packages", including the vulnerable package itself in this way will ignore the vulnerability for anyone who depends on this package. Instead you can specify a parent package which does not express the vulnerability or otherwise mitigates the problem, while other packages that include the vulnerable package will still report the vulnerability.
Ignore a specific vulnerability belonging to a dependency path that has multiple packages that MUST be in the path. This can handle more complex situations. For example: The same vulnerability can affect both package 'A' and 'B'. Our code includes 'A' as a dependency of 'Z'. By setting up the exclusion using both 'A' and 'Z' we exclude the vulnerability only in the situation where it is found in package 'A' when included by 'Z'. The vulnerability will still be reported if:
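The ignore and exclusion rules above, modelled as an added example (this is not the plugin's own code): a finding is a vulnerability id plus the dependency path that led to it, and an exclusion either names a package (ignoring only vulnerabilities directly in it), a vulnerability (ignoring it everywhere), or a vulnerability plus packages that must all appear on the path in order, which reproduces the A/B/Z scenario. Coordinates, vulnerability ids and findings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed model of the README's ignore/exclusion semantics. Coordinates are
# "group:artifact:version"; a pattern without a version matches every version.
@dataclass(frozen=True)
class Finding:
    vuln_id: str
    path: Tuple[str, ...]   # dependency path, root-most first, ending in the vulnerable package
    @property
    def package(self) -> str:
        return self.path[-1]

@dataclass(frozen=True)
class Exclusion:
    vuln_id: Optional[str] = None       # None: any vulnerability
    packages: Tuple[str, ...] = ()      # all must appear on the path, in this order

def coord_matches(pattern: str, coord: str) -> bool:
    if pattern.count(":") == 1:         # "group:artifact" -> any version of that artifact
        return coord.rsplit(":", 1)[0] == pattern
    return coord == pattern

def on_path_in_order(patterns: Sequence[str], path: Sequence[str]) -> bool:
    # Each pattern must match a path element after the previous match (parent before child).
    pos = 0
    for pat in patterns:
        while pos < len(path) and not coord_matches(pat, path[pos]):
            pos += 1
        if pos == len(path):
            return False
        pos += 1
    return True

def is_excluded(f: Finding, e: Exclusion) -> bool:
    if e.vuln_id is not None and e.vuln_id != f.vuln_id:
        return False
    if not e.packages:                  # vulnerability id alone: ignored in every package
        return True
    if e.vuln_id is None:               # package alone: only vulnerabilities directly in it
        return len(e.packages) == 1 and coord_matches(e.packages[0], f.package)
    return on_path_in_order(e.packages, f.path)   # vulnerability + dependency-path constraint

def filter_findings(findings: List[Finding], exclusions: List[Exclusion]) -> List[Finding]:
    return [f for f in findings if not any(is_excluded(f, e) for e in exclusions)]

# Constructed sample: the README's A/B/Z scenario with placeholder vulnerability ids.
Z, A, B, Y = "com.example:z:1.0", "com.example:a:2.3", "com.example:b:0.9", "com.example:y:4.0"
FINDINGS = [Finding("VULN-PLACEHOLDER-1", (Z, A)), Finding("VULN-PLACEHOLDER-1", (Y, A)),
            Finding("VULN-PLACEHOLDER-1", (Z, B)), Finding("VULN-PLACEHOLDER-2", (Z, A))]
```

With the exclusion (VULN-PLACEHOLDER-1, Z, A) only the A-under-Z finding disappears; the same vulnerability in B, in A under another parent, and a different vulnerability in A are all still reported.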
Cache
In order to reduce round trips to OSS Index (as there is rate limiting), a
local cache file is used. By default it is in the
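How the local cache and the credentialed rate limit described in the Credentials and Cache sections interact, as an added simulation (not the plugin's code): a token bucket of 64 requests replenishing one per minute, batches of up to 128 coordinates, and a cache whose entries are not re-sent for 12 hours. The coordinate strings and the rate_limit_as_error switch that models the rateLimitAsError option are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Limits as stated in the README for a credentialed account; time is in minutes.
REQUESTS_PER_HOUR = 64
PACKAGES_PER_REQUEST = 128
CACHE_TTL_MINUTES = 12 * 60

@dataclass
class RateBucket:
    """Server-side view: 64 requests that replenish one per minute (constructed model)."""
    tokens: float = REQUESTS_PER_HOUR
    last_minute: float = 0.0
    def take(self, now: float) -> bool:
        self.tokens = min(REQUESTS_PER_HOUR, self.tokens + (now - self.last_minute))
        self.last_minute = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

@dataclass
class LocalCache:
    """Client-side cache: a coordinate is not re-sent until 12 hours after it was stored."""
    stored_at: Dict[str, float] = field(default_factory=dict)
    def uncached(self, coords: Sequence[str], now: float) -> List[str]:
        return [c for c in coords
                if c not in self.stored_at or now - self.stored_at[c] >= CACHE_TTL_MINUTES]
    def store(self, coords: Sequence[str], now: float) -> None:
        for c in coords:
            self.stored_at[c] = now

def run_audit(coords: Sequence[str], cache: LocalCache, bucket: RateBucket, now: float,
              rate_limit_as_error: bool = True) -> Tuple[int, bool]:
    """Send uncached coordinates in batches of 128; return (requests_made, was_rate_limited).
    True: fail on the first rejected request. False: skip the rest and complete the run."""
    requests = 0
    todo = cache.uncached(coords, now)
    for start in range(0, len(todo), PACKAGES_PER_REQUEST):
        batch = todo[start:start + PACKAGES_PER_REQUEST]
        if not bucket.take(now):
            if rate_limit_as_error:
                raise RuntimeError("OSS Index rate limit exceeded")
            return requests, True
        cache.store(batch, now)       # only answered batches enter the cache
        requests += 1
    return requests, False

# Constructed sample: 10,000 coordinates, i.e. 79 batches, more than one hour's budget.
SAMPLE = [f"pkg:maven/example/lib{i}@1.0" for i in range(10000)]
```

Run once an hour against the same dependency set, the first run is limited after 64 requests, the second only has to send the 1,808 coordinates the cache does not yet hold, and a third run in the same hour sends nothing.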