fix: disable central analyzer and resolve pom.xml via gradle#470
jeremylong merged 8 commits into main from
Conversation
This PR was tested manually.
@chadlwilson any concerns with this PR?
Pull Request Overview
This PR addresses the issue of false negatives in dependency scanning by disabling the central analyzer and implementing a custom POM resolution mechanism. The changes enable retrieval of Maven POM files directly from the Gradle cache, which provides better accuracy in dependency analysis without relying on the central analyzer.
Key changes:
- Disables the central analyzer by default in configuration
- Adds POM resolution functionality using Gradle's artifact resolution query API
- Integrates POM analysis into both legacy and modern dependency processing flows
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/main/resources/task.properties | Enables the central analyzer disable flag and removes explanatory comments |
| src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy | Implements POM resolution logic with caching and integrates it into dependency processing |
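To make the mechanism in the review summary concrete, here is an added example of resolving a dependency's POM from Gradle's own artifact cache with the artifact resolution query API. This is illustrative code written for this page, not the plugin's `AbstractAnalyze.groovy`; the function name `resolvePoms`, the `pomCache` map and the logging of unresolved components are assumptions, not the PR's implementation.

```groovy
// Added example, not the dependency-check-gradle plugin's own code.
// Resolves the Maven POM of every external module in a configuration
// directly from the Gradle cache (no call to Maven Central), caching the
// result per component id. `resolvePoms` and `pomCache` are assumed names.
import org.gradle.api.Project
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.component.ComponentIdentifier
import org.gradle.api.artifacts.component.ModuleComponentIdentifier
import org.gradle.api.artifacts.result.ResolvedArtifactResult
import org.gradle.api.artifacts.result.UnresolvedArtifactResult
import org.gradle.maven.MavenModule
import org.gradle.maven.MavenPomArtifact

// Keyed by the component's display name (group:name:version) so a module
// shared by several configurations is resolved only once.
final Map<String, File> pomCache = [:]

Map<String, File> resolvePoms(Project project, Configuration configuration) {
    // Only external modules have a POM; project dependencies are skipped.
    Set<ComponentIdentifier> ids = configuration.incoming.artifacts.artifacts
        .collect { it.id.componentIdentifier }
        .findAll { it instanceof ModuleComponentIdentifier } as Set

    def result = project.dependencies.createArtifactResolutionQuery()
        .forComponents(ids)
        .withArtifacts(MavenModule, MavenPomArtifact)
        .execute()

    result.resolvedComponents.each { component ->
        String key = component.id.displayName
        if (pomCache.containsKey(key)) {
            return
        }
        component.getArtifacts(MavenPomArtifact).each { artifact ->
            if (artifact instanceof ResolvedArtifactResult) {
                pomCache[key] = artifact.file
            } else if (artifact instanceof UnresolvedArtifactResult) {
                // No POM is available from any declared repository (for example a
                // jar from a flatDir repository). Surface the miss instead of silently
                // analysing the jar without its Maven coordinates.
                project.logger.warn("No POM resolved for ${key}: ${artifact.failure.message}")
            }
        }
    }
    pomCache
}
```

The POM is what supplies group, artifact and version evidence (and parent POM links) for identifying a dependency; reading it from the local cache keeps that evidence available when the central analyzer is disabled, so the scan does not depend on a network round trip to Maven Central. Components that come back as `UnresolvedArtifactResult` are the ones worth checking by hand, because they will be analysed from the jar contents alone.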
Co-authored-by: Copilot <[email protected]>
I don't disagree with the defaults here, however we may want to add a note to the changelog - something like
WDYT? In my specific case we use the Gradle plugin as an entry-point to run ODC, however as a multi-language JRuby project I do want it to look at jars inside Ruby gems, for example.
release notes updated. I'll also add this to the documentation site somehow... |
resolves #468