Support gradle's verification-metadata.xml? #915
Comments
|
Thanks for the request! we simply have not added support for this yet. @G-Rath is this something we can put on your plate? |
|
@faern would it be possible for you to provide a couple of examples of this file, for building test fixtures? All good if not, it'd just save me some searching if you can🙂 |
|
Here is our own lockfile, I can start by linking that. I'll see if I can find more examples later: https://github.com/mullvad/mullvadvpn-app/blob/main/android/gradle/verification-metadata.xml |
|
This would be a great addition to the tool! Here's another one used by the official F-Droid Android Client app that also includes signature checks. Also adding a link to the script they use to generate the file: And here's another used by AndroidX (Google) as well as their documentation about using it to verify their artifacts: |
|
Thanks all for the samples! I'll start digging and post back here if I have any questions :) |
This adds support for parsing `gradle/verification-metadata.xml` files - since this seems to be like an actual lockfile it's very straightforward: we just parse the file as XML and extract out the name + version of "component". The interesting part of this is that unlike other project-relative lockfiles this file currently must exist in the `gradle` directory which raises questions about how `--recursive` comes into play previously we'd not enabled APK and DPKG checking by default but I feel that was more because they were absolute paths and so didn't make sense to do when people were scanning in "project mode". For now I've just taken the simple route of making the file `gradle/verification-metadata.xml` since that does just work (except for the "find parser" flow which checks against `path.Base` so that has the `gradle` omitted). Resolves #915
Hi. It looks like
osv-scanneronly checks forgradle.lockfileand friends, notverification-metadata.xml(Gradle dependency verification), which is the only "lockfile"-like thing we have for gradle.We currently use another tool for scanning our gradle dependency tree against NVD, and that tool works with the files we have. We would like to migrate to
osv-scannerif possible. Is there any reasonosv-scannerdoes not parse this file, or is it simply because it has not been added yet?We currently use the following tool to scan our gradle dependency tree against NVD: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
Current results:
The text was updated successfully, but these errors were encountered: