Describe the bug
Running the :dependencyCheckAnalyze gradle task gives different results depending on which version of the android gradle plugin is used. This is despite the fact that the dependencies that generate the CVE errors have not changed.
Version of dependency-check used
Using org.owasp:dependency-check-gradle:9.2.0
Also seen this behaviour on 9.0.9
configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    // Skip the lintClassPath configuration, which relies on many dependencies that have been flagged
    // to have CVEs, as it's related to the lint tooling rather than the project's compilation class
    // path. The alternative would be to suppress specific CVEs, however that could potentially
    // result in suppressed CVEs in project compilation class path.
    skipConfigurations = listOf("lintClassPath")
    suppressionFile = "$projectDir/../test-suppression.xml"
}
(This is copied from jeremylong/DependencyCheck#6740 where I by accident posted this issue first)
Log file
https://gist.github.com/Pururun/89199a37e9794bac5969193f2a5ed685
To Reproduce
Update to AGP 8.4 or 8.5
Expected behavior
Consistent behaviour regardless of AGP version.
Additional context
Here is our configuration in gradle:
global gradle
test gradle
Here is the suppress file for the app:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/config/dependency-check-suppression.xml
Suppression file for tests:
https://github.com/mullvad/mullvadvpn-app/blob/main/android/test/test-suppression.xml
I have also tried moving the plugin out of the project file and applying it to each module separately; this did not help.