Details
- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Implemented
- Affects Version/s: Trunk
Description
Since Gradle 2.1 it is recommended to use the plugins {} block for binary plugins instead of the “traditional” apply() method. See here for more details.
Attachments
- OWASP-failure.patch (0.7 kB, Mathieu Lirzin)
- OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch (3 kB, Mathieu Lirzin)
Issue Links
- is related to: OFBIZ-13121 Keep the Gradle Owasp dependencycheck task (Closed)
- requires: OFBIZ-10693 ‘./gradlew generateOfbizDocumentation’ fails with Gradle 5.0 (Closed)
Activity
Hi Mathieu,
Brilliant!
I suggest changing

    if (project.hasProperty('enableOwasp')) {
        plugins {
            id 'org.owasp.dependencycheck' version '3.0.2'
        }
    }

to

    plugins {
        ...
        id "org.owasp.dependencycheck" version "3.0.2" apply false
    }
    if (project.hasProperty('enableOwasp')) {
        apply plugin: 'org.owasp.dependencycheck'
    }
What do you think?
Kind Regards,
Hello shi.jinghai,
According to the Gradle doc, the change you are proposing is about separating the resolution and the application of the org.owasp.dependencycheck plugin, which is useful in multi-project builds where you want to apply a plugin only to a subset of subprojects. I guess (without testing) that plugin resolution means that the plugin is downloaded, which in our case would be better to avoid as long as the enableOwasp property is not provided. As a consequence, if this guess is correct I would prefer to keep the plugins block inside the if; otherwise I will be fine with the version you are proposing. Please correct me if I am making a wrong guess or missing some other obvious advantage of the second form.
Thanks
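As an added example that is not part of the original patch or of any comment in this thread: a build.gradle fragment in the form shi.jinghai proposed. The plugins {} block sits at the top level of the script, because Gradle evaluates it before the rest of the script and rejects it inside an if (that is the "Could not find method plugins()" failure reported later in this thread), while `apply false` only resolves the plugin and leaves the application to an ordinary property check. The dependencyCheck {} settings are assumptions for illustration, not values taken from OFBiz's build.

```groovy
// Added example (not OFBiz's build.gradle). Gradle 5.x, Groovy DSL.
// The plugins {} block is only valid at the top level of the build script:
// Gradle resolves the plugins listed here before evaluating the rest of the
// script, so it cannot be wrapped in an if. 'apply false' resolves (i.e.
// downloads) the plugin without applying it to this project.
plugins {
    id 'org.owasp.dependencycheck' version '3.0.2' apply false
}

// Application, unlike resolution, is ordinary script code and can be
// conditional. Run with: ./gradlew -PenableOwasp dependencyCheckAnalyze
if (project.hasProperty('enableOwasp')) {
    apply plugin: 'org.owasp.dependencycheck'

    // Assumed settings for illustration: the property names are those of the
    // dependency-check-gradle extension, the values are not OFBiz's.
    dependencyCheck {
        // Fail the build only for findings at or above this CVSS score, so
        // the report concentrates on the higher-severity dependencies.
        failBuildOnCVSS = 7
        // Suppression file for findings already reviewed and judged not
        // applicable (e.g. a CVE fixed locally, or a wrongly matched CPE).
        suppressionFile = 'config/dependency-check-suppressions.xml'
    }
}
```

The trade-off Mathieu raises still holds with this form: the plugin is downloaded at configuration time on every build, even when enableOwasp is not set; only the task wiring is deferred. The suppression file is the usual way to keep false positives such as an already-fixed CVE out of the report without lowering the CVSS threshold for everything else.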
Hi Mathieu,
You are absolutely right.
The only pro I suggested is that I can see all plugins in the plugins block, which makes it easy for me to check whether any plugin should be upgraded.
Kind Regards,
Sorry Guys,
I reopen; this is what I get on Win7:

    C:\projectsASF\ofbiz>gradlew -PenableOwasp dependencyCheckAnalyze

    FAILURE: Build failed with an exception.

    * Where:
    Build file 'C:\projectsASF\ofbiz\build.gradle' line: 44

    * What went wrong:
    A problem occurred evaluating root project 'ofbiz'.
    > Could not find method plugins() for arguments [build_6doovu22fvyxt2xqr7mryg9wi$_run_closure1@327119ce] on root project 'ofbiz' of type org.gradle.api.Project.

    * Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

    * Get more help at https://help.gradle.org

    BUILD FAILED in 0s

    C:\projectsASF\ofbiz>
Actually let's think about it. I added the OWASP Dependency Check feature before we switched to Gradle. It was then really useful, but it's now disputable as explained at https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
Since OFBiz uses Gradle, all dependent libraries (i.e. also the dependencies of the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities. I decided to only check the higher ones; currently (2017-09-29) we have only already known ones:
So one option would be to completely remove this feature. What do you think, should we not discuss that on the dev ML?
BTW I just had a look and the report (in build\reports) is barely usable, for instance reports about
- apache:xml-rpc:3.1.3 was fixed in OFBiz (it's CVE-2011-3600 which is unclear because Archiva and the ASF at large did not report text to the CVE, cf CVE-2016-5002)
- groovy-2.4.15.jar not a problem we use groovy-2.4.16.jar
- tomcat-catalina-9.0.13.jar, makes no sense, no problem there.
I did not dig further, but I believe that, unfortunately, unlike before this report is useless and time-wasting.
Hello jacques.le.roux,
I tried the version proposed by shi.jinghai, which fixes the Gradle DSL bug I introduced. However, I now get the following error when running ./gradlew -PenableOwasp dependencyCheckAnalyze:

    > Task :dependencyCheckAnalyze
    Verifying dependencies for project ofbiz
    Checking for updates and analyzing vulnerabilities for dependencies
    IO Exception: Connection reset
    IO Exception: Connection reset
    IO Exception: Connection reset
    IO Exception: Connection reset
    IO Exception: Connection reset

    > Task :dependencyCheckAnalyze FAILED
    Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
    Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
    No documents exist
    Unable to continue dependency-check analysis.
    IO Exception: Connection reset

    FAILURE: Build failed with an exception.

    * What went wrong:
    Execution failed for task ':dependencyCheckAnalyze'.
    > Analysis failed.

    * Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

    * Get more help at https://help.gradle.org

    BUILD FAILED in 8s
    1 actionable task: 1 executed
Do you get the same results?
Actually let's think about it. I added the OWASP Dependency Check feature before we switched to Gradle. It was then really useful, but it's now disputable as explained at https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
This link does not work for me.
So one option would be to completely remove this feature. What do you think, should we not discuss that on the dev ML?
I did not get the point: why do you want to disable the feature?
Hello mbrohl,
The actual link is https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check without the final ':'.
Here you are: OWASP-failure.patch
I observe the same behavior when checking out revision 1854593, which corresponds to the commit before OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch was applied.
In fact the error message I get is not stable; here is what I am getting currently when running ./gradlew -PenableOwasp dependencyCheckAnalyze:

    > Task :dependencyCheckAnalyze
    Verifying dependencies for project ofbiz
    Checking for updates and analyzing vulnerabilities for dependencies
    Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
    No documents exist
    Unable to continue dependency-check analysis.

    > Task :dependencyCheckAnalyze FAILED
It works here with OWASP-failure.patch applied:

    C:\projectsASF\ofbiz>gradlew -PenableOwasp dependencyCheckAnalyze

    > Task :dependencyCheckAnalyze
    Verifying dependencies for project ofbiz
    Checking for updates and analyzing vulnerabilities for dependencies
    A new version of dependency-check is available. Consider updating to version 5.0.0.m1.
    Unable to download pom.xml for org.eclipse.datatools.enablement.postgresql-1.1.1.v201205252207.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.apache.batik.transcoder-1.6.0.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.apache.batik.xml-1.6.0.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.apache.xerces-2.9.0.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.eclipse.datatools.modelbase.sql.query-1.1.4.v201212120619.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for Tidy-1.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.w3c.css.sac-1.3.0.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.eclipse.datatools.connectivity.console.profile-1.0.10.v201109250955.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for org.apache.commons.codec-1.3.0.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for aspectjrt-1.5.3.jar from Central; this could result in undetected CPE/CVEs.
    Unable to download pom.xml for antlr-2.7.6.jar from Central; this could result in undetected CPE/CVEs.

    > Task :dependencyCheckAnalyze
    Generating report for project ofbiz
    Found 498 vulnerabilities in project ofbiz

    One or more dependencies were identified with known vulnerabilities:

    asciidoctorj-1.5.7.jar (cpe:/a:jruby:jruby:1.5.7, org.asciidoctor:asciidoctorj:1.5.7) : CVE-2011-4838, CVE-2012-5370
    [...]
I'll wait for the decision on the dev ML before committing OWASP-failure.patch.
I have included OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch to use the plugins {} block.