Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels: None

    Description

      Since Gradle 2.1 it is recommended to use the plugins {} block for
      binary plugins instead of the “traditional” apply() method. See here for more details.

      Attachments

        1. OWASP-failure.patch (0.7 kB, Mathieu Lirzin)
        2. OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch (3 kB, Mathieu Lirzin)

          Activity

            mthl Mathieu Lirzin (Inactive) added a comment -

            I have included OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch to use the plugins {} block.

            mthl Mathieu Lirzin (Inactive) added a comment -

            Applied in revision r1854595
            shi.jinghai Shi Jinghai added a comment -

            Hi Mathieu,

            Brilliant!

            I suggest changing

            if (project.hasProperty('enableOwasp')) {
                plugins {
                    id 'org.owasp.dependencycheck' version '3.0.2'
                }
            }

            to 

            plugins {
            ...
                id "org.owasp.dependencycheck" version "3.0.2" apply false
            }
            
            if (project.hasProperty('enableOwasp')) {
                apply plugin: 'org.owasp.dependencycheck'
            }

            What do you think?

            Kind Regards,


            mthl Mathieu Lirzin (Inactive) added a comment -

            Hello shi.jinghai,

            According to the Gradle doc, the change you are proposing is about separating the resolution and the application of org.owasp.dependencycheck, which is useful in multi-project builds where you want to apply a plugin only to a subset of subprojects. I guess (without testing) that plugin resolution means that the plugin is downloaded, which in our case would be better to avoid as long as the enableOwasp property is not provided. As a consequence, if this guess is correct I would prefer to keep the plugins block inside the if; otherwise I will be fine with the version you are proposing. Please correct me if I am making a wrong guess or missing some other obvious advantage of the second form.

            Thanks
            shi.jinghai Shi Jinghai added a comment -

            Hi Mathieu,

            You are absolutely right.

            The only pro I suggested is that I can see all plugins in plugins, which makes it easy to check whether any plugin should be upgraded.

            Kind Regards,


            jleroux Jacques Le Roux added a comment -

            Sorry Guys,

            I reopened, this is what I get on Win7

            C:\projectsASF\ofbiz>gradlew -PenableOwasp dependencyCheckAnalyze
            
            FAILURE: Build failed with an exception.
            
            * Where:
            Build file 'C:\projectsASF\ofbiz\build.gradle' line: 44
            
            * What went wrong:
            A problem occurred evaluating root project 'ofbiz'.
            > Could not find method plugins() for arguments [build_6doovu22fvyxt2xqr7mryg9wi$_run_closure1@327119ce] on root project 'ofbiz' of type org.gradle.api.Project.
            
            * Try:
            Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
            
            * Get more help at https://help.gradle.org
            
            BUILD FAILED in 0s
            
            C:\projectsASF\ofbiz>
            
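For reference, an added build.gradle fragment (not OFBiz's own build file) that puts the nested form which produces the "Could not find method plugins()" error above beside the form shi.jinghai proposed; the CVSS threshold and the suppression-file path in the dependencyCheck block are assumptions for illustration, not settings from this issue.

```groovy
// Added example, not OFBiz's build.gradle.
//
// BROKEN: plugins {} is a script-level block that Gradle evaluates before the
// rest of the script. Nested inside an ordinary statement it is no longer the
// DSL block but a plain method call on the Project, which does not exist,
// hence "Could not find method plugins() for arguments [...]":
//
//   if (project.hasProperty('enableOwasp')) {
//       plugins {
//           id 'org.owasp.dependencycheck' version '3.0.2'
//       }
//   }

// WORKING: declare the plugin at the top level with `apply false`, then apply it
// only when the property is set. Caveat (the point Mathieu raises): `apply false`
// skips application only; Gradle still resolves, i.e. downloads, the plugin for
// the build script classpath on every build, whether or not -PenableOwasp is given.
plugins {
    // ... the build's other plugins go here ...
    id 'org.owasp.dependencycheck' version '3.0.2' apply false
}

if (project.hasProperty('enableOwasp')) {
    apply plugin: 'org.owasp.dependencycheck'

    // Assumed tuning, not from the issue: fail the build only on findings whose
    // CVSS score is at or above the threshold, and keep already-reviewed false
    // positives (the kind Jacques lists later in this thread) out of the report
    // through a suppression file instead of ignoring the whole report.
    dependencyCheck {
        failBuildOnCVSS = 7                                          // assumed threshold
        suppressionFile = 'config/dependency-check-suppressions.xml' // hypothetical path
    }
}
```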
            jleroux Jacques Le Roux added a comment - - edited

            Actually let's think about it. I added the OWASP Dependency Check feature before we switched to Gradle. It was then really useful, but it's no disputable as explained at https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check

            Since OFBiz uses Gradle, all dependent libraries (i.e. also dependencies from the libraries OFBiz uses, and recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities. I decided to only check the higher ones; currently (2017-09-29) we have only already known ones:

            So one option would be to completely remove this feature, what do you think, should we not discuss that on dev ML?


            jleroux Jacques Le Roux added a comment -

            BTW I just had a look and the report (in build\reports) is barely usable, for instance reports about

            • apache:xml-rpc:3.1.3 was fixed in OFBiz (it's CVE-2011-3600 which is unclear because Archiva and the ASF at large did not report text to the CVE, cf CVE-2016-5002)
            • groovy-2.4.15.jar not a problem we use groovy-2.4.16.jar
            • tomcat-catalina-9.0.13.jar, makes no sense, no problem there.

            I did not dig further, but I believe unfortunately unlike before this report is useless and time wasting.


            jleroux Jacques Le Roux added a comment -

            I start a convo on dev ML...

            mthl Mathieu Lirzin (Inactive) added a comment -

            Hello jacques.le.roux,

            I tried the version proposed by shi.jinghai which fixes the Gradle DSL bug I introduced. However I now get the following error when running ./gradlew -PenableOwasp dependencyCheckAnalyze:

            > Task :dependencyCheckAnalyze
            Verifying dependencies for project ofbiz
            Checking for updates and analyzing vulnerabilities for dependencies
            
            IO Exception: Connection reset
            IO Exception: Connection reset
            IO Exception: Connection reset
            IO Exception: Connection reset
            IO Exception: Connection reset
            
            > Task :dependencyCheckAnalyze FAILED
            Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
            Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
            No documents exist
            
            Unable to continue dependency-check analysis.
            IO Exception: Connection reset
            
            FAILURE: Build failed with an exception.
            
            * What went wrong:
            Execution failed for task ':dependencyCheckAnalyze'.
            > Analysis failed.
            
            * Try:
            Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
            
            * Get more help at https://help.gradle.org
            
            BUILD FAILED in 8s
            1 actionable task: 1 executed
            

            Do you get the same results?
            mbrohl Michael Brohl added a comment - - edited

            Actually let's think about it. I added the OWASP Dependency Check feature before we switched to Gradle. It was then really useful, but it's no disputable as explained at https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:

            This link does not work for me.

            So one option would be to completely remove this feature, what do you think, should we not discuss that on dev ML?

            I did not get the point why you want to disable the feature?

            mthl Mathieu Lirzin (Inactive) added a comment -

            Hello mbrohl, the actual link is https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check without the final ':'

            jleroux Jacques Le Roux added a comment -

            Yes, Jira is stupidly adding the ":" in the URL, removed
            jleroux Jacques Le Roux added a comment - - edited

            Michael,

            I started a convo on dev ML, better discuss there...


            jleroux Jacques Le Roux added a comment -

            Mathieu,

            Please provide a patch...
            mthl Mathieu Lirzin (Inactive) added a comment - - edited

            Here you are OWASP-failure.patch
            I observe the same behavior when checking out revision 1854593 which corresponds to the commit before OFBIZ-10700_Improved-Use-the-Gradle-Plugin-DSL.patch has been applied.

            In fact the error message I get is not stable, here is what I am getting currently when running ./gradlew -PenableOwasp dependencyCheckAnalyze:

            > Task :dependencyCheckAnalyze
            Verifying dependencies for project ofbiz
            Checking for updates and analyzing vulnerabilities for dependencies
            Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
            No documents exist
            
            Unable to continue dependency-check analysis.
            
            > Task :dependencyCheckAnalyze FAILED
            

            jleroux Jacques Le Roux added a comment -

            It works here with OWASP-failure.patch applied

            C:\projectsASF\ofbiz>gradlew -PenableOwasp dependencyCheckAnalyze
            
            > Task :dependencyCheckAnalyze
            Verifying dependencies for project ofbiz
            Checking for updates and analyzing vulnerabilities for dependencies
            A new version of dependency-check is available. Consider updating to version 5.0.0.m1.
            
            Unable to download pom.xml for org.eclipse.datatools.enablement.postgresql-1.1.1.v201205252207.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.apache.batik.transcoder-1.6.0.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.apache.batik.xml-1.6.0.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.apache.xerces-2.9.0.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.eclipse.datatools.modelbase.sql.query-1.1.4.v201212120619.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for Tidy-1.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.w3c.css.sac-1.3.0.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.eclipse.datatools.connectivity.console.profile-1.0.10.v201109250955.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for org.apache.commons.codec-1.3.0.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for aspectjrt-1.5.3.jar from Central; this could result in undetected CPE/CVEs.
            Unable to download pom.xml for antlr-2.7.6.jar from Central; this could result in undetected CPE/CVEs.
            
            > Task :dependencyCheckAnalyze
            Generating report for project ofbiz
            Found 498 vulnerabilities in project ofbiz
            
            
            One or more dependencies were identified with known vulnerabilities:
            
            asciidoctorj-1.5.7.jar (cpe:/a:jruby:jruby:1.5.7, org.asciidoctor:asciidoctorj:1.5.7) : CVE-2011-4838, CVE-2012-5370
            [...]
            

            jleroux Jacques Le Roux added a comment -

            I'll wait for the decision on the dev ML before committing OWASP-failure.patch.

            jleroux Jacques Le Roux added a comment -

            Issue fixed at revision 1854818.

            People

              Assignee: mthl Mathieu Lirzin (Inactive)
              Reporter: mthl Mathieu Lirzin (Inactive)
              Votes: 0
              Watchers: 4
