
Vulnerabilities scanning with Sonatype Scan Gradle Plugin

Sergio del Amo edited this page Jan 15, 2025 · 3 revisions

Micronaut builds integrate the Sonatype Scan Gradle Plugin.

To use it, register for a free Sonatype OSS Index account.

If you don't have the file $HOME/.gradle/gradle.properties, create it.

Add the following key/value pairs:

ossIndexUsername=you@example.com
ossIndexPassword=supersecretpassword

You can then run the Gradle task: ./gradlew ossIndexAudit --no-parallel --info

If any vulnerability is found, the output looks like this:

Gradle Scan version: 3.0.0
------------------------------------------------------------------------------------------------------------------------------------------------------

Checking vulnerabilities in 47 dependencies
Found vulnerabilities in 1 dependencies
[1/1] - pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70 - 5 vulnerabilities found!

   Vulnerability Title:  [CVE-2024-34447] CWE-297: Improper Validation of Certificate with Host Mismatch
   ID:  CVE-2024-34447
   Description:  bouncycastle - Improper Validation of Certificate with Host Mismatch  The software communicates with a host that provides a certificate, ...
   CVSS Score:  (7.7/10, High)

When a vulnerability is found, the report contains a link to the security information for the affected package. For example, for the package org.bouncycastle:bcprov-jdk15on:

https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bcprov-jdk15on

The plugin is configured in the *-module.gradle file placed in buildSrc. For example, in the MQTT module it is buildSrc/src/main/groovy/io.micronaut.build.internal.mqtt-module.gradle

You can exclude certain coordinates from the audit, for example when no patched version exists yet. Record the reason next to each exclusion so it can be revisited once a fix is released:

ossIndexAudit {
    username = ossIndexUsername
    password = ossIndexPassword
    excludeCoordinates = [
        "org.bouncycastle:bcprov-jdk15on:1.70" // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bcprov-jdk15on
    ]
}
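As an added example (not part of this wiki page or of the Sonatype plugin), the following Python script turns the package URL printed in the report into the group:artifact:version form that excludeCoordinates expects and into the OSS Index component link, and lists the findings that the current exclusion list does not cover. The report text is a constructed sample modelled on the output shown above.

```python
"""Map ossIndexAudit findings to Gradle exclusion coordinates and OSS Index links."""
import re
from urllib.parse import unquote

OSSINDEX_COMPONENT = "https://ossindex.sonatype.org/component/"

# Constructed sample modelled on the per-dependency summary lines the audit prints.
SAMPLE_REPORT = """\
Checking vulnerabilities in 47 dependencies
Found vulnerabilities in 1 dependencies
[1/1] - pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70 - 5 vulnerabilities found!
"""

# "[n/m] - <purl> - <k> vulnerabilities found!"
FINDING_RE = re.compile(r"^\[\d+/\d+\] - (pkg:maven/\S+) - (\d+) vulnerabilit(?:y|ies) found!$")
# Maven package URL: pkg:maven/<group>/<artifact>@<version>
PURL_RE = re.compile(r"^pkg:maven/([^/@?#]+)/([^/@?#]+)@([^?#]+)")


def purl_to_coordinates(purl):
    """Convert a Maven purl to the 'group:artifact:version' string used by excludeCoordinates."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a Maven package URL: {purl}")
    group, artifact, version = (unquote(part) for part in m.groups())
    return f"{group}:{artifact}:{version}"


def component_link(purl):
    """OSS Index page for the package; the report links the component without its version."""
    return OSSINDEX_COMPONENT + purl.split("@", 1)[0]


def parse_findings(report):
    """Return (coordinates, vulnerability_count, link) for each finding line in the report."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            purl, count = m.group(1), int(m.group(2))
            findings.append((purl_to_coordinates(purl), count, component_link(purl)))
    return findings


def unexcluded(report, exclude_coordinates):
    """Findings not covered by the exclusion list, i.e. the ones that still need action."""
    excluded = set(exclude_coordinates)
    return [f for f in parse_findings(report) if f[0] not in excluded]


if __name__ == "__main__":
    for coords, count, link in parse_findings(SAMPLE_REPORT):
        print(f"{coords}: {count} vulnerabilities -> {link}")
```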