https://gradle.com/ logo
Join Slack
Powered by
This message was deleted.
# community-support
s
This message was deleted.
m
What does the task do? Because if it's using a dependency declared in the file, it would rerun (e.g if you run the build with 
-t
, continuous mode). If it's not, then it means that the TOML file is an input of your task. Declare it as such and you should be good to go.
d
Runs a python script that generates a $projectroot/gradle/pom.xml for dependabot to consume 😭
😱 1
and the idea is that any dev that edits libs.versions.toml should automatically get a diff on the pom file that they remember to commit.
I could do it in a commit hook, but commit hooks are a bit nasty to deal with πŸ˜•
v
And why do you want to trick dependeabot that way? It would not help much, would it? At least the PRs would be pretty useless, as they would just change the pseudo POM.
Maybe it would be better if you use a proper tool like Gradle Versions plugin of Ben Manes and set up a GitHub action that runs it regularly to get notified of updated dependencies.
There is even an extension for it that can update the new found versions into the TOML
m
you can use Renovatebot which supports the TOML file
d
Because dependabot doesn't scan libs.versions.toml files, and I don't think I can post OWASP output to the github security page from the CI, and it's a pretty nice place to keep such info.
renovate only pushes to PRs, going to get noisy and ignored.
To be clear, getting pings on updates is nice, but it's the vulnerability integration that's valuable.
v
Ah, I see. πŸ˜•
d
m
if you're interested in security, then neither renovate nor dependabot do the job, because they don't care about resolved dependenceis
it gives a false impression of security IMHO
πŸ‘ 3
because they only care about what you declare. Doesn't mean that it's what is effectively used, or doesn't care about transitive dependencies
d
Unfortunately I don't work for the Due Dilligence company that requested it from me πŸ™‚
v
There is a dependency check Gradle plugin that works with the resolved dependencies and checks OWASP. But it is of course not integrated with the GitHub UI, unless you parse the result somehow and maybe use the GitHub API to upload it if possible.
m
d
Yeah, don't think that API are open as dependabot is explicitly integrated with GH, but I should have another look. Nice to save some build minutes by not having to run owasp though.
@melix yep that's what I want to replace here.
m
right, but it does the job better than dependabot
it's not a replacement πŸ˜‰
v
And it is the one I meant πŸ™‚
d
It does its job by dumping output in the CI, and at best I can put it in a PR comment, while you are correct, it doesn't fit the goal πŸ˜•
m
d
Yep, lots of alternatives. Just want to get the security page filled out so that I can do something useful.
v
The code scanning API lets you retrieve and update code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization or upload analysis results generated using offline code scanning tools.
πŸ‘€ 2
d
Much better than polluting gradle and the git repo. Was too locked into thinking it was due to GH's dependabot partnership.
I'll see what I end up with... pretty nice to have the dependency page populated as well.
v
I think you can even use the CodeQL GitHub Action to do the vulnerabilities scanning and integration into the UI.
But I don't know how that works, whether it uses the resolved libs or also just the declared ones
d
I guess it depends on how well it knows how to extract versions for a project that uses libs.versions.toml, but other than that it doesn't support Kotlin yet - which my code base is written in, https://github.com/github/codeql/issues/4699
v
Well, any project that does need explicit support for things like version catalogs or TOML files is doing it wrong. Because they do own parsing and thus suffer from the exact problem CΓ©dric mentioned, they check your declared versions, not your actually used versions.
βž• 1
m
which is still better than doing nothing, to be fair πŸ™‚
πŸ‘ 3
v
If a tool does it right and for example uses the tooling api to get the resolved dependencies to be checked, it automatically supports all existing and future ways to declare versions.
d
Agree. But it's a best effort thing. Would be nice with gradle lock files instead, but got burned by that last time I tried it out wrt how it interacted with IDEA.
Seem to recall that's somewhat related to gradle plugins not being pulled straight from maven central with proper signatures and so on? Anyways, different subject.
Ah nah... mixing it up with dependency verification. Lockfiles might have worked fine.
Anyways, thanks for your various suggestions, have a great afternoon.
πŸ‘ 1
πŸ‘Œ 1
3 Views
Open in Slack
PreviousNext
Powered by