Vulnerability scanning#15631
Conversation
| extension.username = System.getenv('SONATYPE_GUIDE_USERNAME') ?: '' | ||
| extension.password = System.getenv('SONATYPE_GUIDE_TOKEN') ?: '' | ||
| extension.excludeCoordinates = [ | ||
| 'org.hibernate:hibernate-core:5.6.11.Final', |
There was a problem hiding this comment.
@jamesfredley @matrei We'll have to manage exceptions here.
|
Looks like the find main task is failing with these changes for some reason. It's likely due to the plexus update. |
|
Root cause: Adding the Sonatype scan plugin to build-logic/plugins/build.gradle changed the build-logic's content hash, which invalidated the Gradle build cache for all subproject tasks. When findMainClass runs fresh (not from The fix is to switch MainClassFinder from groovyjarjarasm.asm (Groovy's bundled, potentially old ASM) to org.objectweb.asm (the explicit ASM library, version-managed by Spring Framework BOM at 9.7+, which supports Java 17+). |
|
Converting this to draft, the dependency bumps have caused gradle issues |
jdaugherty
force-pushed
the
vulnerabilityScanning
branch
from
089db36 to
d1e8460
Compare
✅ All tests passed ✅🏷️ Commit: d1e8460 Learn more about TestLens at testlens.app. |
|
Alright, the problem is that the ASM classes are shaded inside scan-gradle-plugin-3.1.5.jar itself. They're not a separate transitive dependency. Gradle exclusions only work on transitive dependencies, not on classes bundled inside a fat/shaded jar. So we can't exclude them with a standard exclude rule. The find main class is picking the shaded version, which is frustrating. |
|
I've opened sonatype-nexus-community/scan-gradle-plugin#206 |
|
sonatype-nexus-community/scan-gradle-plugin#207 is the fix for this. We can't adopt due to the classpath conflict. I'm hopeful Sonatype will accept the change. |
1 participant
Adds a vulnerability scanning workflow for grails-core