Comments (2)
bigdaz
commented on September 18, 2024
In the original implementation, we attempted to attribute each dependency to the source file where it was declared. This turned out to be impractical.
https://github.com/gradle/actions/blob/main/docs/dependency-submission-faq.md#why-arent-dependencies-be-linked-to-the-source-file-where-they-are-declared
We also tried creating a separate dependency graph for each subproject, but this was also problematic. Many dependencies are resolved in many different projects, and GitHub would treat each of these as a separate dependency usage. This would result in many duplicate security alerts being created. (Imagine a 100 project build where every project used dependency X: then 100 dependency alerts would be created).
We are working with GitHub to come up with a Dependency Graph model that is more suitable for Gradle. In the meantime, feel free to experiment with the Dependency Graph Plugin and see what can be generated.
from actions.
bigdaz
commented on September 18, 2024
I understand it's not ideal, but these docs demonstrate the current best practise for determining the underlying cause of a dependency alert: https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#resolving-a-dependency-vulnerability
from actions.
Related Issues (20)
- Present summary of Gradle build warnings in Job Summary and PR comment HOT 2
- dependabot creates pull requests for version 4 HOT 4
- Clarify cache cleanup documentation HOT 1
- Could not load from local cache: Timeout waiting to lock Build cache HOT 4
- nvm
- Short-lived access tokens are generated when Develocity injection is not enabled
- 🐞 Actions doesn't see gradle with version 8.10 HOT 4
- Using `gradle-version: 8.1` is ignored when Gradle 8.10 is on the PATH
- Gradle itself is not cached HOT 4
- Improve caching behaviour when using GitHub Merge Queue HOT 1
- Wrapper validation fails for repos with unmappable characters in file names HOT 6
- Document `develocity-token-expiry` configuration and default
- Detect DV access token expiry and present helpful message in Job Summary
- [setup-gradle action] Update PR Comment Instead of Posting New One for Each Commit HOT 2
- Add cache timing information to the `setup-gradle` build action
- Does the dependency-submission action support a monorepo configuration? HOT 1
- `develocity-token-expiry` parameter is ignored
- Add openssf scorecard
- Exclude detached configurations from dependency graph HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from actions.