New Sonatype Scan Gradle Plugin

Sonatype has an ongoing commitment to the Open Source community to keep software developers aware of the components in their applications (Bill of Materials/BOM) and any known vulnerabilities they may contain. We are constantly developing and releasing tools to help keep your applications safe. The newest free plugin in the Sonatype toolbox is a Gradle plugin to scan, evaluate, and audit Gradle project dependencies. It is available here.

This plugin supports Java, Kotlin, Scala, and Groovy applications using both single and multiple Gradle modules. (Yes, this includes Android!) These are scanned using Sonatype services to audit and evaluate the open source dependencies. There are two data pools we pull from to monitor vulnerability data:

  • OSS Index: Our free service enables developers to check if any library has known or disclosed vulnerabilities. More info can be found here.

  • Nexus Lifecycle: Our paid platform, with advanced curated data, allows developers and companies to continuously monitor and protect the entire software supply chain.

How to Use the Gradle Plugin

Since the Scan Gradle Plugin is available on both Maven Central and the Gradle Plugin Portal, it can be imported and applied in a build.gradle script like this:

Or if your Gradle project is using the legacy syntax:

Using OSS Index

OSS Index can be used without any extra configuration, but to avoid hitting the rate limit for anonymous queries, every user is encouraged to create a free account and configure those credentials in the plugin. For credentials and cache configuration, please refer to the plugin documentation.

To run the plugin, just execute the following command (using Gradle directly or the wrapper if available):

gradle ossIndexAudit --info
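Putting the steps above together, the following build.gradle is an added example (not code from the original post or from the plugin's own documentation) that applies the plugin and reads the OSS Index credentials from environment variables so they never land in version control. The plugin id, the `ossIndexAudit` configuration block and its property names are assumptions to verify against the plugin documentation for your version, and `x.y.z` stands for a released plugin version.

```groovy
// build.gradle (Groovy DSL) for a single-module Java project.
// Assumed: the plugin id below and the ossIndexAudit { } properties; check the plugin docs.
plugins {
    id 'java'
    // Plugin id as published on the Gradle Plugin Portal (assumed); replace x.y.z with a real release
    id 'org.sonatype.gradle.plugins.scan' version 'x.y.z'
}

repositories {
    mavenCentral()
}

dependencies {
    // Any real dependency works; this one is only here to give the audit something to look up
    implementation 'org.apache.commons:commons-lang3:3.12.0'
}

// Configuration for the ossIndexAudit task the post runs with `gradle ossIndexAudit --info`.
// Credentials are taken from the environment (set by the developer or the CI secret store),
// which keeps them out of the build script and the repository history.
ossIndexAudit {
    username = System.getenv('OSSINDEX_USERNAME')   // the e-mail used for the free OSS Index account
    password = System.getenv('OSSINDEX_TOKEN')      // the API token OSS Index issues, used as the password
    allConfigurations = true                        // audit every configuration, not just the runtime classpath
    useCache = true                                 // cache responses locally to stay under the request limit
}

// Run locally or in CI, e.g.:
//   OSSINDEX_USERNAME=you@example.com OSSINDEX_TOKEN=<token> ./gradlew ossIndexAudit --info
```

Keep the two environment variables in your CI system's secret storage and expose them only to the audit job, so a leaked build log or forked pull request does not reveal the token.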

The output will be a list of all open source components found as dependencies for the project and, if found, a list (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Guillermo Varela. Read the original post at: https://blog.sonatype.com/new-sonatype-scan-gradle-plugin