diff --git a/Dockerfile b/Dockerfile
index a43a4774..dbf928d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,16 +31,16 @@ WORKDIR /root
 RUN wget https://download.java.net/java/GA/jdk11/9/GPL/openjdk-11.0.2_linux-x64_bin.tar.gz -P /tmp
 RUN tar xvf /tmp/openjdk-11.0.2_linux-x64_bin.tar.gz -C /
 
-### Gradle 7
-RUN wget https://services.gradle.org/distributions/gradle-7.5.1-bin.zip -P /tmp
-RUN unzip -d /opt/gradle /tmp/gradle-*.zip
+# ### Gradle 7
+# RUN wget https://services.gradle.org/distributions/gradle-7.5.1-bin.zip -P /tmp
+# RUN unzip -d /opt/gradle /tmp/gradle-*.zip
 
-### Gradle 6
-RUN wget https://services.gradle.org/distributions/gradle-6.9.2-bin.zip -P /tmp2
-RUN unzip -d /opt/gradle /tmp2/gradle-*.zip
+# ### Gradle 6
+# RUN wget https://services.gradle.org/distributions/gradle-6.9.2-bin.zip -P /tmp2
+# RUN unzip -d /opt/gradle /tmp2/gradle-*.zip
 
-ENV GRADLE_HOME="/opt/gradle/gradle-7.5.1"
-ENV PATH="${GRADLE_HOME}/bin:${PATH}"
+# ENV GRADLE_HOME="/opt/gradle/gradle-7.5.1"
+# ENV PATH="${GRADLE_HOME}/bin:${PATH}"
 
 ### Rust
 ENV RUST_VERSION 1.58.1
@@ -199,10 +199,10 @@ COPY --from=builder /usr/local/go /usr/local/go
 COPY --from=builder /usr/bin/rg /usr/bin/rg
 COPY --from=builder /jdk-11.0.2 /jdk-11.0.2
 ENV JAVA_HOME /jdk-11.0.2
-COPY --from=builder /opt/gradle/gradle-7.5.1 /opt/gradle/gradle-7.5.1
-ENV PATH="/opt/gradle/gradle-7.5.1/bin:${PATH}"
+# COPY --from=builder /opt/gradle/gradle-7.5.1 /opt/gradle/gradle-7.5.1
+# ENV PATH="/opt/gradle/gradle-7.5.1/bin:${PATH}"
 
-COPY --from=builder /opt/gradle/gradle-6.9.2 /opt/gradle/gradle-6.9.2
+# COPY --from=builder /opt/gradle/gradle-6.9.2 /opt/gradle/gradle-6.9.2
 
 RUN ln -sf /usr/local/go/bin/go /usr/local/bin
 RUN python -m easy_install pip==${PIP_VERSION} \
diff --git a/docs/scanners/gradle_osv.md b/docs/scanners/gradle_osv.md
index 0ba882d2..eeef9a28 100644
--- a/docs/scanners/gradle_osv.md
+++ b/docs/scanners/gradle_osv.md
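Review bot: The Gradle install steps are left in the image as commented-out lines (`# ### Gradle 7`, `# RUN wget …`, `# ENV GRADLE_HOME=…`) instead of being deleted; git history already records them, and the matching `# COPY --from=builder /opt/gradle/…` stubs in the second hunk will silently drift from these if anyone ever revives them, so delete both sets outright. Since the image no longer invokes `gradle` or `./gradlew`, check whether the JDK that is still fetched and untarred in this same hunk (`openjdk-11.0.2`) is needed by any other scanner; if not, dropping it too shrinks the scanner image's attack surface. While touching this block, note that the JDK tarball is still pulled with a bare `wget` and no checksum verification — not introduced by this change, but a `sha256sum -c` line before the `tar xvf` would pin what ends up on the image.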
@@ -1,6 +1,8 @@
 # Gradle OSV Scanner
 
-Finds vulnerable dependencies in a Gradle project. By default, GradleOSV Scanner pulls advisory information from [OSV - Database for open source vulnerabilities](https://osv.dev/) to compare against the dependencies found by running `gradle dependencies`.
+Finds vulnerable dependencies in a Gradle project. By default, GradleOSV Scanner pulls advisory information from [OSV - Database for open source vulnerabilities](https://osv.dev/) to compare against the dependencies found in `gradle.lockfile`.
+
+> NOTE: multi_project_build config option has been deprecated.
 
 ## Configuration
 
@@ -9,10 +11,45 @@ When a CVE is present in a dependency, the best course of action is to upgrade t
 ```yaml
 scanner_configs:
 GradleOSV:
- multi_project_build: true # If you run a multi project build setup, you can multi as true. Default is false
 exceptions:
 - advisory_id: CVE-2020-26945
 changed_by: security-team
 notes: Currently no patch exists and determined that this vulnerability is not exploitable.
 expiration: "2022-12-31"
 ```
+
+## How to generate lockfile
+
+To generate lockfile, use the following commands -
+- Single Project
+
+```
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
+```
+**Generate lockfile:** `gradle dependencies --write-locks`
+
+- Multi Project
+```
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+
+ task resolveAndLockAll {
+ doFirst {
+ assert gradle.startParameter.writeDependencyLocks
+ }
+ doLast {
+ configurations.findAll {
+ // Add any custom filtering on the configurations to be resolved
+ it.canBeResolved
+ }.each { it.resolve() }
+ }
+ }
+}
+```
+**Generate lockfile:** `gradle resolveAndLockAll --write-locks`
\ No newline at end of file
diff --git a/lib/salus/package_utils/gradle_dependency_parser.rb b/lib/salus/package_utils/gradle_dependency_parser.rb
index 79596372..22d49788 100644
--- a/lib/salus/package_utils/gradle_dependency_parser.rb
+++ b/lib/salus/package_utils/gradle_dependency_parser.rb
@@ -1,44 +1,13 @@
 module Gradle
- GRADLE7 = "/opt/gradle/gradle-7.5.1/bin/gradle".freeze
- GRADLE6 = "/opt/gradle/gradle-6.9.2/bin/gradle".freeze
- GET_GRADLE_PROJECTS = "./gradlew projects --info".freeze
-
- def is_multi_project
- projects = []
- command = "./gradlew "
- projects_shell_result = run_shell(GET_GRADLE_PROJECTS)
- projects_shell_result.stdout.each_line do |line|
- projects.append(line.split.last.strip.tr(":", "").tr("'", "")) if line.include? '--- Project '
- end
-
- projects.each do |proj|
- command += proj + ":dependencies "
- end
-
- run_shell(command)
- end
-
- def is_single_project
- shell_result = run_shell("#{GRADLE7} dependencies")
- shell_result = run_shell("#{GRADLE6} dependencies") if !shell_result.success?
- shell_result
- end
-
- def gradle_dependencies
- dependency_metadata_regex = /-\s(?.+):(?.+):(?.+)/
- result = if @config['multi_project_build']
- is_multi_project
- else
- is_single_project
- end
- # 'gradle dependencies' command needs to be run in the folder where buid.gradle is present.
- if !result.success?
- report_error("Gradle Version Not supported. Please Upgrade to gradle version 6 and above")
- return []
- end
+ def gradle_dependencies(path)
+ msg = "gradle.lockfile not found!"
+ raise StandardError, msg unless File.exist?(path)
+ dependency_metadata_regex = /(?.+):(?.+):(?.+)=/
+ lockfile_content = File.read(path)
 dependencies = []
- result.stdout.scan(dependency_metadata_regex).each do |dependency_properties|
+
+ lockfile_content.scan(dependency_metadata_regex).each do |dependency_properties|
 if dependency_properties.length < 3
 report_error("Could not parse dependency metadata #{dependency_properties}")
 next
diff --git a/lib/salus/repo.rb b/lib/salus/repo.rb
index a7f1482c..5487bcd9 100644
--- a/lib/salus/repo.rb
+++ b/lib/salus/repo.rb
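Review bot: `raise StandardError, msg unless File.exist?(path)` fails with a `TypeError` instead of the intended `gradle.lockfile not found!` message when `path` is `nil`, which is presumably what `@repository.build_gradle_lockfile_path` yields when no lockfile was detected — and `ReportGradleDeps` calls this method with that value while this diff adds no lockfile gate for it, so the guard should be `unless path && File.exist?(path)`. Raising also departs from the module's own convention, used a few lines below, of `report_error` plus skipping (the removed code reported and returned `[]`), so unless the framework rescues scanner exceptions a missing lockfile now aborts the whole run rather than failing one scanner. The new regex is unanchored and is run over the whole file with `scan`, so the generated-file `#` banner or any stray line containing `a:b:c=` is harvested as a coordinate; iterating line by line, skipping `#` lines and anchoring the pattern with `\A` (the named-capture names are not legible in this rendering, but the callers read `dependency['group_id']`) ties the parser to the documented `group:artifact:version=configurations` line format, as sketched below. `gradle_dependencies` continues past the end of this hunk. Replacing `./gradlew`/`gradle dependencies` execution with a file read is a genuine hardening worth stating in the commit message — the scanner no longer runs the scanned repository's build scripts, so a hostile `build.gradle` can no longer execute code inside the scanner container — with the trade-off that a stale or hand-edited lockfile is now trusted verbatim.
```ruby
  def gradle_dependencies(path)
    # A nil path (no gradle.lockfile detected) must not raise TypeError;
    # report and return [] like the rest of this module does on parse problems.
    unless path && File.exist?(path)
      report_error("gradle.lockfile not found!")
      return []
    end
    # … unchanged: dependency_metadata_regex, anchored at line start with \A …
    dependencies = []
    File.foreach(path) do |line|
      next if line.start_with?('#') # generated-file banner, never a coordinate
      match = line.match(dependency_metadata_regex)
      next unless match
      dependency_properties = match.captures
      # … unchanged: length check, report_error and hash construction …
```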
@@ -41,6 +41,7 @@ class Repo
 # Java
 { handle: :pom_xml, filename: 'pom.xml' },
 { handle: :build_gradle, filename: 'build.gradle' },
+ { handle: :build_gradle_lockfile, filename: 'gradle.lockfile' },
 # Swift
 { handle: :package_resolved, filename: 'Package.resolved' },
 # Apple Ecosystem (macOS, iOS, etc)
diff --git a/lib/salus/scanners/osv/gradle_osv.rb b/lib/salus/scanners/osv/gradle_osv.rb
index 086af14b..0f2dbfe2 100644
--- a/lib/salus/scanners/osv/gradle_osv.rb
+++ b/lib/salus/scanners/osv/gradle_osv.rb
@@ -12,7 +12,8 @@ class SemVersion < Gem::Version; end
 "/Maven/all.zip".freeze
 
 def should_run?
- @repository.build_gradle_present?
+ @repository.build_gradle_present? &&
+ @repository.build_gradle_lockfile_present?
 end
 
 def self.supported_languages
@@ -21,7 +22,7 @@ def self.supported_languages
 
 def run
 # Find dependencies from the project
- dependencies = gradle_dependencies
+ dependencies = gradle_dependencies(@repository.build_gradle_lockfile_path)
 if dependencies.empty?
 err_msg = "GradleOSV: Failed to parse any dependencies from the project."
 report_stderr(err_msg)
diff --git a/lib/salus/scanners/report_gradle_deps.rb b/lib/salus/scanners/report_gradle_deps.rb
index bad64e2b..13911393 100644
--- a/lib/salus/scanners/report_gradle_deps.rb
+++ b/lib/salus/scanners/report_gradle_deps.rb
@@ -7,7 +7,7 @@ class ReportGradleDeps < ReportBase
 include Gradle
 
 def run
- dependencies = gradle_dependencies
+ dependencies = gradle_dependencies(@repository.build_gradle_lockfile_path)
 
 dependencies.each do |dependency|
 group_id = dependency['group_id']
diff --git a/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle
index 228cf77e..8195f8ca 100644
--- a/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle
+++ b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/build.gradle
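Review bot: `should_run?` now also requires `build_gradle_lockfile_present?`, yet the docs in this same change tell multi-project users to lock with `resolveAndLockAll --write-locks`, and Gradle writes one `gradle.lockfile` per project directory, so a multi-project build may carry lockfiles only in its subprojects. If `Repo`'s filename table (extended in the hunk above) only looks at the repository root — not visible here — such builds are now silently skipped and reported as not run, which is exactly the case the deleted multi-build spec used to cover. Either detect `**/gradle.lockfile` and feed every match to `gradle_dependencies`, or keep `should_run?` true whenever `build.gradle` is present and report the missing lockfile through the same `report_stderr` path the next hunk uses, so the skip is visible in the report instead of looking like a clean scan.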
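Review bot: `run` now hands `@repository.build_gradle_lockfile_path` to `gradle_dependencies`, but this diff does not touch `ReportGradleDeps#should_run?`; if it still keys only on `build.gradle` (it lies outside this hunk), a repository without a lockfile reaches the parser with a `nil` path and the dependency-report scanner errors instead of being skipped. Mirror the gate added to `GradleOSV` above — `@repository.build_gradle_present? && @repository.build_gradle_lockfile_present?` — or handle the `nil` path explicitly before calling the parser.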
@@ -9,3 +9,9 @@ repositories {
 dependencies {
 testImplementation group: 'com.google.guava', name: 'guava', version: '30.1-jre'
 }
+
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
\ No newline at end of file
diff --git a/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/gradle.lockfile b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/gradle.lockfile
new file mode 100644
index 00000000..ace9001e
--- /dev/null
+++ b/spec/fixtures/osv/gradle_osv/failure_vulnerability_present/gradle.lockfile
@@ -0,0 +1,11 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.google.code.findbugs:jsr305:3.0.2=testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.3.4=testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:30.1-jre=testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle b/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle
index 2fab275e..875ea0b4 100644
--- a/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle
+++ b/spec/fixtures/osv/gradle_osv/no_dependency_found/build.gradle
@@ -8,3 +8,9 @@ repositories {
 dependencies {
 }
+
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
\ No newline at end of file
diff --git a/spec/fixtures/osv/gradle_osv/no_dependency_found/gradle.lockfile b/spec/fixtures/osv/gradle_osv/no_dependency_found/gradle.lockfile
new file mode 100644
index 00000000..8ccf21c9
--- /dev/null
+++ b/spec/fixtures/osv/gradle_osv/no_dependency_found/gradle.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
diff --git a/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle
index 3d07ce37..5bdb4a5e 100644
--- a/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle
+++ b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/build.gradle
@@ -9,3 +9,9 @@ repositories {
 dependencies {
 implementation group: 'test.test.test', name: 'sample', version: '2.6.2'
 }
+
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
\ No newline at end of file
diff --git a/spec/fixtures/osv/gradle_osv/success_no_vulnerability/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/gradle.lockfile
new file mode 100644
index 00000000..6b0e2591
--- /dev/null
+++ b/spec/fixtures/osv/gradle_osv/success_no_vulnerability/gradle.lockfile
@@ -0,0 +1,5 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.testsampledep:hello-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/success_resolved_dependency/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_resolved_dependency/gradle.lockfile
new file mode 100644
index 00000000..ec49072d
--- /dev/null
+++ b/spec/fixtures/osv/gradle_osv/success_resolved_dependency/gradle.lockfile
@@ -0,0 +1,5 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.apache.logging.log4j:log4j-api:2.17.1=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle
index 228cf77e..8195f8ca 100644
--- a/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle
+++ b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/build.gradle
@@ -9,3 +9,9 @@ repositories {
 dependencies {
 testImplementation group: 'com.google.guava', name: 'guava', version: '30.1-jre'
 }
+
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
\ No newline at end of file
diff --git a/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/gradle.lockfile b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/gradle.lockfile
new file mode 100644
index 00000000..ace9001e
--- /dev/null
+++ b/spec/fixtures/osv/gradle_osv/success_vulnerability_present_exception_added/gradle.lockfile
@@ -0,0 +1,11 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.google.code.findbugs:jsr305:3.0.2=testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.3.4=testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:30.1-jre=testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.3=testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.5.0=testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor
diff --git a/spec/fixtures/processor/local_uri/expected_report.json b/spec/fixtures/processor/local_uri/expected_report.json
index 9d12f994..6b8374d4 100644
--- a/spec/fixtures/processor/local_uri/expected_report.json
+++ b/spec/fixtures/processor/local_uri/expected_report.json
@@ -249,7 +249,7 @@
 "passed": true,
 "running_time": 1.45,
 "scanner_name": "Trufflehog",
- "version": "3.19.0",
+ "version": "3.21.0",
 "warn": {
 }
 }
diff --git a/spec/fixtures/processor/remote_uri/expected_report.json b/spec/fixtures/processor/remote_uri/expected_report.json
index bc8cc3ff..8ac0d61b 100644
--- a/spec/fixtures/processor/remote_uri/expected_report.json
+++ b/spec/fixtures/processor/remote_uri/expected_report.json
@@ -249,7 +249,7 @@
 "passed": true,
 "running_time": 1.45,
 "scanner_name": "Trufflehog",
- "version": "3.19.0",
+ "version": "3.21.0",
 "warn": {
 }
 }
diff --git a/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle
index 924cc350..cfc6199b 100644
--- a/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle
+++ b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/build.gradle
@@ -2,5 +2,12 @@ plugins {
 id 'java'
 }
 
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
+}
+
 repositories {
- mavenCentr
\ No newline at end of file
+ mavenCentr
+}
\ No newline at end of file
diff --git a/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/gradle.lockfile b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/gradle.lockfile
new file mode 100644
index 00000000..8ccf21c9
--- /dev/null
+++ b/spec/fixtures/report_gradle_deps/bad_gradle_cant_parse/gradle.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+empty=annotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
diff --git a/spec/fixtures/report_gradle_deps/normal/build.gradle b/spec/fixtures/report_gradle_deps/normal/build.gradle
index 57068d94..8c57570c 100644
--- a/spec/fixtures/report_gradle_deps/normal/build.gradle
+++ b/spec/fixtures/report_gradle_deps/normal/build.gradle
@@ -10,4 +10,10 @@ dependencies {
 implementation group: 'org.apache.kafka', name: 'connect-transforms', version: '2.6.2'
 implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
 testImplementation group: 'org.testng', name: 'testng', version: '7.4.0'
+}
+
+allprojects {
+ dependencyLocking {
+ lockAllConfigurations()
+ }
 }
\ No newline at end of file
diff --git a/spec/fixtures/report_gradle_deps/normal/gradle.lockfile b/spec/fixtures/report_gradle_deps/normal/gradle.lockfile
new file mode 100644
index 00000000..0a0757b6
--- /dev/null
+++ b/spec/fixtures/report_gradle_deps/normal/gradle.lockfile
@@ -0,0 +1,18 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.beust:jcommander:1.78=testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.10.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.10.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.10.5.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.luben:zstd-jni:1.4.4-7=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+javax.ws.rs:javax.ws.rs-api:2.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:connect-api:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:connect-transforms:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:kafka-clients:2.6.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.lz4:lz4-java:1.7.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:1.7.30=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testng:testng:7.4.0=testCompileClasspath,testRuntimeClasspath
+org.webjars:jquery:3.5.1=testCompileClasspath,testRuntimeClasspath
+org.xerial.snappy:snappy-java:1.1.7.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+empty=annotationProcessor,testAnnotationProcessor
diff --git a/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb b/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb
index 540842b1..5ea602e3 100644
--- a/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb
+++ b/spec/lib/cyclonedx/report_gradle_deps_cyclonedx_spec.rb
@@ -10,7 +10,7 @@
 gradle_cyclonedx = Cyclonedx::ReportGradleDeps.new(scanner.report)
 components_object = gradle_cyclonedx.build_components_object
 
- expect(components_object.size).to eq(61)
+ expect(components_object.size).to eq(14)
 expect(components_object).to include(
 {
 type: "library",
diff --git a/spec/lib/salus/scanners/osv/gradle_osv_spec.rb b/spec/lib/salus/scanners/osv/gradle_osv_spec.rb
index f050d9bc..159274ab 100644
--- a/spec/lib/salus/scanners/osv/gradle_osv_spec.rb
+++ b/spec/lib/salus/scanners/osv/gradle_osv_spec.rb
@@ -80,20 +80,6 @@ def stub_req_with_valid_response
 expect(scanner.report.to_h.fetch(:passed)).to eq(false)
 end
 
- it 'should fail when vulnerable dependencies are found in multi build project' do
- repo = Salus::Repo.new(File.join(fixture_path, 'multi_build_project'))
- config_data = YAML.load_file(
- File.join(fixture_path, 'multi_build_project/salus.yaml')
- )
- scanner = Salus::Scanners::OSV::GradleOSV.new(
- repository: repo, config: config_data["scanner_configs"]["GradleOSV"]
- )
- stub_req_with_valid_response
- scanner.run
-
- expect(scanner.report.to_h.fetch(:passed)).to eq(false)
- end
-
 it 'should pass when vulnerable dependencies found in build.gradle'\
 ' have exceptions configured' do
 repo = Salus::Repo.new(File.join(fixture_path,
@@ -162,37 +148,5 @@ def stub_req_with_valid_response
 expect(scanner.report.to_h.fetch(:passed)).to eq(true)
 end
 end
-
- context 'when given different gradle versions' do
- let(:path_str) { "../../../../../spec/fixtures/osv/gradle_osv/gradle_versions/" }
- let(:path_unsupported) { "unsupported_version" }
- let(:path_v6) { "version_6" }
- let(:path_v7) { "version_7" }
- let(:fixture_path) { File.expand_path(path_str, __dir__) }
-
- it 'runs gradle version 7 successfully' do
- repo = Salus::Repo.new(File.join(fixture_path, path_v7))
- scanner = Salus::Scanners::OSV::GradleOSV.new(repository: repo, config: {})
- stub_req_with_valid_response
- scanner.run
- expect(scanner.report.to_h.fetch(:passed)).to eq(true)
- end
-
- it 'runs gradle version 6 successfully' do
- repo = Salus::Repo.new(File.join(fixture_path, path_v6))
- scanner = Salus::Scanners::OSV::GradleOSV.new(repository: repo, config: {})
- stub_req_with_valid_response
- scanner.run
- expect(scanner.report.to_h.fetch(:passed)).to eq(true)
- end
-
- it 'reports errors for unsupported gradle versions' do
- repo = Salus::Repo.new(File.join(fixture_path, path_unsupported))
- scanner = Salus::Scanners::OSV::GradleOSV.new(repository: repo, config: {})
- stub_req_with_valid_response
- scanner.run
- expect(scanner.report.to_h.fetch(:passed)).to eq(false)
- end
- end
 end
 end
diff --git a/spec/lib/salus/scanners/report_gradle_deps_spec.rb b/spec/lib/salus/scanners/report_gradle_deps_spec.rb
index d034d5d2..3da33786 100644
--- a/spec/lib/salus/scanners/report_gradle_deps_spec.rb
+++ b/spec/lib/salus/scanners/report_gradle_deps_spec.rb
@@ -41,7 +41,7 @@
 scanner.run
 dependencies = scanner.report.to_h.fetch(:info).fetch(:dependencies)
 
- expect(dependencies.size).to eq(61)
+ expect(dependencies.size).to eq(14)
 expect(dependencies).to include(
 {
 dependency_file: "build.gradle",
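Review bot: The expected entry still carries `dependency_file: "build.gradle"` even though every dependency in this report now comes from `gradle.lockfile` — the count dropping from 61 to 14 matches the 14 locked coordinates in the new `normal/gradle.lockfile` fixture. If that value is set by the scanner rather than by the fixture (the setter is outside this hunk), it should name the lockfile, so SBOM/CycloneDX consumers can trace each component to the file that actually pinned it; a `dependency_file: "gradle.lockfile"` expectation here would pin that. Separately, with the multi-build and gradle-version specs deleted, nothing visible exercises the new failure modes — a repo with `build.gradle` but no `gradle.lockfile`, or a `nil` lockfile path reaching `gradle_dependencies` — so a spec for each would pin the skip-versus-error behaviour the parser rewrite introduced.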