
How to configure this action to ignore plugin dependencies? #197

Closed
andreas-borglin opened this issue Apr 24, 2024 · 4 comments
Labels
question Further information is requested

Comments

@andreas-borglin (Author)

Hi there.

We've just started using this action to submit dependency information to GitHub, which is great!

However, we have a problem: this action (or rather the underlying Gradle plugin, I suppose) is reporting dependencies for the Gradle plugins in the project. These are irrelevant for our use case, where we want to track vulnerabilities for the application dependencies defined via Gradle's implementation configuration etc., not the internals of the build system such as which plugins are used.

Below are some examples from the generated dependency report:

  "io.spring.gradle:dependency-management-plugin:1.1.0" : {
    "package_url" : "pkg:maven/io.spring.gradle/dependency-management-plugin@1.1.0",
    "relationship" : "indirect",
    "dependencies" : [ ]
  },
  "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:3.1.1" : {
    "package_url" : "pkg:maven/org.sonarsource.scanner.gradle/sonarqube-gradle-plugin@3.1.1",
    "relationship" : "direct",
    "dependencies" : [ "org.sonarsource.scanner.api:sonar-scanner-api:2.16.0.226" ]
  },

These are defined in the plugins block in our build.gradle.kts file.

Is there a way to configure the action to not report on plugins, or at a minimum, mark them with the development scope? At the moment they are not reported with any scope making it impossible to distinguish them from real runtime dependencies.

Thanks in advance, Andreas

@andreas-borglin (Author)

Btw, in the example above the project is set up with Gradle 7.4.2 and it's using the v3 tag for this action.

@bigdaz (Member) commented Apr 24, 2024

There's not (currently) any way to ignore all plugin dependencies for your build, and the dependency-submission action is not able to differentiate between "development" and "runtime" dependencies.

But you can choose which projects and/or configurations to include/exclude when generating the dependency graph. See the documentation here.

@bigdaz bigdaz added the question Further information is requested label Apr 24, 2024
@bigdaz bigdaz closed this as completed Apr 24, 2024
@andreas-borglin (Author)

Thanks for the reply.

Yes, sorry, I forgot to mention that I have tried with DEPENDENCY_GRAPH_EXCLUDE_PROJECTS: ':buildSrc' (also directly via the Gradle plugin locally), and it did not make any difference in this case.

I will keep testing with variations of the flags to see if I can get it to work somehow.

@bigdaz (Member) commented Apr 24, 2024

You need to realize that it's where the dependencies are resolved that matters, not where they are declared. So if a plugin is applied to all projects, then it won't be possible to exclude it via project.

If you can generate a build scan then that will give you a good feel for which resolved configurations contain the undesirable dependency. If not, try running the dependencies and buildEnvironment tasks.
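The two answers above make the point that exclusion works at the level of resolved projects and configurations, and that a plugin's own transitive dependencies (the sonar-scanner-api entry in the quoted report) are reported alongside it. Where the exclusion knobs cannot separate the two, the generated snapshot can still be post-processed before submission. The script below is an added example and is not code from this issue, from the action, or from the Gradle plugin. It reads a dependency-snapshot document of the shape quoted above, treats coordinates that match an assumed list of plugin patterns as build tooling, walks their "dependencies" lists so that anything reachable only through a plugin is classified with it, keeps anything also reachable from an application-level direct dependency as runtime, and writes a scope onto each classified entry. It assumes you have the snapshot JSON on disk before it is submitted, and that the scope field takes the snapshot API's "runtime"/"development" values. The sample manifest, the com.example coordinates, the pattern list and the file name annotate_scopes.py are constructed for the example.

```python
"""Mark Gradle plugin dependencies (and their transitive deps) as development scope
in a GitHub dependency-snapshot document. Added example, not the action's code."""
import copy
import json
import re
import sys
from collections import deque

# Heuristics for "this coordinate is build tooling". Assumed for this example;
# adjust to the plugin ids your build actually applies.
BUILD_TOOLING_PATTERNS = [
    r":[^:]*-plugin:",        # artifact id ends in -plugin (sonarqube-gradle-plugin, ...)
    r"^[^:]*\.gradle[^:]*:",  # group id contains ".gradle" (io.spring.gradle, ...)
    r"\.gradle\.plugin:",     # Gradle plugin marker artifacts (<id>:<id>.gradle.plugin)
]


def _entry(group, artifact, version, relationship, deps=()):
    """Build one 'resolved' entry in the shape quoted in the issue."""
    return {"package_url": f"pkg:maven/{group}/{artifact}@{version}",
            "relationship": relationship, "dependencies": list(deps)}


# Constructed sample modelled on the report fragments in the issue; the
# com.example coordinates are invented. shared-util is reachable both from the
# sonarqube plugin and from app-lib, so it must stay runtime.
SAMPLE_RESOLVED = {
    "io.spring.gradle:dependency-management-plugin:1.1.0":
        _entry("io.spring.gradle", "dependency-management-plugin", "1.1.0", "indirect"),
    "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:3.1.1":
        _entry("org.sonarsource.scanner.gradle", "sonarqube-gradle-plugin", "3.1.1", "direct",
               ["org.sonarsource.scanner.api:sonar-scanner-api:2.16.0.226",
                "com.example:shared-util:2.0.0"]),
    "org.sonarsource.scanner.api:sonar-scanner-api:2.16.0.226":
        _entry("org.sonarsource.scanner.api", "sonar-scanner-api", "2.16.0.226", "indirect"),
    "com.example:app-lib:1.0.0":
        _entry("com.example", "app-lib", "1.0.0", "direct", ["com.example:shared-util:2.0.0"]),
    "com.example:shared-util:2.0.0":
        _entry("com.example", "shared-util", "2.0.0", "indirect"),
}
SAMPLE_SNAPSHOT = {"manifests": {"build.gradle.kts": {"name": "build.gradle.kts",
                                                      "resolved": SAMPLE_RESOLVED}}}


def is_build_tooling(coordinate, patterns=BUILD_TOOLING_PATTERNS):
    return any(re.search(p, coordinate) for p in patterns)


def _reachable(resolved, roots):
    """All coordinates reachable from `roots` through the manifest's dependency lists."""
    seen, queue = set(), deque(roots)
    while queue:
        name = queue.popleft()
        if name in seen or name not in resolved:
            continue
        seen.add(name)
        queue.extend(resolved[name].get("dependencies", []))
    return seen


def classify(resolved, patterns=BUILD_TOOLING_PATTERNS):
    """Map each coordinate to 'runtime', 'development' or 'unknown'.

    Anything reachable from a non-plugin direct dependency stays runtime even if a
    plugin also pulls it in; anything reachable only through a plugin is development.
    """
    tooling_roots = [n for n in resolved if is_build_tooling(n, patterns)]
    app_roots = [n for n, e in resolved.items()
                 if e.get("relationship") == "direct" and n not in tooling_roots]
    app_reach = _reachable(resolved, app_roots)
    tooling_reach = _reachable(resolved, tooling_roots)
    return {n: "runtime" if n in app_reach
            else "development" if n in tooling_reach
            else "unknown"
            for n in resolved}


def annotate_scopes(resolved, patterns=BUILD_TOOLING_PATTERNS):
    """Copy of `resolved` with a scope on each classified entry; entries that already
    carry a scope, and unknown ones, are left untouched."""
    scopes = classify(resolved, patterns)
    out = copy.deepcopy(resolved)
    for name, entry in out.items():
        if "scope" not in entry and scopes[name] != "unknown":
            entry["scope"] = scopes[name]
    return out


def annotate_snapshot(snapshot, patterns=BUILD_TOOLING_PATTERNS):
    """Apply annotate_scopes to every manifest in a snapshot document."""
    out = copy.deepcopy(snapshot)
    for manifest in out.get("manifests", {}).values():
        manifest["resolved"] = annotate_scopes(manifest.get("resolved", {}), patterns)
    return out


if __name__ == "__main__":
    # Usage: python annotate_scopes.py <snapshot.json> > annotated.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SNAPSHOT
    json.dump(annotate_snapshot(data), sys.stdout, indent=2)
```

Classifying by reachability rather than by name alone is what makes this consistent with the "where it is resolved" point: a library that both a plugin and the application pull in keeps its runtime scope, so a vulnerability in it is not hidden behind a development label. Run the script against the real snapshot first and read the "unknown" entries it leaves unscoped; those are indirect dependencies whose parent is not in the manifest, which usually means the patterns need extending for your build.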
