
Dependency Audit

Sia edited this page May 31, 2026 · 2 revisions


Runs Gradle's built-in dependencies task and shows you a flat list of group:name:version coordinates plus the raw output.

View at /projects/{id}/deps (project detail → "🧩 Dependency audit").

Why

Before shipping a release you typically want to:

  • Verify which versions of Compose / OkHttp / Hilt actually got resolved (esp. after a transitive bump).
  • Spot accidental jumps to alpha/beta artifacts.
  • Hand a list off to a CVE scanner.

The audit page automates the first part: it picks a sensible default configuration (releaseRuntimeClasspath), runs Gradle and walks the dependency tree, which typically takes 10–90 seconds. Spotting pre-release versions is still a manual read of the resulting table.

CVE matching is not done — see the roadmap below.

How it works

DependencyAudit.audit(projectId, moduleName, configuration):

  1. Locates ./gradlew in workspace.projectRoot(projectId).
  2. Spawns:
    ./gradlew :{module}:dependencies --configuration <cfg> --quiet
    
    with GRADLE_OPTS=-Dorg.gradle.daemon=false -Dorg.gradle.parallel=false (single-shot; no daemon stays resident in memory). Because ./gradlew and the build scripts it evaluates belong to the audited project, this step runs that project's code with the server's privileges; only audit projects you would be willing to build on that host.
  3. 90 s timeout; stdout capped at 200 KB.
  4. Regex-parses each line for group:name:version. Conflict-resolution arrows are honoured: a line such as group:name:1.5.0 -> 1.6.0 contributes 1.6.0, the version Gradle actually resolved, not the requested 1.5.0.
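The four steps above, written out as an added example in Python. This is not the project's own DependencyAudit code: the names run_audit, parse_dependencies, Coordinate, gradle_command, cap_output and is_prerelease are illustrative, and SAMPLE_OUTPUT is a constructed imitation of what `gradle dependencies` prints, not output captured from a real build. It goes slightly beyond the page's description in that it also handles the `(*)`, `(c)`, `(n)` and FAILED markers Gradle appends, rich-version notation such as `{strictly 4.12.0}`, and lines where a BOM supplies the version so no requested version is printed.

```python
# Added example (not the project's code): the spawn/parse steps above in Python.
# Function names (run_audit, parse_dependencies, Coordinate) are illustrative and
# SAMPLE_OUTPUT is constructed, not captured from a real build.
import os
import re
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIMEOUT_SECONDS = 90            # page: 90 s timeout
OUTPUT_CAP_BYTES = 200 * 1024   # page: output capped at 200 KB

# One line of `gradle dependencies` output, e.g.
#   "|    \--- androidx.compose.runtime:runtime:1.5.0 -> 1.6.0 (*)"
COORD_RE = re.compile(
    r"^[\s|+\\\-]*"                          # tree-drawing prefix
    r"(?P<group>[A-Za-z0-9_.\-]+):"
    r"(?P<name>[A-Za-z0-9_.\-]+)"
    r"(?::(?P<requested>\{[^}]*\}|\S+))?"    # absent when a BOM supplies it; {strictly x} for rich versions
    r"(?:\s+->\s+(?P<resolved>\S+))?"        # conflict-resolution arrow
    r"(?P<flags>(?:\s+\([*cn]\))*)"          # (*) shown before, (c) constraint, (n) not resolved
    r"\s*(?P<failed>FAILED)?\s*$"
)
PRERELEASE_RE = re.compile(r"[-.](alpha|beta|rc|snapshot|dev)", re.IGNORECASE)


@dataclass(frozen=True)
class Coordinate:
    group: str
    name: str
    version: str              # what Gradle resolved (right-hand side of "->" if present)
    requested: Optional[str]  # what the build asked for; None if no version was printed
    unresolved: bool          # "(n)" marker or FAILED: this version never resolved


def parse_dependencies(output: str) -> List[Coordinate]:
    """Distinct group/name/version triples in parse order, arrows honoured."""
    seen, coords = set(), []
    for line in output.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue              # headers, "project :lib", blank lines
        version = m["resolved"] or m["requested"]
        if version is None or (m["group"], m["name"], version) in seen:
            continue
        seen.add((m["group"], m["name"], version))
        unresolved = "(n)" in m["flags"] or m["failed"] is not None
        coords.append(Coordinate(m["group"], m["name"], version, m["requested"], unresolved))
    return coords


def is_prerelease(version: str) -> bool:
    return PRERELEASE_RE.search(version) is not None


def cap_output(text: str, limit: int = OUTPUT_CAP_BYTES) -> str:
    return text.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def gradle_command(module: str, configuration: str) -> List[str]:
    return ["./gradlew", f":{module}:dependencies",
            "--configuration", configuration, "--quiet"]


def run_audit(project_root: str, module: str, configuration: str
              ) -> Tuple[bool, float, str, str, List[Coordinate]]:
    """(ok, seconds, stdout, stderr, coordinates). Spawns the project's own
    ./gradlew, which evaluates the project's build scripts: untrusted code
    running with the server's privileges."""
    env = dict(os.environ, GRADLE_OPTS="-Dorg.gradle.daemon=false -Dorg.gradle.parallel=false")
    start = time.monotonic()
    try:
        proc = subprocess.run(gradle_command(module, configuration), cwd=project_root, env=env,
                              capture_output=True, text=True, timeout=TIMEOUT_SECONDS)
        out, err, ok = proc.stdout, proc.stderr, proc.returncode == 0
    except subprocess.TimeoutExpired as exc:
        partial = exc.stdout or b""
        out = partial.decode("utf-8", "ignore") if isinstance(partial, bytes) else partial
        err, ok = f"timed out after {TIMEOUT_SECONDS}s", False
    out = cap_output(out)
    return ok, time.monotonic() - start, out, err, parse_dependencies(out) if ok else []


# Constructed sample of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`.
SAMPLE_OUTPUT = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.compose.ui:ui:1.6.0
|    +--- androidx.compose.runtime:runtime:1.5.0 -> 1.6.0
|    \\--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0 -> 1.9.22 (*)
+--- com.squareup.okhttp3:okhttp:{strictly 4.12.0} -> 4.12.0 (c)
+--- com.google.dagger:hilt-android:2.51
|    \\--- androidx.compose.runtime:runtime:1.6.0 (*)
+--- project :lib
+--- com.example:bom-managed -> 2.0.0
+--- androidx.activity:activity-compose:1.9.0-alpha03
\\--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0 (n)
"""

if __name__ == "__main__":
    for c in parse_dependencies(SAMPLE_OUTPUT):
        tags = (" PRE-RELEASE" if is_prerelease(c.version) else "") + (" UNRESOLVED" if c.unresolved else "")
        print(f"{c.group}:{c.name}:{c.version}{tags}")
```

On the sample, the two `androidx.compose.runtime:runtime` lines collapse into one row with version 1.6.0 (the first one's requested 1.5.0 is kept for reference), `project :lib` is ignored, and `kotlin-stdlib` appears twice because 1.9.22 (resolved) and 1.9.0 (the `(n)` line) are distinct triples; the unresolved flag is what tells you the second row is not actually on the classpath.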

Reading the result

The page renders three pieces:

  1. Status banner — success badge with run time, or red error banner with the captured stderr.
  2. Coordinates table — distinct group / name / version triples in parse order.
  3. Raw output (collapsed) — the entire Gradle stdout, capped at 200 KB.

Module / configuration overrides

The form lets you change two things before running:

  • Module — defaults to the project's registered moduleName (usually app). Library projects typically use lib; in a multi-module repo, enter the Gradle path of whichever module you want to inspect.
  • Configuration — defaults to releaseRuntimeClasspath. Common alternatives: debugRuntimeClasspath (the debug variant can resolve a different set, e.g. debugImplementation-only artifacts), testRuntimeClasspath, androidTestRuntimeClasspath.

What's missing (roadmap)

  • CVE matching. Integrate osv-scanner (Go) or the OWASP dependency-check Gradle plugin (its dependencyCheckAnalyze task) and tag each row with known advisory ids.
  • History. Currently each call re-runs Gradle. Caching the previous result with a timestamp would let you diff "what changed since last release".
  • Per-coord links. Linking each group:name to Maven Central search would speed up "what's the latest stable". JCenter has been sunset, so Maven Central is the only sensible target.

Audit log

No dedicated audit row — depending on how often you scan, the noise would overwhelm the audit log. The underlying gradle dependencies invocation is visible only in the server stdout log.
