-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathbuild.gradle
More file actions
77 lines (69 loc) · 2.61 KB
/
Copy pathbuild.gradle
File metadata and controls
77 lines (69 loc) · 2.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
// SPDX-License-Identifier: Apache-2.0 AND GPL-3.0-or-later
import org.gradle.api.tasks.bundling.AbstractArchiveTask
import org.gradle.api.artifacts.dsl.LockMode
buildscript {
apply from: 'versions.gradle'
repositories {
google()
mavenCentral()
gradlePluginPortal()
}
configurations.classpath {
resolutionStrategy.activateDependencyLocking()
}
dependencies {
classpath "com.android.tools.build:gradle:${agp_version}"
// OWASP dependency-check - used by local dependency CVE audits to surface
// known CVEs across the runtime classpath. ROADMAP iter-22 [S274].
classpath "org.owasp:dependency-check-gradle:${dependency_check_version}"
}
}
wrapper {
distributionType = Wrapper.DistributionType.BIN
}
allprojects {
dependencyLocking {
lockMode = LockMode.STRICT
lockAllConfigurations()
}
repositories {
google()
mavenCentral()
maven { url = uri("https://jitpack.io") }
}
tasks.withType(AbstractArchiveTask).configureEach {
preserveFileTimestamps = false
reproducibleFileOrder = true
}
gradle.projectsEvaluated {
tasks.withType(JavaCompile).tap {
configureEach {
options.compilerArgs << "-Xlint:unchecked" << "-Xlint:deprecation"
}
}
}
}
// OWASP dependency-check aggregate task. Configured at the root so maintainers can run
// `./gradlew dependencyCheckAggregate` once and capture results from every module.
// Suppression file documents intentional ignores; format default 'HTML,SARIF' so local
// release/audit runs get both human and machine-readable artifacts. ROADMAP iter-22 [S274].
apply plugin: 'org.owasp.dependencycheck'
def dependencyCheckFailBuildOnCvss = Float.parseFloat(
(findProperty('dependencyCheckFailBuildOnCvss') ?: '11.0').toString())
dependencyCheck {
formats = ['HTML', 'SARIF']
// Ad-hoc local runs default to report-only (11.0). The maintainer release scripts
// always pass -PdependencyCheckFailBuildOnCvss=9.0 and preserve both reports.
failBuildOnCVSS = dependencyCheckFailBuildOnCvss
// Suppress vendored-AAR false positives via XML at this path; create on first audit pass.
suppressionFile = file('config/owasp-suppressions.xml').exists()
? file('config/owasp-suppressions.xml').toString()
: null
skipTestGroups = true
nvd {
// Set NVD_API_KEY locally for higher rate limits; falls back to anonymous below.
if (System.getenv('NVD_API_KEY')) {
apiKey = System.getenv('NVD_API_KEY')
}
}
}