Gradle init script that adds a `checkBlacklist` task to every project. The task inspects the dependencies of the project's resolvable configurations, reports any that match a configurable blacklist, and (by default) fails the build when a match is found.
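/**
 * Init script that adds a `checkBlacklist` task (group "Security") to every project. The task
 * inspects the dependencies of the project's resolvable configurations and reports those that
 * match a configurable blacklist, failing the build by default when a match is found.
 *
 * Usage (no build-script change needed):
 *   gradle -I /path/to/blacklist.gradle checkBlacklist
 *
 * Scope and limitations to be aware of before relying on this as a control:
 *  - By default only *declared* (first-level) dependencies are inspected. A blacklisted library
 *    that arrives transitively is NOT reported unless `includeTransitive = true`, which resolves
 *    each checked configuration (needs repository access, slower) and inspects every resolved
 *    artifact as well.
 *  - Matching is by Maven coordinates only; shaded, relocated or vendored copies of a
 *    blacklisted library are invisible to this check.
 *  - The task is not wired into `check`/`build`; run it explicitly, or make `check` depend on
 *    it in the build, if it is meant to gate CI.
 */
gradle.allprojects {
    task checkBlacklist() {
        group 'Security'
        ext {
            // File the violation report is written to. A report left over from an earlier run is
            // deleted when the current run is clean, so consumers never read a stale result.
            // example: file(new File(rootProject.buildDir, "reports/${project.name}-checkBlacklist.txt"))
            reportFile = file(new File(project.buildDir, 'reports/blacklisted-dependencies.txt'))
            // Whether to fail the build when blacklisted dependencies are found (otherwise warn only)
            failBuildOnViolations = true
            // Configurations to check (default: all configurations of the project)
            // example: ['compile', 'providedCompile', 'runtime']
            includeConfigurations = null
            // Configurations to exclude from the check
            // example: project.configurations.names.findAll { it.startsWith('test') }
            excludeConfigurations = [] as Set<String>
            // Whether to resolve each checked configuration and inspect transitive dependencies too.
            // Off by default: resolution needs repository access and an unresolvable dependency
            // fails the task. Declared dependencies are always checked regardless of this flag.
            includeTransitive = false
            // Closure deciding whether a Dependency is blacklisted. `group` is null for file and
            // other self-resolving dependencies, so rules must be null-safe.
            // example: { Dependency d -> !(d.group ?: '').startsWith('org.apache.struts') }
            dependencyFilter = { Dependency d ->
                String group = d.group ?: ''
                List<Closure<Boolean>> rules = [
                    { (group ==~ /^org\.springframework\..*/) && (d.name ==~ /.*actuator.*/) },
                    { group.startsWith('org.apache.struts') }
                ]
                rules.any { Closure<Boolean> rule -> rule() }
            }
        }
        afterEvaluate { p ->
            p.checkBlacklist {
                includeConfigurations = includeConfigurations ?: project.configurations.names
                Set<String> knownConfigs = project.configurations.names as Set<String>
                Set<String> unknownConfigs = ((includeConfigurations + excludeConfigurations) as Set<String>) - knownConfigs
                if (unknownConfigs)
                    logger.warn "includeConfigurations & excludeConfigurations contain invalid name(s): ${unknownConfigs}"
                Set<String> filteredConfigs = (includeConfigurations - excludeConfigurations) as Set<String>
                logger.info("Included configurations:\n\t{}", filteredConfigs.join('\n\t'))
                logger.info("Excluded configurations:\n\t{}", (knownConfigs - filteredConfigs).join('\n\t'))
                if (filteredConfigs.containsAll(knownConfigs))
                    description "Reports all blacklisted dependencies"
                else
                    description "Reports blacklisted dependencies in ${filteredConfigs}"
                doLast {
                    // Only configurations that may be resolved are inspected. isCanBeResolved() does not
                    // exist on older Gradle versions, where every configuration is treated as resolvable.
                    List<Configuration> targets = project.configurations.findAll { Configuration c ->
                        boolean canBeResolved = c.metaClass.respondsTo(c, 'isCanBeResolved') ? c.isCanBeResolved() : true
                        canBeResolved && (c.name in filteredConfigs)
                    }
                    List<Dependency> candidates = targets.collectMany { Configuration c ->
                        List<Dependency> deps = c.dependencies.toList()
                        if (includeTransitive) {
                            // Resolve the configuration and re-express each resolved artifact's module as a
                            // Dependency so the same filter applies to transitive modules. Resolution
                            // failures propagate on purpose: an unresolvable graph cannot be vetted.
                            deps += c.resolvedConfiguration.resolvedArtifacts.collect { ResolvedArtifact a ->
                                def id = a.moduleVersion.id
                                project.dependencies.create("${id.group}:${id.name}:${id.version}")
                            }
                        }
                        deps
                    }
                    // Deduplicate on coordinates: a module may be reached via several configurations/artifacts.
                    List<String> violations = candidates.findAll(dependencyFilter).collect { Dependency d ->
                        "${d.group}:${d.name}:${d.version}".toString()
                    }.unique()
                    File report = file(reportFile)
                    if (violations) {
                        String msg = "${p} has blacklisted dependencies: \n\t" + violations.join('\n\t')
                        logger.info("Writing dependency blacklist violations to: ${report}")
                        report.parentFile.mkdirs()
                        report.text = msg
                        if (failBuildOnViolations)
                            throw new GradleException(msg)
                        else
                            logger.warn(msg)
                    } else if (report.exists()) {
                        // A clean run must not leave a previous run's violations on disk.
                        logger.info("No blacklisted dependencies found; removing stale report: ${report}")
                        report.delete()
                    }
                }
            }
        }
    }
}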