Fix relative links

Daz DeBoer 2024-04-04 16:32:04 -06:00 committed by GitHub
parent f04af21dd8
commit 5b2e9775ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -1,7 +1,7 @@
# Dependency submission FAQ
Implementing a `dependency-submission` workflow for your repository is documented in the
[core documentation](./dependency-submission.md).
[core documentation](dependency-submission.md).
But getting it working is the easy part: the dependency alerts you recieve can be confusing and surprising.
Here are some common questions answered.
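Review bot: The commit message "Fix relative links" does not say what was broken about `./dependency-submission.md` in the "core documentation" link. Under standard relative-URL resolution `./dependency-submission.md` and `dependency-submission.md` point at the same file, so please name the renderer or tool that needed the change in the commit body. Since this paragraph is being touched anyway, "recieve" in the following context line could be corrected to "receive" in the same commit.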
@ -25,13 +25,13 @@ We have long-term plans to improve the first point, and we are working with GitH
### My repository dependency graph contains a dependency that isn't anywhere in my build. Why is the `dependency-submission` action reporting dependencies I'm not using?
If you see a particular dependency version reported in the dependency graph, it means your build is resolving that dependency at some point.
You may be surprised what transitive dependencies are brought in by declared dependencies and applied plugins in your build.
[See here for a HOW-TO](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#resolving-a-dependency-vulnerability) on getting the bottom of why the dependency is being resolved.
[See here for a HOW-TO](dependency-submission.md#resolving-a-dependency-vulnerability) on getting the bottom of why the dependency is being resolved.
### I see multiple versions of the same dependency in the dependency graph, but I'm only declaring a single version in my build. Why is the action reporting dependency versions I'm not using?
This is almost certainly because the dependency in question is actually being resolved with different versions in different dependency configurations.
For example, you may have one version brought in as a plugin dependency (resolved in the `classpath` configuration) and another used directly as a code dependency (resolved in the `compileClasspath` configuration).
[See here for a HOW-TO](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#resolving-a-dependency-vulnerability) on getting the bottom of why the dependency is being resolved.
By far the easiest way is to publish a Build Scan® for the workflow run: [this is easily achieved with some additional action configuration](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#publishing-a-develocity-build-scan-from-your-dependency-submission-workflow).
[See here for a HOW-TO](dependency-submission.md#resolving-a-dependency-vulnerability) on getting the bottom of why the dependency is being resolved.
By far the easiest way is to publish a Build Scan® for the workflow run: [this is easily achieved with some additional action configuration](dependency-submission.md#publishing-a-develocity-build-scan-from-your-dependency-submission-workflow).
### I'm not seeing any security vulnerabilities for any of my dependencies. How can I be sure this is working?
First check that [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) are enabled for your repository.
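Review bot: The two "See here for a HOW-TO" links keep the anchor `#resolving-a-dependency-vulnerability`, while a later hunk in this same file links to `#finding-the-source-of-a-dependency-vulnerability` for what reads as the same instructions. Please confirm both headings exist in `dependency-submission.md`; a link to a missing anchor lands silently at the top of the page, so a stale one will not be noticed by readers trying to trace a reported dependency. Because these lines are being rewritten, "getting the bottom of" could also become "getting to the bottom of".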
@ -48,8 +48,8 @@ It doesn't matter how the dependencies are declared: the ones being resolved by
Many people are surprised to see what dependencies are actually being resolved when they run their builds, but I'm yet to see a case where the dependencies being reported are actually incorrect.
Please [follow the instructions here](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#finding-the-source-of-a-dependency-vulnerability) to identify the source of the dependency version that is being reported.
Please [follow the instructions here](dependency-submission.md#finding-the-source-of-a-dependency-vulnerability) to identify the source of the dependency version that is being reported.
Once you have worked out why it is being resolved, you can either [update the dependency version](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#updating-the-dependency-version)
or [exclude it from the submitted dependency graph](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#limiting-the-dependencies-that-appear-in-the-dependency-graph).
Once you have worked out why it is being resolved, you can either [update the dependency version](dependency-submission.md#updating-the-dependency-version)
or [exclude it from the submitted dependency graph](dependency-submission.md#limiting-the-dependencies-that-appear-in-the-dependency-graph).
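Review bot: Replacing the `https://github.com/gradle/actions/blob/main/docs/...` URLs with `dependency-submission.md#...` changes what the links resolve against: they used to point at `main`, and now they point at whichever ref the reader is viewing. That suits versioned docs, but the three anchors used here (`#finding-the-source-of-a-dependency-vulnerability`, `#updating-the-dependency-version`, `#limiting-the-dependencies-that-appear-in-the-dependency-graph`) must then exist in every ref that carries this FAQ. Consider adding a Markdown link and anchor check to CI so a heading rename in `dependency-submission.md` fails the build instead of quietly breaking the remediation links.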