Add 'finding dependency source' section to docs

This commit is contained in:
Daz DeBoer 2024-01-31 11:32:47 -07:00 committed by GitHub
parent ec92e82947
commit 91e30c41b6
GPG Key ID: B5690EEEBB952194


@ -1,4 +1,4 @@
# The `dependency-submission` action
<img width="1102" alt="image" src="https://github.com/gradle/actions/assets/179734/d5922f72-852e-408a-b5c7-b0aeb6437566"># The `dependency-submission` action
The `gradle/actions/dependency-submission` action provides the simplest (and recommended) way to generate a
dependency graph for your project. This action will attempt to detect all dependencies used by your build
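Review bot: The first hunk replaces the `# The `dependency-submission` action` H1 with an `<img>` whose alt text is just "image", so the page loses its text title for screen readers, search and any non-image rendering (the -1,4 +1,4 header shows it is a one-for-one swap, and the run-together line in this view suggests the heading and the tag are no longer separated). Keep the heading as the first line, place the image on its own line after it, and give the image a descriptive `alt` (for example, "Dependency graph generated by the dependency-submission action"). If the image is meant to carry the title, say so in the alt text rather than dropping the heading.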
@ -74,6 +74,30 @@ jobs:
dependency-graph: generate-and-upload
```
## Finding the source of a dependency vulnerability
Once you have submitted a dependency graph, you may receive Dependabot Alerts warning about vulnerabilities in
dependencies of your project. In the case of transitive dependencies, it may not be obvious how that dependency is
used or what you can do to address the vulnerability alert.
The first step to investigating a Dependabot Alert is to determine the source of the dependency. One of the best ways to
do so is with a free Gradle Develocity Build Scan®, which makes it easy to explore the dependencies resolved in your build.
<img width="1069" alt="image" src="https://github.com/gradle/actions/assets/179734/3a637dfd-396c-4e94-8332-dcc6eb5a35ac">
In this example, we are searching for dependencies matching the name 'com.squareup.okio:okio' in the _Build Dependencies_ of
the project. You can easily see that this dependency originates from 'com.github.ben-manes:gradle-versions-plugin'.
Knowing the source of the dependency can help determine how to deal with the Dependabot Alert.
Note that you may need to look at both the _Dependencies_ and the _Build Dependencies_ of your project to find the
offending dependency.
### When you cannot use Build Scans
If publishing a free Build Scan to https://scans.gradle.com isn't an option, and you don't have access to a private [Develocity
server](https://gradle.com/) for your project, you can use the GitHub Dependency Graph Gradle Plugin to generate a report
listing the dependencies resolved in your build.
## Limiting the scope of the dependency graph
By default, the `dependency-submission` action attempts to detect all dependencies declared and used by your Gradle build.
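Review bot: The new "When you cannot use Build Scans" subsection names the GitHub Dependency Graph Gradle Plugin as the fallback but gives the reader nothing to act on: no link to the plugin, no mention of which task or configuration produces the dependency report, and no example of its output. Add a link and at least one short "run this, look here" step, or link to the plugin's own documentation. Two smaller points in the same hunk: the second screenshot has alt text "image" again and should describe the Build Scan search it shows, and the dependency coordinates `com.squareup.okio:okio` and `com.github.ben-manes:gradle-versions-plugin` should be in backticks rather than single quotes, consistent with the rest of the document.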