Add support for configuring multiple Analyze tasks distinctly. #487
ThomGeG wants to merge 1 commit into dependency-check:main.
Commits compared: e2f7d99 to 46f9661.
Certain key configurations have been moved to task inputs w/ the existing extension providing default values. This allows users to register multiple tasks with distinct configurations so they can produce multiple reports as needed.
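To make the mechanism described above concrete, here is an added example build script (Groovy DSL) that is not part of this PR or of the project's own multipleTasks.gradle test file. It uses only the task-level properties the PR introduces (scanConfigurations, scanDependencies, scanBuildEnv, failBuildOnCVSS, suppressionFiles) on the Analyze task type, with the dependencyCheck extension supplying the convention values that every task inherits unless it overrides them. Assumptions: the plugin id 'org.owasp.dependencycheck', the configuration names 'runtimeClasspath' and 'testRuntimeClasspath' (standard for the java plugin), the suppression file paths, that failBuildOnCVSS takes a Float, and that Gradle's Groovy DSL assignment to Property/ListProperty applies. Note that, as the review on this PR points out, the task-level suppressionFile/suppressionFiles properties are declared but not yet consumed by initializeSettings, so the per-task suppression override below shows the intended usage rather than the behaviour of the revision under review.

```groovy
// build.gradle (Groovy DSL). Added example; assumed plugin id and paths.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck'   // assumption: plugin id of dependency-check-gradle
}

// Extension-level values are the convention (default) for every Analyze task.
dependencyCheck {
    failBuildOnCVSS = 7.0f                                    // assumption: Float
    suppressionFile = 'config/dependency-check/suppressions.xml'
}

// 1) Production classpath only. Inherits the extension defaults above.
def dependencyCheckAnalyzeRuntime = tasks.register('dependencyCheckAnalyzeRuntime',
        org.owasp.dependencycheck.gradle.tasks.Analyze) {
    description = 'Runs a dependency-check analysis on the runtime classpath only.'
    scanConfigurations = ['runtimeClasspath']
}

// 2) Test classpath. Overrides the CVSS threshold and suppression list at task level,
//    so test-only findings can be triaged separately from shipped code.
def dependencyCheckAnalyzeTest = tasks.register('dependencyCheckAnalyzeTest',
        org.owasp.dependencycheck.gradle.tasks.Analyze) {
    description = 'Runs a dependency-check analysis on just the test configuration.'
    scanConfigurations = ['testRuntimeClasspath']
    failBuildOnCVSS = 9.0f
    suppressionFiles = ['config/dependency-check/test-suppressions.xml']
}

// 3) Build environment (buildscript/plugin dependencies) instead of project dependencies.
def dependencyCheckAnalyzeBuild = tasks.register('dependencyCheckAnalyzeBuild',
        org.owasp.dependencycheck.gradle.tasks.Analyze) {
    description = 'Runs a dependency-check analysis on the build environment dependencies.'
    scanDependencies = false
    scanBuildEnv = true
}

// Aggregate entry point for CI: all three reports from one invocation.
tasks.register('dependencyCheckAll') {
    description = 'Runs every registered dependency-check analysis task.'
    dependsOn dependencyCheckAnalyzeRuntime, dependencyCheckAnalyzeTest, dependencyCheckAnalyzeBuild
}
```

Running `gradle dependencyCheckAll` executes the three tasks; because each task has its own inputs, Gradle can run and cache them independently, and a change to one scope's suppression file invalidates only that task. The distinct failBuildOnCVSS values are the practical payoff: a stricter gate on what ships than on what only runs in tests, without two separate plugin applications.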
Sorry for the delay in review - I've been away a bit. I understand the intent - but wouldn't all of the properties form
Pull request overview
This PR adds support for configuring multiple dependency-check analysis tasks with distinct settings, addressing issue #484. Previously, all configuration was handled at the extension level, making it impossible to have multiple analysis tasks scanning different dependency scopes with different configurations (e.g., different suppression files, output directories, or failure thresholds).
Key changes:
- Added task-level input properties to `AbstractAnalyze` for key configuration settings (scanConfigurations, skipConfigurations, skipTestGroups, scanDependencies, scanBuildEnv, failBuildOnCVSS, suppressionFile, suppressionFiles)
- Updated `Analyze` and `Aggregate` tasks to use task-level properties instead of extension-level config
- Properties are initialized with convention values from the extension, allowing global defaults while supporting task-level overrides
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy | Added task-level input properties for configuration settings and updated methods to use these properties instead of extension config |
| src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy | Updated to use task-level scanDependencies and scanBuildEnv properties |
| src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy | Updated to use task-level scanDependencies and scanBuildEnv properties |
| src/test/resources/multipleTasks.gradle | Test configuration demonstrating multiple analysis tasks with distinct configurations |
| src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckConfigurationSelectionIntegSpec.groovy | Integration test verifying that multiple tasks generate separate reports for different dependency scopes |
In src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy:

```groovy
    @Input
    @Optional
    final Property<String> suppressionFile

    /**
     * A list of file paths to XML suppression files.
     *
     * <p>These can be local file paths, URLs to hosted
     * suppression files, or even references to files on the class path.</p>
     *
     * @see #suppressionFile
     * @see org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension#suppressionFiles
     */
    @Input
    @Optional
    final ListProperty<String> suppressionFiles
```
The suppressionFile and suppressionFiles task properties are defined and initialized but are not actually used. The initializeSettings method in ConfiguredTask (line 72) uses config.suppressionFile and config.suppressionFiles directly instead of the task-level properties. AbstractAnalyze should override initializeSettings to use these task-level properties, similar to how it needs to handle the other task-level properties like scanConfigurations, skipConfigurations, etc. Without this override, users cannot configure different suppression files for different tasks.
In src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy:

```groovy
     *
     * <p>Defaults to <code>false</code>.</p>
     *
     * @see org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension#scanDependencies
```
The @see tag incorrectly references 'scanDependencies'. It should reference 'scanBuildEnv' instead, as this documentation is for the scanBuildEnv property.
Suggested change:

```diff
-     * @see org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension#scanDependencies
+     * @see org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension#scanBuildEnv
```
In src/test/resources/multipleTasks.gradle:

```groovy
}

def dependencyCheckAnalyzeBuild = tasks.register('dependencyCheckAnalyzeBuild', org.owasp.dependencycheck.gradle.tasks.Analyze) {
    description = 'Runs a dependency-check analysis on just the test configuration.'
```
The description incorrectly states 'Runs a dependency-check analysis on just the test configuration.' but this task analyzes the build environment, not the test configuration. The description should be updated to reflect that this task scans the build environment dependencies.
Suggested change:

```diff
-    description = 'Runs a dependency-check analysis on just the test configuration.'
+    description = 'Runs a dependency-check analysis on the build environment dependencies.'
```
Closes #484