
Releases: sonatype-nexus-community/scan-gradle-plugin

Reduce noise in Nexus IQ reports for Android projects and module selection

05 Aug 23:34
  1. Android projects in Nexus IQ can now benefit from the new optional configuration dirExcludes, which excludes the internal JAR files from AAR scanning and evaluation, so no unknown components add extra noise to the report. The recommended value (although not the default) is dirExcludes = '**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar'.

  2. Another optional setting was added to exclude specific modules from Nexus IQ evaluation in multi-module projects.
    Given a multi-module project like this:

sample-project
 --> sub-module-1
 --> sub-module-2
 --> sub-module-3

A new property allows excluding some of those modules from scan and evaluation in Nexus IQ:
modulesExcluded = ['sub-module-1', 'sub-module-2']
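The following build.gradle fragment is an added example of how both new settings fit into a plugin configuration for an Android multi-module project; it is not taken from the release notes or from the plugin's own sources. It assumes the plugin is applied under the id 'org.sonatype.gradle.plugins.scan' and configured through a 'nexusIQScan' block (as the plugin's README documents), that dirExcludes and modulesExcluded live inside that block, and that the credentials, server URL, application id and the resultFilePath (from the 08 Apr release further down this page) are placeholders.

```groovy
// Root build.gradle of an Android multi-module project (added example).
plugins {
  // Assumed plugin id; the version is a placeholder.
  id 'org.sonatype.gradle.plugins.scan' version 'X.Y.Z'
}

nexusIQScan {
  // Placeholder credentials read from the CI environment rather than hard-coded.
  username = System.getenv('NEXUS_IQ_USER')
  password = System.getenv('NEXUS_IQ_PASSWORD')
  serverUrl = 'https://iq.example.internal'   // placeholder URL
  applicationId = 'my-android-app'            // placeholder application id
  stage = 'build'                             // assumed stage name

  // Skip the JARs the Android Gradle Plugin packs inside every AAR, so they
  // do not surface as unknown components (the recommended value above).
  dirExcludes = '**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar'

  // Keep helper modules (for example test fixtures or a sample app) out of the
  // evaluated application; module names are placeholders.
  modulesExcluded = ['sub-module-1', 'sub-module-2']

  // Machine-readable result for CI gates (resultFilePath, added 08 Apr).
  resultFilePath = "$buildDir/reports/nexus-iq/result.json"
}
```

With this in place, `./gradlew nexusIQScan` evaluates only the remaining modules and their resolved dependencies, and the JSON written to resultFilePath is what a pipeline step would read to decide whether to fail the build.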

Send plugin metadata to Nexus IQ

25 Jun 15:43

Allows measuring how much this plugin is used by Nexus IQ customers.

The more it's used, the better :)

Support for Projects with Circular Dependencies

11 Jun 17:15

Fix #76 - The plugin now correctly processes projects with circular dependencies for both OSS Index and Nexus IQ.

Fix ConcurrentModificationException for Nexus IQ scans

26 May 17:37

Fix #74 - A ConcurrentModificationException was thrown when scanning a multi-module Gradle project with Nexus IQ.

Include Runtime Dependencies

28 Apr 16:10

As with Sonatype CLM for Maven, the Gradle plugin now includes both compile and runtime dependencies.

There are differences between "api" and "implementation" configurations: https://docs.gradle.org/current/userguide/java_library_plugin.html#sec:java_library_separation

Let's say we have "Project A" with two dependencies:

Project A
 -> Dependency 1 (api)
 -> Dependency 2 (implementation)

Before this version, this is how "Project B" looked:

Project B
 -> Project A
    -> Dependency 1

Starting from this version, this is how "Project B" looks:

Project B
 -> Project A
    -> Dependency 1
    -> Dependency 2

Even though runtime dependencies are not exposed as transitive compile dependencies to consumer projects (B in the example), they end up in the final package or deployment, so any vulnerability they carry would also be in the application; we therefore consider it important to include this kind of dependency by default.
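The build below is an added example (not from the release notes) that reproduces the "Project A" / "Project B" case so the difference can be checked locally with Gradle's own dependencies task. The dependency coordinates are made-up placeholders; the three files are shown in one block, separated by comments.

```groovy
// settings.gradle (added example; two subprojects standing in for A and B)
include 'project-a', 'project-b'

// project-a/build.gradle  -- "Project A"
plugins { id 'java-library' }
dependencies {
  // Exposed to consumers' compile classpath: B sees it as a transitive dependency.
  api 'org.example:dependency-1:1.0'            // placeholder coordinates
  // Hidden from consumers at compile time, but still on their runtime classpath
  // and therefore shipped inside the final application.
  implementation 'org.example:dependency-2:1.0' // placeholder coordinates
}

// project-b/build.gradle  -- "Project B"
plugins { id 'java' }
dependencies {
  implementation project(':project-a')
}
```

Running `./gradlew :project-b:dependencies --configuration compileClasspath` lists only dependency-1 under project-a, which is the picture the plugin gave before this version; `./gradlew :project-b:dependencies --configuration runtimeClasspath` lists dependency-1 and dependency-2, which is the set that actually gets deployed and that the plugin evaluates from this version on.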

Fix InnerSource for SNAPSHOT dependencies

23 Apr 19:15

InnerSource dependencies with SNAPSHOT versions will now be properly identified by Nexus IQ Server. No extra config is needed for this.

Java 16 Support

16 Apr 17:35

Dependencies have been updated so this plugin works with projects using libraries compiled with Java 16.

Store Nexus IQ Server evaluation results in a JSON file

08 Apr 17:45

Brings a feature from the Maven plugin that saves the Nexus IQ Server evaluation results in a JSON file so they can be consumed by automated tools and integrations.

The new field resultFilePath specifies the file path to write to.

Fix proxy support for OSS Index

20 Mar 16:26

Proxy support when connecting to OSS Index works again, using the same configuration as before:

ossIndexAudit {
  proxyConfiguration {
    protocol = '<http|https>'
    host = '<some-host>'
    port = <some-port>
  }
}

InnerSource Insight for Nexus Lifecycle

19 Feb 16:57

Nexus Lifecycle customers now can benefit from InnerSource Insight evaluation reports without any extra setup required!

For more details on InnerSource Insight please read: https://help.sonatype.com/iqserver/reporting/application-composition-report/innersource-insight

Setup for quick demo

  • A Gradle project gradle-producer with lots of dependencies was scanned using IQ (it acts as the InnerSource producer).
  • A Gradle project gradle-consumer depends on gradle-producer directly and contains another direct dependency com.squareup.retrofit2 : retrofit : 2.9.0 (which brings two transitive dependencies).

Scanning gradle-consumer before this version

[Screenshot: Screen Shot 2021-02-18 at 10 01 28 PM]

gradle-producer is shown as an unknown component, and all transitive dependencies are blended together.

Scanning gradle-consumer from this version

[Screenshot: Screen Shot 2021-02-18 at 10 02 47 PM]

gradle-producer is shown as a known InnerSource component, and the transitive dependencies it brings are grouped below it to distinguish them from the ones belonging to gradle-consumer.