Keep your dependencies up-to-date with gradle
This is an important task: major releases of frameworks appear roughly every 6 months, and new vulnerabilities are published on a daily basis.
I'll show you two Gradle plugins that help keep your software project from being left behind. The first one is gradle-versions-plugin. This plugin discovers dependency updates. Just add this to your build.gradle:
plugins {
    id "com.github.ben-manes.versions" version "0.21.0"
}
With the dependencyUpdates task you get a plain-text report that lists which project dependencies are up-to-date and which have upgrades available:
./gradlew dependencyUpdates -Drevision=release
You can find the report in {projectDir}/build/dependencyUpdates/report.txt:

------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest release version:
 - com.github.ben-manes.caffeine:caffeine:2.7.0
 ...

The following dependencies have later release versions:
 - com.google.guava:guava [25.1-jre -> 28.0-jre]
     https://github.com/google/guava
 ...
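Out of the box the plugin also reports pre-release candidates (alphas, betas, release candidates) as "later versions", which is noise when you only want to track stable releases. The build.gradle fragment below is an added example (not code from the post or from the plugin project) showing how the dependencyUpdates task can be configured to reject such candidates; the qualifier list and the report location are my own choices, and the `revision = 'release'` setting replaces the `-Drevision=release` command-line switch used above.

```groovy
plugins {
    id "com.github.ben-manes.versions" version "0.21.0"
}

dependencyUpdates {
    // Same effect as passing -Drevision=release on the command line
    revision = 'release'
    // Also tell us when the Gradle wrapper itself is behind
    checkForGradleUpdate = true
    // Where the plain-text report ends up: build/dependencyUpdates/report.txt
    outputDir = "build/dependencyUpdates"
    reportfileName = "report"

    resolutionStrategy {
        componentSelection { rules ->
            rules.all { ComponentSelection selection ->
                // Qualifiers that mark a version as a pre-release (assumed list; extend to taste).
                // "2.7.0" and "28.0-jre" pass, "3.0.0-rc1" or "3.0.0.M2" are rejected.
                boolean rejected = ['alpha', 'beta', 'rc', 'cr', 'm', 'preview', 'b', 'ea'].any { qualifier ->
                    selection.candidate.version ==~ /(?i).*[.-]$qualifier[.\d+-]*/
                }
                if (rejected) {
                    selection.reject('Release candidate')
                }
            }
        }
    }
}
```

With this in place `./gradlew dependencyUpdates` only lists stable upgrades, so the "later release versions" section of the report is something you can act on directly rather than filter by hand.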
The second plugin is dependency-check-gradle, which checks your dependencies against known, published vulnerabilities:
plugins {
    id "org.owasp.dependencycheck" version "5.0.0"
}
The dependencyCheckAnalyze task generates a report at build/reports/dependency-check-report.html:
./gradlew dependencyCheckAnalyze --info
In the report every dependency is listed with its severity, CVE count, identification confidence and evidence count.
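A report that nobody reads does not protect anything, so the useful step is to let the scan fail the build above a severity threshold and to run it as part of the normal verification tasks. The build.gradle fragment below is an added example (not from the post or from the OWASP project); the CVSS threshold, the suppression file path and the choice of scanned configurations are assumptions for a plain Java project.

```groovy
plugins {
    id "java"                                          // provides the `check` lifecycle task
    id "org.owasp.dependencycheck" version "5.0.0"
}

dependencyCheck {
    // Fail the build when any finding has a CVSS base score of 7.0 (High) or above.
    failBuildOnCVSS = 7
    // HTML for humans plus XML/JSON/CSV for tooling, all in one place.
    format = 'ALL'
    outputDirectory = "$buildDir/reports/dependency-check"
    // Reviewed false positives live in a versioned suppression file (assumed path);
    // each suppression should carry a note on why the finding does not apply.
    suppressionFile = "$projectDir/config/dependency-check-suppressions.xml"
    // Only what actually ships matters; skip test-only and build-tool configurations.
    scanConfigurations = ['runtimeClasspath']
    analyzers {
        // JVM project: no .NET assemblies, so avoid the Mono requirement of that analyzer.
        assemblyEnabled = false
    }
}

// Hook the scan into `check` so `./gradlew build` cannot pass with a High-severity CVE.
check.dependsOn dependencyCheckAnalyze
```

Keep in mind that the first run downloads the NVD data, so CI needs network access (or a cached data directory) for the task to succeed; the `dependencyCheckUpdate` task refreshes that data without running a scan.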
Solid dependency management is a primary requirement. Dependency updates should be a regular step in your software development cycle.