Discover updates or vulnerabilities

Keep your dependencies up-to-date with gradle

This is an important task: major releases of frameworks appear roughly every six months, and new vulnerabilities are published on a daily basis.

I’ll show you two Gradle plugins that help keep your software project from being left behind. The first one is gradle-versions-plugin, which discovers dependency updates. Just add this to your build.gradle:

plugins {
  id "com.github.ben-manes.versions" version "0.21.0"
}

The dependencyUpdates task produces a simple text report listing which project dependencies are up to date and which have newer versions available.

./gradlew dependencyUpdates -Drevision=release

You can find the report in {projectDir}/build/dependencyUpdates/report.txt:

------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest release version:
 - com.github.ben-manes.caffeine:caffeine:2.7.0
...
The following dependencies have later release versions:
 - com.google.guava:guava [25.1-jre -> 28.0-jre]
     https://github.com/google/guava
...

The second plugin is dependency-check-gradle, which monitors the libraries you depend on for known, published vulnerabilities.

plugins {
  id "org.owasp.dependencycheck" version "5.0.0"
}

The task dependencyCheckAnalyze generates a report in build/reports/dependency-check-report.html:

./gradlew dependencyCheckAnalyze --info

In the report every dependency is listed with its severity, CVE count, confidence and evidence count.
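As an added example (not from the original post or either plugin's own documentation), here is a build.gradle that wires both plugins together with the settings a defender usually wants: the update report ignores pre-release candidates, and the vulnerability scan fails the build on high-severity findings and runs as part of the standard check task. The suppression file path is a hypothetical placeholder.

```groovy
// build.gradle (Groovy DSL), added example. Assumes a Java project so that
// the `check` task exists.
plugins {
  id "java"
  id "com.github.ben-manes.versions" version "0.21.0"
  id "org.owasp.dependencycheck" version "5.0.0"
}

// Treat versions carrying a pre-release qualifier (alpha, beta, rc, ...) as
// non-stable so the update report only proposes stable releases.
def isNonStable = { String version ->
  def qualifiers = ['alpha', 'beta', 'rc', 'cr', 'm', 'preview', 'b', 'ea']
  qualifiers.any { q -> version ==~ /(?i).*[.-]${q}[.\d+-]*/ }
}

dependencyUpdates {
  revision = 'release'              // same effect as -Drevision=release
  outputFormatter = 'plain'         // the plain-text report shown above
  outputDir = 'build/dependencyUpdates'
  reportfileName = 'report'
  resolutionStrategy {
    componentSelection { rules ->
      rules.all { selection ->
        if (isNonStable(selection.candidate.version)) {
          selection.reject('pre-release version')
        }
      }
    }
  }
}

dependencyCheck {
  // Fail the build when any dependency has a CVE with CVSS >= 7 (High).
  failBuildOnCVSS = 7
  format = 'ALL'                    // HTML for people, XML/JSON/CSV for tooling
  // Only scan what ships at runtime; test-only libraries are noise here.
  scanConfigurations = ['runtimeClasspath']
  // Hypothetical path: reviewed false positives, kept under version control
  // so every suppression is visible in code review.
  suppressionFile = 'config/dependency-check-suppressions.xml'
}

// Run the vulnerability scan whenever `gradle check` runs, so CI cannot skip it.
check.dependsOn dependencyCheckAnalyze
```

With this in place, ./gradlew check fails on a High or Critical finding, and ./gradlew dependencyUpdates lists only stable upgrades.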

Solid dependency management is a primary requirement. Dependency updates should be a regular step in your software development cycle.

Links
gradle-versions-plugin
dependency-check-gradle