Some dependencies are located in different repositories, so before you try to add one make sure that it can be located in one of the repository you have listed. If it isn’t, read up on how to use other external repositories in Gradle’s documentation. Using dependencies. By themselves, dependencies are useless and just a bunch of weight.
You can work with Gradle dependencies in the diagram format. It might be helpful when you have a large project and want to see the whole picture of how dependencies (including the transitive ones) are connected inside the project.
- In the Gradle tool window, select a project, on the toolbar, click or select the Show Dependencies option from the context menu.
You can select the Show Dependecies Popup(Ctrl+Alt+U) option to open the graph in a separate window. To close the popup, press Escape.
- In the diagram window, IntelliJ IDEA displays all project dependencies including the transitive ones.
When you navigate to a dependency in a graph, IntelliJ IDEA displays its version, group and artifact IDs.
Use the diagram window toolbar to manage the diagram. You can change the size of a diagram, export it to a file, see only a part of the diagram you are interested in, and so on.
Change the visibility level
- The preceding example shows three key concepts to Gradle dependency management: configurations (compile), dependencies (org.springframework:spring-core:3.0.5), and repositories (mavenCentral). A “configuration” is a named grouping of dependencies. A Gradle build can have zero or more of them. A “repository” is a source of dependencies.
- Dependency Vulnerabilities Check Why project dependencies should be checked. JHipster uses many technologies, and the project is very careful at selecting them. But maybe the project missed one vulnerability in those many dependencies, or maybe you added or updated one dependency that triggered a new vulnerability.
You can change the visibility level and, for example, view dependencies that have a specific scope (compile, test, and so on).
Hold down Alt and move the cursor to zoom in on the parts of the diagram.
In Android and Kotlin projects IntelliJ IDEA supports only the default visibility level.
In the diagram window, select the project and click .
From the list, select the dependency scope you want to see. IntelliJ IDEA displays only the specified dependency scope.
Show path from selection to root
You can select dependencies and see how they are connected to the root.
In the diagram window, select a dependency for which you want to see the connection to a project. If you want to select several dependencies at once, hold down Shift and make the selection.
On the toolbar, click .
Show neighbors of the selected nodes
You can select dependencies and see what other dependencies are connected to the selected nodes. It might be helpful if you have a large diagram and want to focus on just a part of it.
In the diagram window, select a dependency you need. If you want to select several dependencies at once, hold down Shift and make the selection.
On the toolbar, click .
Search for a specific dependency in the graph
In the diagram window, press Ctrl+F to open the Diagram Elements popup.
Start typing a name of a dependency you want to find, select the one you need from the list of search results and press Enter. IntelliJ IDEA locates the needed dependency in the graph.
Why project dependencies should be checked
JHipster uses many technologies, and the project is very careful at selecting them. But maybe the project missed one vulnerability in those many dependencies, or maybe you added or updated one dependency that triggered a new vulnerability.
According to OWASP Top 10 Most Critical Web Application Security Risks, using Components (ie. dependencies) with known vulnerabilities is ranked 9th, and there are many known stories of security breaches provided by (malicious or not) third-party dependencies.
Why the dependency check is not provided by default by JHipster
Proposing a dependency check by default in JHipster build has been discussed a couple of times (#6329, #8191). To summarise, it is complicated to have a realistic report (removing false-positive) and context dependent (security is always a trade off between the actual risk/criticity and the effort to prevent it).
However we highly recommend using a dependency analysis tool such as Dependabot or Snyk if you are using JHipster in production.
What to do do if you detect a vulnerability in one of JHipster’s dependencies
If you found a vulnerability in one of JHipster’s dependencies, please check if there is not an existing issue already opened on that vulnerability.
If nothing is mentioned, please send us a security vulnerability report privately. Please read our security policy on how to send one. Include steps to reproduce the exploit, security report, blog post, etc.
Be sure that the JHipster team is committed to provide a high-quality, enterprise-ready and secure development stack and that this issue will be a top priority for us.
Checking on the Server side
To check if a Java dependency has a known Common Vulnerabilities and Exposures (aka. CVE), visit the NIST National Vulnerability Database which maintains an up-to-date list.
The OWASP project provides Maven and Gradle plugins to check the whole dependency chain automatically, generate a report and even block a build (not recommended, it can be very aggressive when doing continuous integration).
Here is the documentation explaining how to read the dependency check report.
Using Maven
See the OWASP Maven Dependency Check plugin documentation
Add the owasp dependency-check plugin:
Running ./mvnw verify will generate a dependency check report under the target directory.
Using Gradle
Gradle Check Unused Dependencies Linux
See the OWASP Gradle Dependency Check plugin documentation
Update the build.gradle file to apply the OWASP dependency-check-gradle plugin.
Running ./gradlew dependencyCheckAnalyze generates a dependency check report inside the build/report directory.
Updating continuous integration builds with a dependency check is done by running ./gradlew check -Pstrict-security
Checking on the client side
Gradle Check Unused Dependencies Download
Since version 6, NPM includes a security audit by default for each dependency installation. Check the About security audits page for more information.
Comments are closed.