Skip to main content

A tool that scans dependencies in your Gradle project and warns you about potential security issues

Project description

Gradle Bodyguard

What is this?

Complete blog post to come. Stay tunned!

Supply chain attacks are a reality and the JVM ecosystem is not safe.

There are several tools out there that help developers from JVM-based languages to protect against supply chain attacks - like Dependabot, Snyk, DependencyCheck - and others.

However, when talking particularly about Gradle projects things start to become a little more tricky, because (but not only) :

  • We are insterested not only in the dependencies that our project declares, but also in the transitive ones (actually, transitive dependencies are the main attack vector here);

  • Is quite common that Gradle projects - specially multi-module ones - manage dependencies either with Project extension API or with buildSrc. In these two cases, tools like Dependabot - which parses your Gradle files in order to figure out dependencies - get confused or eventually don't find the dependencies;

  • Gradle plugins for such type of tools eventually are available, but this means another plugin in your Gradle build;

  • OWASP DependencyCheck is quite trick to be used in Android projects.

gradle-bodyguard was born to tackle these issues. Written in Python and running as a CLI tool, it requires no additional plugins in your project and exercises your Gradle build - regardless your project layout - and learns about the dependencies that Gradle already knows, even the transitive ones.

gradle-bodyguard then matches these artifacts against OSS Index and outputs the results for you. In this way, you can learn (and automate around) when some dependency introduces a new disclosed CVE in your build, particularly at CI level.

Because OSSIndex is free to use, this tool was possible to be made. 😎

Setup

Install with pip. Requires Python 3.8.+ or newer.

→ pip install gradle-bodyguard

Using

The most basic usage takes only a path to the target Gradle project you want to examine:

→ gradle-bodyguard -p <path-to-gradle-project>

You should see results in your terminal screen 🔥

You also can have a json version of the security report. This file is only generated when the tool find potential vulnerabilities :

→ gradle-bodyguard -p <path-to-gradle-project> -d <path-to-folder>

The gradle-bodyguard-report.json file will be stored at folder

If you realise that some CVEs actually don't impact your project at all, you can just ignore them and exclude such CVEs from the results

→ gradle-bodyguard -p <path-to-gradle-project> -i <CVE-ID>,<CVE-ID>,<CVE-ID>

See usage for a full list of options

→ gradle-bodyguard --help

Using as a Github Action

Coming soon 🔥

Limitations

As mentioned previously, gradle-bodyguard is backed by the amazing OSS Index, offered by Sonatype. If you were not aware of this product until now, you should have a look.

One limitation that gradle-bodyguard has is the following : this tool does not require your OSS Index API TOKEN for authenticated REST API calls; bodyguard avoids that by batching the dependencies computed in the Gradle project and querying 125 Maven coordinates per HTTP request - since this option is available at all.

This should work fine for most of small/medium projects out there(up to 500 dependencies including the transitive ones), and therefore the usage of the tool is a bit simpler as well.

If your project consumes way more dependencies than aforementioned and you started to see 429s in logs, you must then provide your API_TOKEN

→ gradle-bodyguard --project my-project --token my-ossindex-api-token

Practical Experiment using Android open-source apps

Do you want to learn how gradle-bodyguard can help you to fight back against supply-chain attacks?

Please, checkout this experiment and bring me your feedback!

Credits

I'd like to thank in special :

  • Python Poetry because it allowed a newcomer in the Python ecosystem to build and ship his first package on Pypi with an amazing developer experience
  • Sonatype for providing OSSIndex (and its companion REST API) for free to the open-source community

Author

Coded by Ubiratan Soares (follow me on Twitter)

License

The MIT License (MIT)

Copyright (c) 2020 Dotanuki Labs

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gradle-bodyguard-0.0.4.tar.gz (11.5 kB view details)

Uploaded Source

Built Distribution

gradle_bodyguard-0.0.4-py3-none-any.whl (13.5 kB view details)

Uploaded Python 3

File details

Details for the file gradle-bodyguard-0.0.4.tar.gz.

File metadata

  • Download URL: gradle-bodyguard-0.0.4.tar.gz
  • Upload date:
  • Size: 11.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.8 CPython/3.8.3 Linux/5.3.0-1022-azure

File hashes

Hashes for gradle-bodyguard-0.0.4.tar.gz
Algorithm Hash digest
SHA256 712472991f34cebc7fc508c29db657f83d029fb77b40ab446494539e4671c89e
MD5 2ea547b7d9bf4865df85f586922b1a93
BLAKE2b-256 e6247710a5c444e271b0d10221772af1e3f641d5cf8834ddd5708ecf0d8e08ba

See more details on using hashes here.

File details

Details for the file gradle_bodyguard-0.0.4-py3-none-any.whl.

File metadata

  • Download URL: gradle_bodyguard-0.0.4-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.8 CPython/3.8.3 Linux/5.3.0-1022-azure

File hashes

Hashes for gradle_bodyguard-0.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 57dbefe0c2b4f051667b5b57285bc329f1889edc8c523d628d08c2ccb76e94a0
MD5 87e2a838d4fa8dd4ff297b9a4c8431e5
BLAKE2b-256 3a9117644a9314a3ab7f1d5adb0928e7a6bfac375225957e9908d63e8b9b2f25

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page