Find vulnerabilities in Java or Kotlin with Gradle
You can scan Java or Kotlin code in Gradle repositories using the SCA agent command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis, see Java packaging.
The requirements for running a scan and reviewing results for Kotlin repositories are the same as the requirements for Java repositories.
For packaging instructions for Veracode Static Analysis, see Packaging Kotlin applications.
Scan your code
You can scan any code repository to which you have access, provided it meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-java-gradle
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Gradle code. Some scan directives are specific to Gradle projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Gradle repository.
- Use Gradle version 8 or earlier.
- Have the Gradle executable installed in your path or include the gradlew wrapper file in the project repository.
- Include the build.gradle file in the directory where you perform the scan.
- In ~/.gradle/gradle.properties, ensure you properly set up any Nexus servers or authentications to successfully compile code.
- Be able to run the gradle dependencies command from the root of the project where you perform the scan.
- If access to maven.apache.org is restricted, set the SRCCLR_GRADLE_DEP_TREE_COLLECTOR environment variable to true.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. To test that the agent can build the project before scanning, run:
./gradlew projects classes
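The checklist above is easy to encode as a pre-scan check that a CI job can run before it invokes the agent. The script below is an added example, not Veracode's code or part of the example repository: the function names are this example's own, it checks only the local requirements (build.gradle in the scan directory, a launcher, the gradle.properties file), and it leaves the `gradlew projects classes` build test to you because that needs a real Gradle toolchain.

```shell
#!/bin/sh
# Added example (not Veracode's code): inspect a Gradle project directory and
# report what the SCA agent will be missing before you point srcclr at it.

# Returns 0 when the directory looks scannable, 1 otherwise; prints one line
# per failed check. Name and behaviour are this example's own.
srcclr_gradle_preflight() {
    dir="${1:-.}"
    rc=0

    # The scan must run from the directory that holds build.gradle.
    if [ ! -f "$dir/build.gradle" ]; then
        echo "missing: $dir/build.gradle (run the scan from the project root)"
        rc=1
    fi

    # Either the wrapper in the repository or a gradle binary on PATH.
    if [ -x "$dir/gradlew" ]; then
        :
    elif command -v gradle >/dev/null 2>&1; then
        :
    else
        echo "missing: no executable $dir/gradlew and no 'gradle' on PATH"
        rc=1
    fi

    # Credentials for private repositories (Nexus etc.) live here. Absence is
    # only a note, because a project that uses public repositories does not
    # need the file; a private one will fail to resolve without it.
    if [ ! -f "${HOME:-/nonexistent}/.gradle/gradle.properties" ]; then
        echo "note: ~/.gradle/gradle.properties not found; private repositories will not authenticate"
    fi

    return "$rc"
}

# Prints the launcher the agent can use: the wrapper if present, else gradle.
gradle_launcher() {
    dir="${1:-.}"
    if [ -x "$dir/gradlew" ]; then
        echo "$dir/gradlew"
    else
        echo gradle
    fi
}

# Typical use (constructed): check, run the build test the page recommends,
# then scan. -p/--project-dir is a standard Gradle option.
#   srcclr_gradle_preflight ./example-java-gradle || exit 1
#   "$(gradle_launcher ./example-java-gradle)" -p ./example-java-gradle projects classes
#   srcclr scan ./example-java-gradle --loud
```

If maven.apache.org is blocked in your environment, export SRCCLR_GRADLE_DEP_TREE_COLLECTOR=true in the same job before the scan command, as the checklist says; the check above does not test network reachability.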
To complete this task:
At the command line, run the scan command pointed to the directory of the Gradle repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Scan the dependency tree
The Veracode SCA agent can scan the output of the Gradle dependencies task. For dependency tree scanning, the agent requires you to specify the --stdin=gradle input option.
You must compile the project before scanning to enable vulnerable method analysis.
Dependency tree scanning disables scanning for all other package managers.
You can scan the dependency tree for Gradle using either of these methods:
- Redirect the output of the Gradle dependencies task directly to the Veracode SCA agent. For example, in Linux bash:
./gradlew dependencies | srcclr scan --stdin=gradle
- Redirect the output of the Gradle dependencies task into a file and point the Veracode SCA agent to the file using the dependency_tree_file scan directive (the SRCCLR_DEPENDENCY_TREE_FILE environment variable sets the same directive). For example, in Linux bash:
./gradlew dependencies > tree.txt
SRCCLR_DEPENDENCY_TREE_FILE=tree.txt srcclr scan --stdin=gradle
For multi-project Gradle builds, you might need to prefix the dependencies task with a subproject name and a colon in the gradle or gradlew command. For example: my-subproject:dependencies.
If you want to specify the scope of dependencies included in the scan, you can use the --configuration option with the dependencies task for gradle or gradlew. The scope scan directive for the agent does not support dependency tree scanning for Gradle.
Fix example direct vulnerability
When your build.gradle configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1 in the example-java-gradle repository.
To complete this task:
- Edit the build.gradle file in the root of the project, and edit the dependencies scope to match this example:
compile 'org.apache.kafka:kafka_2.11:0.10.2.1'
The example repository uses the compile configuration. Gradle 7 and later no longer define compile; on those versions declare the same coordinates with the implementation configuration instead.
Fix example transitive vulnerability
To fix a vulnerable transitive library for Gradle, override the transitive dependency by adding the appropriately versioned dependency as a direct library.
These steps provide a fix for a Timing Attack Via Comparison Function vulnerability in OrientDB Core, version 2.1.9 in the example-java-gradle repository.
To complete this task:
- Edit the build.gradle file in the root of the project, and add this text in the dependencies scope:
compile ('com.orientechnologies:orientdb-core:2.1.11') {
    force = true
}
Setting force = true on an individual dependency declaration is deprecated in current Gradle releases; if your Gradle version rejects it, force the version through the configuration's resolutionStrategy instead. After either change, rerun the dependencies task and confirm that the transitive entry now reads 2.1.9 -> 2.1.11, which shows the override took effect before you rescan.
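Both the dependency tree scanning method above and the two fixes come down to the same text: what `gradlew dependencies` prints is what the agent reads with --stdin=gradle, and a fix has only worked when that text shows the patched version as the resolved one. The script below is an added example, not Veracode's code or part of the example repository. It reduces a dependency tree to the set of resolved coordinates (honouring Gradle's "requested -> resolved" notation, which is exactly how an overridden transitive dependency shows up), looks up the resolved version of one artifact, and fails when a coordinate from a deny list is still present. The embedded tree is constructed for the example: the artifact names come from this page, but the tree shape and the relationships between them are invented, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Veracode's code): parse `gradlew dependencies` output.

# Constructed sample, the shape of the tree after both fixes above have been
# applied. Relationships between the artifacts are invented for the example.
sample_tree() {
cat <<'EOF'
> Task :dependencies

------------------------------------------------------------
Root project 'example-java-gradle'
------------------------------------------------------------

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.kafka:kafka_2.11:0.10.2.1
|    +--- org.apache.kafka:kafka-clients:0.10.2.1
|    |    \--- org.slf4j:slf4j-api:1.7.21
|    \--- org.scala-lang:scala-library:2.11.8
+--- com.orientechnologies:orientdb-core:2.1.11
|    \--- com.orientechnologies:orientdb-tools:2.1.9
|         \--- com.orientechnologies:orientdb-core:2.1.9 -> 2.1.11 (*)
\--- org.mindrot:jbcrypt:0.3m

(*) - dependencies omitted (listed previously)

BUILD SUCCESSFUL in 1s
EOF
}

# Reads a dependency tree on stdin and prints one resolved
# group:artifact:version per line, sorted and de-duplicated.
resolved_coordinates() {
    # 1. keep only tree lines: everything after the "+--- " / "\--- " prefix
    # 2. drop trailing markers "(*)" repeated subtree, "(c)" constraint,
    #    "(n)" not resolved, and "FAILED"
    # 3. "g:a:v1 -> v2" becomes g:a:v2 (resolved version wins);
    #    "g:a -> v" (version-less request) becomes g:a:v
    sed -n 's/^.*--- //p' \
    | sed -e 's/ ([*cn])$//' -e 's/ FAILED$//' \
    | awk -F' -> ' '
        NF == 2 { n = split($1, p, ":"); ga = (n >= 3) ? p[1] ":" p[2] : $1; print ga ":" $2; next }
        { print $1 }' \
    | sort -u
}

# Prints the resolved version of one group:artifact from a tree on stdin
# (nothing if absent). Use it after editing build.gradle to confirm the fix.
resolved_version() {
    resolved_coordinates | awk -F: -v ga="$1" '($1 ":" $2) == ga { print $3 }'
}

# Reads coordinates on stdin; prints and returns 1 for any that match a
# deny-listed group:artifact:version given as arguments, so a CI step can
# fail if a fixed version has regressed. Returns 0 when none match.
flag_known_bad() {
    found=0
    while IFS= read -r coord; do
        for bad in "$@"; do
            if [ "$coord" = "$bad" ]; then
                echo "still present: $coord"
                found=1
            fi
        done
    done
    return "$found"
}

# Typical use (constructed). runtimeClasspath is assumed to exist in your
# build; pick the configuration whose scope you want, as the page describes.
#   ./gradlew dependencies --configuration runtimeClasspath > tree.txt
#   resolved_version com.orientechnologies:orientdb-core < tree.txt
#   resolved_coordinates < tree.txt | flag_known_bad \
#       org.apache.kafka:kafka_2.11:0.9.0.1 com.orientechnologies:orientdb-core:2.1.9
#   SRCCLR_DEPENDENCY_TREE_FILE=tree.txt srcclr scan --stdin=gradle
```

The parser does not distinguish configurations: a tree generated without --configuration lists every configuration of the project, and a multi-project build prefixed as the page describes (my-subproject:dependencies) lists only that subproject, so generate the tree with the same scope you intend the agent to scan.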
Fix example vulnerable method
Veracode SCA supports vulnerable method analysis for the Gradle, Maven, and Ant package managers.
These example steps provide a fix for an Information Disclosure vulnerable method in the jBCrypt library in the example-java-gradle repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the srcclr/example-java-gradle project.
- Select Information Disclosure Of Password Hashes Through Crypt_raw in the Vulnerabilities table. The Vulnerable Methods section shows that the crypt_raw method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.