The Veracode Software Composition Analysis agent-based scanning Gradle plugin allows you to automate the scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.
If you do not have the latest version of the plugin, search
for SourceClear in the Gradle plugin portal and follow the onscreen
instructions.
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Click the Agent-Based Scan tab.
- Select a workspace.
- Click Agents > Actions > Create > Gradle.
- Click Create Agent & Generate Token.
-
Choose to either set your API token as an environment variable in the
environment where you will build your Gradle repository, or add the token
directly to the configuration within your build.gradle
file:
- Run the following command to set your environment variable:
export SRCCLR_API_TOKEN=<apiToken>
- Edit your build.gradle file and apply the following
changes:
//For Gradle 2.2.0 or higher ... plugins { id "com.srcclr.gradle" version "<Insert latest version>" } apply plugin: "srcclr" srcclr { apiToken = "<apiTokenHere>" //Only required if environment variable is not set }
//For Gradle before 2.2.0 //Add gradle plugin location buildscript { repositories { maven { url "https://plugins.gradle.org/m2/" } } } //Add 'classpath("com.srcclr:gradle:<insert version number>")' to your dependencies buildscript { ... dependencies { classpath "gradle.plugin.com.srcclr:gradle:<insert version number>" } } apply plugin: "srcclr" srcclr { apiToken = "<apiTokenHere>" //Only required if environment variable is not set }
Note: For multi-project Gradle builds, Veracode recommends you apply these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.
- Run the following command to set your environment variable:
- Optionally, add additional configuration options.
-
Save the changes to the build.gradle file.
You can run the agent-based scanning plugin during your build by adding the srcclr argument to the gradlew command.
-
To perform dependency resolution and build class files (the minimum
requirements for vulnerable methods analysis), run this command:
./gradlew srcclr
-
For larger builds, you can run this command:
./gradlew clean build srcclr