Set Up the Agent-Based Scanning Gradle Plugin

Veracode Software Composition Analysis

The Veracode Software Composition Analysis agent-based scanning Gradle plugin allows you to automate the scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.

If you do not have the latest version of the plugin, search for SourceClear in the Gradle plugin portal and follow the onscreen instructions.
  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. Click Agents > Actions > Create > Gradle.
  5. Click Create Agent & Generate Token.
  6. Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:
    • Run the following command to set your environment variable:
      export SRCCLR_API_TOKEN=<apiToken>
    • Edit your build.gradle file and apply the following changes:

      //For Gradle 2.2.0 or higher
      ...

      plugins {
        id "com.srcclr.gradle" version "<Insert latest version>"
      }

      apply plugin: "srcclr"

      srcclr {
        apiToken = "<apiTokenHere>" //Only required if environment variable is not set
      }

      //For Gradle before 2.2.0
      //Add the Gradle plugin repository
      buildscript {
        repositories {
          maven {
            url "https://plugins.gradle.org/m2/"
          }
        }
      }

      //Add the plugin to your buildscript dependencies
      buildscript {
        ...
        dependencies {
          classpath "gradle.plugin.com.srcclr:gradle:<insert version number>"
        }
      }

      apply plugin: "srcclr"

      srcclr {
        apiToken = "<apiTokenHere>" //Only required if environment variable is not set
      }

      Note: For multi-project Gradle builds, Veracode recommends you apply these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.
  7. Optionally, add more configuration options.
  8. Save the changes to the build.gradle file.
    You can run the agent-based scanning plugin during your build by adding the srcclr argument to the gradlew command.
  9. To perform dependency resolution and build class files (the minimum requirements for vulnerable methods analysis), run this command:
    ./gradlew srcclr
  10. For larger builds, you can run this command:
    ./gradlew clean build srcclr
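The token choice in step 6 and the scan commands in steps 9 and 10, as one added example that is not Veracode's code: a small POSIX shell wrapper that runs the scan only when the token comes from the SRCCLR_API_TOKEN environment variable and refuses to run if build.gradle carries a real token literal, so a token does not end up committed alongside the build file. The function names, the exit codes and the assumption that the project's gradlew wrapper is in the current directory are this example's own.

```shell
#!/bin/sh
# Added example (not Veracode's code): a CI wrapper around `./gradlew srcclr`
# that enforces the environment-variable way of supplying the API token and
# refuses to run when build.gradle embeds a real token literal.

# Returns 0 when SRCCLR_API_TOKEN is set and non-empty, 1 otherwise.
token_in_env() {
  [ -n "${SRCCLR_API_TOKEN:-}" ]
}

# Returns 0 when the given build file contains a hardcoded apiToken value,
# 1 otherwise. A placeholder such as "<apiTokenHere>" from the documentation
# (anything wrapped in angle brackets) does not count as a real token.
has_hardcoded_token() {
  build_file="$1"
  [ -f "$build_file" ] || return 1
  grep -E 'apiToken[[:space:]]*=[[:space:]]*"[^"]+"' "$build_file" \
    | grep -Ev '"<[^"]*>"' \
    | grep -q .
}

# Runs the scan only when the token comes from the environment and the build
# file does not embed one. $1 is the build file; any remaining arguments are
# passed to gradlew ahead of the srcclr task (e.g. "clean build").
# Exit codes 2 and 3 are this example's own convention.
run_srcclr_scan() {
  build_file="$1"; shift
  if has_hardcoded_token "$build_file"; then
    echo "refusing to scan: $build_file contains a hardcoded apiToken" >&2
    return 2
  fi
  if ! token_in_env; then
    echo "SRCCLR_API_TOKEN is not set; export it before running the scan" >&2
    return 3
  fi
  ./gradlew "$@" srcclr
}
```

Call `run_srcclr_scan build.gradle` for the minimal dependency-resolution scan of step 9, or `run_srcclr_scan build.gradle clean build` for the larger build of step 10. Keeping the token out of build.gradle also means the same build file works unchanged across developer machines and CI runners, each of which supplies its own SRCCLR_API_TOKEN.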