From 4e3ee4b1b59a95bb4c211d4d1aced20699ccb9c4 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:18:53 +0800 Subject: [PATCH 1/3] docs: document OSS Index URL override consistently Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- ant/src/site/markdown/configuration.md | 3 ++- cli/src/site/markdown/arguments.md | 2 +- maven/src/site/markdown/configuration.md | 2 +- .../dependency-check-gradle/configuration-aggregate.md | 1 + src/site/markdown/dependency-check-gradle/configuration.md | 1 + 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md index 2eeb1a5b566..152ecaa95f7 100644 --- a/ant/src/site/markdown/configuration.md +++ b/ant/src/site/markdown/configuration.md 
@@ -84,8 +84,9 @@ be needed. | dartAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. | true | | knownExploitedEnabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true | | knownExploitedUrl | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | -| ossIndexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. | true | +| ossindexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. | true | | ossindexAnalyzerUseCache | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. | true | +| ossindexAnalyzerUrl | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | ossindexAnalyzerUsername | Sets the username for OSS Index - note an account with OSS Index is not required. |   | | ossindexAnalyzerPassword | Sets the password for OSS Index. |   | | ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely. |   | diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md index e0bbff29b92..bff0bf1ff72 100644 --- a/cli/src/site/markdown/arguments.md +++ b/cli/src/site/markdown/arguments.md 
@@ -84,10 +84,10 @@ Advanced Options | | \-\-disableDart | | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be disabled. |   | | | \-\-disableOssIndex | | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be disabled. This analyzer requires an internet connection. |   | | | \-\-disableOssIndexCache | | When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours. |   | +| | \-\-ossIndexUrl | \ | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | | \-\-ossIndexUsername | \ | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none. |   | | | \-\-ossIndexPassword | \ | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none. |   | | | \-\-ossIndexRemoteErrorWarnOnly | \ | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely. |   | -| | \-\-ossIndexUrl | \ | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | | \-\-disableCentral | | Sets whether the Central Analyzer will be used to enrich Java dependencies. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled, you can use the Artifactory Analyzer or Nexus Analyzer as a replacement. |   | | | \-\-disableCentralCache | | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days. |   | | | \-\-centralUrl | | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used. 
| https://search.maven.org/solrsearch/select | diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md index c1cb891ca58..1a1439cc5a5 100644 --- a/maven/src/site/markdown/configuration.md +++ b/maven/src/site/markdown/configuration.md 
@@ -63,10 +63,10 @@ be needed. | knownExploitedUrl | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | | ossindexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. | true | | ossindexAnalyzerUseCache | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. | true | +| ossindexAnalyzerUrl | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | ossIndexServerId | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. |   | | ossIndexUsername | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |   | | ossIndexPassword | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |   | -| ossindexAnalyzerUrl | The OSS Index server URL | https://ossindex.sonatype.org | | ossIndexWarnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false | | nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. 
| true | | nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. |   | diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md index c820b124a58..9199a69d07a 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md +++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md @@ -184,6 +184,7 @@ analyzers is likely not needed. | retirejs | filterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false | | retirejs | filters | Configures the list of regular expressions used to filter JS files based on content. |   | | ossIndex | enabled | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true | +| ossIndex | url | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | ossIndex | username | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none. |   | | ossIndex | password | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none. |   | | ossIndex | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false | diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md index f9cbbb96483..aeeb9e08aa1 100644 --- a/src/site/markdown/dependency-check-gradle/configuration.md +++ b/src/site/markdown/dependency-check-gradle/configuration.md 
@@ -182,6 +182,7 @@ analyzers is likely not needed. | retirejs | filterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false | | retirejs | filters | Configures the list of regular expressions used to filter JS files based on content. |   | | ossIndex | enabled | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true | +| ossIndex | url | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | ossIndex | username | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none. |   | | ossIndex | password | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none. |   | | ossIndex | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false | From 5e349b0c3edfeb1eeaa748c300d51ae505471bda Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:23:21 +0800 Subject: [PATCH 2/3] docs: tidy Gradle documentation across tasks for consistency/diffability These docs are all duplicated - it makes it easier to keep them in sync if they have minimal different options. - remove incorrect `retiredEnabled` option - change formatting to be consistent Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- .../configuration-aggregate.md | 79 ++++++++++--------- .../configuration-purge.md | 6 +- .../configuration-update.md | 39 +++++---- .../dependency-check-gradle/configuration.md | 8 +- 4 files changed, 69 insertions(+), 63 deletions(-) 
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md index 9199a69d07a..53f064e0db1 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md +++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md @@ -32,7 +32,7 @@ check.dependsOn dependencyCheckAggregate | format | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). | HTML | | formats | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). |   | | junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 | -| failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss) | 11 | +| failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss) | 11 | | failOnError | Fails the build if an error occurs during the dependency-check analysis. | true | | outputDirectory | The location to write the report(s). This directory will be located in the build directory. | ${buildDir}/reports | | skipTestGroups | When set to true (the default) all dependency groups that being with 'test' will be skipped. | true | 
@@ -112,43 +112,44 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy disable themselves if no file types that they support are detected - so specifically disabling the analyzers is likely not needed. -| Config Group | Property | Description | Default Value | -|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| -| analyzers | experimentalEnabled | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used | false | -| analyzers | archiveEnabled | Sets whether the Archive Analyzer will be used. | true | -| analyzers | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   | -| analyzers | jarEnabled | Sets whether Jar Analyzer will be used. | true | -| analyzers | dartEnabled | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. `experimentalEnabled` must be set to true. | true | +| Config Group | Property | Description | Default Value | +|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| +| analyzers | experimentalEnabled | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. 
If not set to true the analyzers marked as experimental (see below) will not be used | false | +| analyzers | archiveEnabled | Sets whether the Archive Analyzer will be used. | true | +| analyzers | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   | +| analyzers | jarEnabled | Sets whether Jar Analyzer will be used. | true | +| analyzers | dartEnabled | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. `experimentalEnabled` must be set to true. | true | | analyzers | centralEnabled | Sets whether Central Analyzer will be used. If you have non-Gradle-managed jar dependencies inside archives or non-Java ecosystem dependencies, you may want to enable this analyzer (or the alternative Nexus/Artifactory analyzers) to reduce chance of false negatives. | false | -| analyzers | nexusEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing metadata retrieval from Sonatype Nexus installations. | false | -| analyzers | nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. |   | -| analyzers | nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true | -| analyzers | pyDistributionEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true. | true | -| analyzers | pyPackageEnabled | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true. | true | -| analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true. 
| true | -| analyzers | opensslEnabled | Sets whether the openssl Analyzer should be used. | true | -| analyzers | nuspecEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true | -| analyzers | nugetconfEnabled | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true. | true | -| analyzers | assemblyEnabled | Sets whether the .NET Assembly Analyzer should be used. | true | -| analyzers | msbuildEnabled | Sets whether the MS Build Analyzer should be used. | true | -| analyzers | pathToDotnet | The path to dotnet core - needed on some systems to analyze .net assemblies. |   | -| analyzers | cmakeEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | autoconfEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | composerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | composerSkipDev | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev". | false | -| analyzers | cpanEnabled | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | cocoapodsEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | carthageEnabled | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true. 
| true | -| analyzers | swiftEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | bundleAuditEnabled | Sets whether the Ruby Bundle Audit Analyzer should be used. | true | -| analyzers | pathToBundleAudit | The path to bundle audit. |   | -| analyzers | retiredEnabled | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as Retired will not be used | false | -| analyzers | golangDepEnabled | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true. | true | -| analyzers | golangModEnabled | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true | -| analyzers | pathToGo | The path to `go`. |   | - -#### Additional Configuration +| analyzers | nexusEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing metadata retrieval from Sonatype Nexus installations. | false | +| analyzers | nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. |   | +| analyzers | nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true | +| analyzers | pyDistributionEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true. 
| true | +| analyzers | pyPackageEnabled | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true. | true | +| analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true. | true | +| analyzers | opensslEnabled | Sets whether the openssl Analyzer should be used. | true | +| analyzers | nuspecEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true | +| analyzers | nugetconfEnabled | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true. | true | +| analyzers | assemblyEnabled | Sets whether the .NET Assembly Analyzer should be used. | true | +| analyzers | msbuildEnabled | Sets whether the MS Build Analyzer should be used. | true | +| analyzers | pathToDotnet | The path to dotnet core - needed on some systems to analyze .net assemblies. |   | +| analyzers | cmakeEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | autoconfEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | composerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | composerSkipDev | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev". | false | +| analyzers | cpanEnabled | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true. 
| true | +| analyzers | cocoapodsEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | carthageEnabled | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | swiftEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | bundleAuditEnabled | Sets whether the Ruby Bundle Audit Analyzer should be used. | true | +| analyzers | pathToBundleAudit | The path to bundle audit. |   | +| analyzers | golangDepEnabled | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true. | true | +| analyzers | golangModEnabled | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true | +| analyzers | pathToGo | The path to `go`. |   | + +#### Analyzers Additional Configuration + +Within the `analyzers` group, the following sub-groups are configurable. | Config Group | Property | Description | Default Value | |--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------| 
@@ -182,7 +183,7 @@ analyzers is likely not needed. | retirejs | password | Credentials used for basic authentication for the Retire JS repository URL. |   | | retirejs | bearerToken | Credentials used for bearer authentication for the Retire JS repository URL. |   | | retirejs | filterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false | -| retirejs | filters | Configures the list of regular expressions used to filter JS files based on content. |   | +| retirejs | filters | Configures the list of regular expressions used to filter JS files based on content. |   | | ossIndex | enabled | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true | | ossIndex | url | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org | | ossIndex | username | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none. |   | @@ -194,8 +195,10 @@ analyzers is likely not needed. ```groovy dependencyCheck { analyzers.assemblyEnabled = false + analyzers.artifactory.enabled = true analyzers.artifactory.url = 'https://internal.artifactory.url' + analyzers.retirejs.filters = ['(i)copyright Jeremy Long'] analyzers.ossIndex.username = 'example@gmail.com' diff --git a/src/site/markdown/dependency-check-gradle/configuration-purge.md b/src/site/markdown/dependency-check-gradle/configuration-purge.md index 36ca804342b..85f5c652b81 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-purge.md +++ b/src/site/markdown/dependency-check-gradle/configuration-purge.md 
@@ -32,9 +32,10 @@ $ gradle dependencyCheckPurge | failOnError | Fails the build if an error occurs during the dependency-check analysis. | true | #### Example + ```groovy dependencyCheck { - failOnError=true + failOnError = true } ``` @@ -47,8 +48,9 @@ The following properties can be configured in the dependencyCheckPurge task. How | data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   | #### Example + ```groovy dependencyCheck { - data.directory='d:/nvd' + data.directory = 'd:/nvd' } ``` diff --git a/src/site/markdown/dependency-check-gradle/configuration-update.md b/src/site/markdown/dependency-check-gradle/configuration-update.md index 9747efd57ed..5d8ff0126b3 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-update.md +++ b/src/site/markdown/dependency-check-gradle/configuration-update.md @@ -32,27 +32,13 @@ check.dependsOn dependencyCheckUpdate #### Example ```groovy dependencyCheck { - failOnError=true + failOnError = true } ``` ### Proxy Configuration -| Config Group | Property | Description | Default Value | -|--------------|---------------|------------------------------------------------------------------------------------------------|---------------| -| proxy | server | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. |   | -| proxy | port | The proxy port. |   | -| proxy | username | Defines the proxy user name. |   | -| proxy | password | Defines the proxy password. |   | -| proxy | nonProxyHosts | The list of hosts that do not use a proxy. |   | - -#### Example -```groovy -dependencyCheck { - proxy.server=some.proxy.server - proxy.port=8989 -} -``` +Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy ### Advanced Configuration 
@@ -85,18 +71,21 @@ The following properties can be configured in the dependencyCheck task. However, | hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 | #### Example + ```groovy dependencyCheck { - data.directory='d:/nvd' + data.directory = 'd:/nvd' } ``` -### Analyzer Configuration +### Analyzer Additional Configuration Cached web datasources for several analyzers are configured inside the `analyzers` section with some properties -taking relevance also in the update task. In addition to the above, the updateTask can be customized for retrieval +as the update task. In addition to the above, the update task can be customized for retrieval of these resources by the following analyzer-specific properties underneath the `analyzers` section. +The subset of `analyzers` properties relevant to the update task are: + | Config Group | Property | Description | Default Value | |--------------|---------------|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------| | kev | enabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true | 
@@ -105,9 +94,17 @@ of these resources by the following analyzer-specific properties underneath the | kev | password | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed. |   | | kev | bearerToken | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed. |   | | kev | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 | -| retirejs | enabled | Sets whether the RetireJS Analyzer should be used / the repository be updated. | true | +| retirejs | enabled | Sets whether the RetireJS Analyzer should be used. | true | +| retirejs | forceupdate | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting. | false | | retirejs | retireJsUrl | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json | | retirejs | user | Credentials used for basic authentication for the Retire JS repository URL. |   | | retirejs | password | Credentials used for basic authentication for the Retire JS repository URL. |   | | retirejs | bearerToken | Credentials used for bearer authentication for the Retire JS repository URL. |   | -| retirejs | forceupdate | Sets whether the Retire JS repository should update regardless of the `autoupdate` setting. | false | + +#### Example + +```groovy +dependencyCheck { + analyzers.retirejs.enabled = false +} +``` diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md index aeeb9e08aa1..698c45a00d6 100644 --- a/src/site/markdown/dependency-check-gradle/configuration.md +++ b/src/site/markdown/dependency-check-gradle/configuration.md 
@@ -50,6 +50,7 @@ check.dependsOn dependencyCheckAnalyze | scanSet | A list of directories that will be scanned for additional dependencies. | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] | #### Example + ```groovy dependencyCheck { autoUpdate = false @@ -97,6 +98,7 @@ The following properties can be configured in the dependencyCheck task. However, | hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 | #### Example + ```groovy dependencyCheck { data.directory = 'd:/nvd' 
@@ -141,12 +143,13 @@ analyzers is likely not needed. | analyzers | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true. | true | | analyzers | bundleAuditEnabled | Sets whether the Ruby Bundle Audit Analyzer should be used. | true | | analyzers | pathToBundleAudit | The path to bundle audit. |   | -| analyzers | retiredEnabled | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as Retired will not be used | false | | analyzers | golangDepEnabled | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true. | true | | analyzers | golangModEnabled | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true | | analyzers | pathToGo | The path to `go`. |   | -#### Additional Configuration +#### Analyzers Additional Configuration + +Within the `analyzers` group, the following sub-groups are configurable. | Config Group | Property | Description | Default Value | |--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------| @@ -188,6 +191,7 @@ analyzers is likely not needed. | ossIndex | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false | #### Example + ```groovy dependencyCheck { analyzers.assemblyEnabled = false From 64eb4531eff13c2720c889ff57b6a859d5e1ee47 Mon Sep 17 00:00:00 2001 
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 5 Mar 2026 16:03:52 +0800 Subject: [PATCH 3/3] build: correct ignore paths - we generally want to run builds for markdown changes now; as we run `mvn site`. - we also generally want to run for .txt changes as some are test files and other are licenses/notices included in built jars Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- .../{pull_requests.yml => build-pull-requests.yml} | 7 ++++--- .github/workflows/{release.yml => build-release.yml} | 0 .github/workflows/build.yml | 5 +++-- 3 files changed, 7 insertions(+), 5 deletions(-) rename .github/workflows/{pull_requests.yml => build-pull-requests.yml} (97%) rename .github/workflows/{release.yml => build-release.yml} (100%) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/build-pull-requests.yml similarity index 97% rename from .github/workflows/pull_requests.yml rename to .github/workflows/build-pull-requests.yml index 9a3147df19c..de54e7a8ab7 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/build-pull-requests.yml @@ -1,10 +1,11 @@ -name: Pull Requests +name: Build Pull Request on: pull_request: paths-ignore: - - '**/*.md' - - '**/*.txt' + - '*.md' # Ignore only in root; we generally want to run build for `site/` changes + - '**/README.md' # Ignore all READMEs + - '.github/**/*.md' # Ignore github config permissions: {} diff --git a/.github/workflows/release.yml b/.github/workflows/build-release.yml similarity index 100% rename from .github/workflows/release.yml rename to .github/workflows/build-release.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2148aa22670..48536d841f8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
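Review bot: Renaming the workflow from `Pull Requests` to `Build Pull Request` at the top of this hunk also renames the status-check context GitHub reports for its jobs, so a branch-protection rule or ruleset that lists the old context as a required check would wait on a check that never arrives; the repository settings are not visible here, so please confirm they are updated in the same change (the `release.yml` → `build-release.yml` rename has the same effect on that workflow's contexts). The three new `paths-ignore` entries put a single space before the inline `#`, whereas yamllint's default `comments` rule wants at least two, e.g. `- '**/README.md'  # Ignore all READMEs`; the same applies to the identical three lines added in the `build.yml` hunk that follows. Because `'**/README.md'` now ignores READMEs at every depth, a README under `src/site/` that `mvn site` consumes would also skip the build — worth a quick check that none exists, or narrowing the pattern.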
@@ -5,8 +5,9 @@ on: branches: - main paths-ignore: - - '**/*.md' - - '**/*.txt' + - '*.md' # Ignore only in root; we generally want to run build for `site/` changes + - '**/README.md' # Ignore all READMEs + - '.github/**/*.md' # Ignore github config permissions: {}