dependency-check · mgroth0 · Sep 6, 2024 · Oct 18, 2024
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
@@ -64,6 +64,24 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
     @Internal
     String currentProjectName = project.getName()
+
+    @Internal
+    String currentProjectGroup = project.getGroup()
+
+    @Internal
+    String currentProjectVersion = project.getVersion().toString()
+
+
+
+    /**
+     * Gets the projects display name. Project.getDisplayName() has been
+     * introduced with Gradle 3.3, thus we need to check for the method's
+     * existence first. Fallback: use project NAME
+     * @return the display name
+     */
+    @Internal
+    String currentProjectDisplayName = project.metaClass.respondsTo(project, "getDisplayName") ? project.getDisplayName() : project.getName()
+
     @Internal
     Attribute artifactType = Attribute.of('artifactType', String)
     // @Internal
@@ -111,11 +129,11 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
             logger.lifecycle("Generating report for project ${currentProjectName}")
             try {
-                String name = project.getName()
-                String displayName = determineDisplayName()
-                String groupId = project.getGroup()
-                String version = project.getVersion().toString()
-                File output = project.file(config.outputDirectory)
+                String name = currentProjectName
+                String displayName = currentProjectDisplayName
+                String groupId = currentProjectGroup
+                String version = currentProjectVersion
+                File output = new File(config.outputDirectory)
                 for (String f : getReportFormats(config.format, config.formats)) {
                     engine.writeReports(displayName, groupId, name, version, output, f, exCol)
                 }
@@ -145,15 +163,6 @@ abstract class AbstractAnalyze extends ConfiguredTask {
         }
     }
 
-    /**
-     * Gets the projects display name. Project.getDisplayName() has been
-     * introduced with Gradle 3.3, thus we need to check for the method's
-     * existence first. Fallback: use project NAME
-     * @return the display name
-     */
-    String determineDisplayName() {
-        return project.metaClass.respondsTo(project, "getDisplayName") ? project.getDisplayName() : project.getName()
-    }
     /**
      * Verifies aspects of the configuration to ensure dependency-check can run correctly.
      */
@@ -218,6 +227,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
     /**
      * Loads the projects dependencies into the dependency-check analysis engine.
+     * Runs at execution time
      */
     abstract scanDependencies(Engine engine)
 
@@ -232,7 +242,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
         logger.warn("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
         if (config.showSummary) {
-            DependencyCheckScanAgent.showSummary(project.name, engine.getDependencies());
+            DependencyCheckScanAgent.showSummary(currentProjectName, engine.getDependencies());
         }
     }
 
@@ -301,17 +311,17 @@ abstract class AbstractAnalyze extends ConfiguredTask {
      * project's path.
      */
     @groovy.transform.CompileStatic
-    def shouldBeScanned(Project project) {
-        !config.scanProjects || config.scanProjects.contains(project.path)
+    def shouldBeScanned(String projectPath) {
+        !config.scanProjects || config.scanProjects.contains(projectPath)
     }
 
     /**
      * Checks whether the given project should be skipped
      * because skipProjects contains the project's path.
      */
     @groovy.transform.CompileStatic
-    def shouldBeSkipped(Project project) {
-        config.skipProjects.contains(project.path)
+    def shouldBeSkipped(String projectPath) {
+        config.skipProjects.contains(projectPath)
     }
 
     /**
@@ -403,6 +413,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
 
     /**
      * Process the incoming artifacts for the given project's configurations.
+     * Runs at execution time.
      * @param project the project to analyze
      * @param engine the dependency-check engine
      */
@@ -415,7 +426,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
             if (CUTOVER_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
                 processConfigLegacy configuration, engine
             } else {
-                processConfigV4 project, configuration, engine, true
+                processConfigV4 currentProjectName, configuration, engine, true
             }
         }
     }
@@ -434,7 +445,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
             if (CUTOVER_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
                 processConfigLegacy configuration, engine
             } else {
-                processConfigV4 project, configuration, engine
+                processConfigV4 currentProjectName, configuration, engine
             }
         }
         if (config.scanSet == null) {
@@ -443,18 +454,18 @@ abstract class AbstractAnalyze extends ConfiguredTask {
                                    './npm-shrinkwrap.json', './yarn.lock',
                                    './pnpm.lock', 'pnpm-lock.yaml', './Gopkg.lock', './go.mod']
             toScan.each {
-                File f = project.file it
+                File f = new File(it)
                 if (f.exists()) {
-                    engine.scan(f, project.name)
+                    engine.scan(f, currentProjectName)
                 }
             }
         } else {
             config.scanSet.each {
-                File f = project.file it
+                File f = it
                 if (f.exists()) {
-                    engine.scan(f, project.name)
+                    engine.scan(f, currentProjectName)
                 } else {
-                    logger.warn("ScanSet file `${f}` does not exist in ${project.name}")
+                    logger.warn("ScanSet file `${f}` does not exist in ${currentProjectName}")
                 }
             }
         }
@@ -550,8 +561,7 @@ abstract class AbstractAnalyze extends ConfiguredTask {
      * @param engine the dependency-check engine
      * @param scanningBuildEnv true if scanning the build environment; otherwise false
      */
-    protected void processConfigV4(Project project, Configuration configuration, Engine engine, boolean scanningBuildEnv = false) {
-        String projectName = project.name
+    protected void processConfigV4(String projectName, Configuration configuration, Engine engine, boolean scanningBuildEnv = false) {
         String scope = "$projectName:$configuration.name"
         if (scanningBuildEnv) {
             scope += " (buildEnv)"

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Aggregate.groovy
@@ -39,6 +39,7 @@ class Aggregate extends AbstractAnalyze {
 
     /**
      * Loads the projects dependencies into the dependency-check analysis engine.
+     * Runs at execution time
      */
     def scanDependencies(Engine engine) {
         logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
@@ -51,7 +52,7 @@ class Aggregate extends AbstractAnalyze {
 
     private def scanProject(Set<Project> projects, Engine engine) {
         projects.each { Project project ->
-            if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
+            if (shouldBeScanned(project.path) && !shouldBeSkipped(project.path)) {
                 if (this.config.scanDependencies) {
                     processConfigurations(project, engine)
                 }

diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/Analyze.groovy
@@ -18,6 +18,7 @@
 
 package org.owasp.dependencycheck.gradle.tasks
 
+import org.gradle.api.tasks.Internal
 import org.owasp.dependencycheck.Engine
 
 /**
@@ -26,6 +27,9 @@ import org.owasp.dependencycheck.Engine
 @groovy.transform.CompileStatic
 class Analyze extends AbstractAnalyze {
 
+    @Internal
+    String currentProjectPath = project.path
+
     Analyze() {
         group = 'OWASP dependency-check'
         description = 'Identifies and reports known vulnerabilities (CVEs) in project dependencies.'
@@ -37,9 +41,10 @@ class Analyze extends AbstractAnalyze {
 
     /**
      * Loads the projects dependencies into the dependency-check analysis engine.
+     * Runs at execution time
      */
     def scanDependencies(Engine engine) {
-        if (shouldBeScanned(project) && !shouldBeSkipped(project)) {
+        if (shouldBeScanned(currentProjectPath) && !shouldBeSkipped(currentProjectPath)) {
             logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
             if (this.config.scanDependencies) {
                 processConfigurations(project, engine)