⚠️ This experiment is no longer being improved neither maintened. Thanks for your interestd!
Supply chain attacks are a reality and the JVM ecosystem is not safe.
There are several tools out there that help developers from JVM-based languages to protect against supply chain attacks - like Dependabot, Snyk, DependencyCheck - and others.
However, when talking particularly about Gradle projects things start to become a little more tricky, because (but not only) :
-
We are insterested not only in the dependencies that our project declares, but also in the transitive ones (actually, transitive dependencies are the main attack vector here);
-
Is quite common that Gradle projects - specially multi-module ones - manage dependencies either with Project extension API or with buildSrc. In these two cases, tools like Dependabot - which parses your Gradle files in order to figure out dependencies - get confused or eventually don't find the dependencies;
-
Gradle plugins for such type of tools eventually are available, but this means another plugin in your Gradle build;
-
OWASP DependencyCheck is quite trick to be used in Android projects.
gradle-bodyguard
was born to tackle these issues. Written in Python and running as a CLI tool, it is an experimental tool which requires no additional plugins in your project and exercises your Gradle build - regardless your project layout - and learns about the dependencies that Gradle already knows, even the transitive ones.
gradle-bodyguard
then matches these artifacts against OSS Index and outputs the results for you. In this way, you can learn (and automate around) when some dependency introduces a new disclosed CVE in your build, particularly at CI level.
Because OSSIndex is free to use, this tool was possible to be made. 😎
Install with pip. Requires Python 3.8.+ or newer.
→ pip install gradle-bodyguard
The most basic usage takes only a path to the target Gradle project you want to examine:
→ gradle-bodyguard -p <path-to-gradle-project>
You should see results in your terminal screen 🔥
You also can have a json
version of the security report. This file is only generated when the tool find potential vulnerabilities :
→ gradle-bodyguard -p <path-to-gradle-project> -d <path-to-folder>
The gradle-bodyguard-report.json
file will be stored at folder
If you realise that some CVEs actually don't impact your project at all, you can just ignore them and exclude such CVEs from the results
→ gradle-bodyguard -p <path-to-gradle-project> -i <CVE-ID>,<CVE-ID>,<CVE-ID>
See usage for a full list of options
→ gradle-bodyguard --help
As mentioned previously, gradle-bodyguard
is backed by the amazing OSS Index, offered by Sonatype. If you were not aware of this product until now, you should have a look.
One limitation that gradle-bodyguard
has is the following : this tool does not require your OSS Index API TOKEN
for authenticated REST API calls; bodyguard avoids that by batching the dependencies computed in the Gradle project and querying 125 Maven coordinates per HTTP request - since this option is available at all.
This should work fine for most of small/medium projects out there(up to 500 dependencies including the transitive ones), and therefore the usage of the tool is a bit simpler as well.
If your project consumes way more dependencies than aforementioned and you started to see 429s
in logs, you must then provide your API_TOKEN
→ gradle-bodyguard --project my-project --token my-ossindex-api-token
Do you want to learn how gradle-bodyguard
can help you to fight back against supply-chain attacks?
Please, checkout this experiment and bring me your feedback!
I'd like to thank in special :
- Python Poetry because it allowed a newcomer in the Python ecosystem to build and ship his first package on Pypi with an amazing developer experience
- Sonatype for providing OSSIndex (and its companion REST API) for free to the open-source community
Coded by Ubiratan Soares (follow me on Twitter)
The MIT License (MIT)
Copyright (c) 2020 Dotanuki Labs
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.