There is an excellent guide on how to setup dependency verification using Gradle in the link below:
https://docs.gradle.org/current/userguide/dependency_verification.html
In short, the initial setup is as simple as running the following bootstrap command:
./gradlew --write-verification-metadata pgp,sha256
However there are no steps provided for what to do after that, such as when you need to update a dependency.
Are you expected to run the bootstrap command again every time you update a dependency? This is insecure, as according to the Gradle documentation, if something fails it will add an ignore list value:
"If, for some reason, verification fails during the generation, Gradle will automatically generate an ignored key entry but warn you that you must absolutely check what happens."
Or are you supposed to manually update the gradle/verification-metadata.xml file, and if so, what are the steps to do that?
Looking forward to someone explaining the intended flow for updating dependencies when using Gradle dependency verification.
If you update a dependency, then the dependency verification will fail because of the updated dependency – as can be expected. You'll get a console log like the following (here for an added Gradle plugin or a changed plugin version):
A problem occurred configuring root project 'my-test'.
> Dependency verification failed for configuration ':classpath'
3 artifacts failed verification:
- de.undercouch.download.gradle.plugin-4.1.1.pom (de.undercouch.download:de.undercouch.download.gradle.plugin:4.1.1) from repository Gradle Central Plugin Repository
- gradle-download-task-4.1.1.jar (de.undercouch:gradle-download-task:4.1.1) from repository Gradle Central Plugin Repository
- gradle-download-task-4.1.1.pom (de.undercouch:gradle-download-task:4.1.1) from repository Gradle Central Plugin Repository
If the artifacts are trustworthy, you will need to update the gradle/verification-metadata.xml file by following the instructions at https://docs.gradle.org/7.1/userguide/dependency_verification.html#sec:troubleshooting-verification
Open this report for more details: file:///home/chriki/my-test/build/reports/dependency-verification/at-1625085802054/dependency-verification-report.html
If you then open the mentioned HTML report, you'll see a table like the following:
Module | Artifact | Problem(s) |
---|---|---|
de.undercouch.download:de.undercouch.download.gradle.plugin:4.1.1 | de.undercouch.download.gradle.plugin-4.1.1.pom | Checksums are missing from verification metadata |
… | … | … |
(The original table is nicer and has clickable columns which reveal more details.)
In addition, the HTML report contains the following “Troubleshooting” section:
Please review the errors reported above carefully. Click on the icons near to the error descriptions for information about how to fix a particular problem. It is recommended that you edit the verification file manually. However, if you are confident that those are false positives, Gradle can help you by generating the missing verification metadata. In this case, you can run with the following command-line:
gradle --write-verification-metadata sha256 help
In any case you must review the result of this operation.
So, yes, you can run the bootstrap command again after having updated a dependency. It will then update the verification-metadata.xml file by adding the new/updated dependencies as trusted. Just as in the actual bootstrap phase, you must review the results – as also clearly stated by the HTML report. You can do this, for example, by committing the verification-metadata.xml file to your VCS before you run the bootstrap command. After having run the command, you then compare the VCS version with the locally updated version to make sure that only the upgraded dependencies (and maybe their transitive dependencies) were added but no other components.
BTW, the “Bootstrapping dependency verification” section of the Gradle docs also states that the bootstrap command can be used for updates (highlighting by me):
Bootstrapping can either be used to create a file from the beginning, or also to update an existing file with new information.
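The review step the answer above describes (commit the file, re-run `--write-verification-metadata`, then diff the result) is easy to do sloppily by eye, and the thing the question worries about, a silently added `<ignored-key>` entry, is exactly what an eyeball diff misses. The following is an added example (not code from the question, the answer, or Gradle itself) that compares the committed and regenerated `gradle/verification-metadata.xml` and reports what changed. The two XML documents embedded in it are constructed samples: the checksums, the key id `ABCDEF0123456789` and the removal of the old `4.0.0` entry are placeholders, and the assumption that an upgraded component's unchanged neighbours keep identical checksums is what makes a changed checksum a red flag. The element names and namespace are those of the real verification-metadata format.

```python
"""Review a regenerated gradle/verification-metadata.xml against the committed copy.

Reports added/removed components, changed checksums on components that did not
move, and any <ignored-key> / <trust> entries the bootstrap added on its own.
Added example, not part of the original Q&A or of Gradle.
"""
import xml.etree.ElementTree as ET

NS = "https://schema.gradle.org/dependency-verification"  # Gradle's real schema namespace
HASH_TAGS = ("md5", "sha1", "sha256", "sha512")


def _q(tag):
    return f"{{{NS}}}{tag}"


def _components(root):
    """{(group, name, version): {artifact_file: {hash_alg: value}}}"""
    out = {}
    for comp in root.iter(_q("component")):
        key = (comp.get("group"), comp.get("name"), comp.get("version"))
        arts = {}
        for art in comp.findall(_q("artifact")):
            arts[art.get("name")] = {h: art.find(_q(h)).get("value")
                                     for h in HASH_TAGS if art.find(_q(h)) is not None}
        out[key] = arts
    return out


def _ignored_keys(root):
    # <ignored-key> may sit under <configuration> or inside a single <artifact>
    return {(k.get("id"), k.get("reason", "")) for k in root.iter(_q("ignored-key"))}


def _trusted_artifacts(root):
    # <trust .../> entries (possibly regex wildcards) bypass checksum verification entirely
    return {tuple(t.get(a, "") for a in ("group", "name", "version", "file", "regex"))
            for t in root.iter(_q("trust"))}


def review_update(old_xml, new_xml, expected_upgrades):
    """expected_upgrades: set of (group, name) you deliberately bumped.
    Any other added component (transitive, plugin marker) is listed for manual review."""
    old = ET.fromstring(old_xml.strip().encode())
    new = ET.fromstring(new_xml.strip().encode())
    oc, nc = _components(old), _components(new)
    added = sorted(k for k in nc if k not in oc)
    removed = sorted(k for k in oc if k not in nc)
    # Same coordinates, different checksum: the artifact itself was replaced upstream
    changed = sorted(k for k in nc if k in oc and nc[k] != oc[k])
    new_ignored = sorted(_ignored_keys(new) - _ignored_keys(old))
    new_trust = sorted(_trusted_artifacts(new) - _trusted_artifacts(old))
    return {
        "added": added,
        "removed": removed,
        "changed_checksums": changed,
        "new_ignored_keys": new_ignored,
        "new_trusted_artifacts": new_trust,
        "needs_review": [k for k in added if (k[0], k[1]) not in expected_upgrades],
        # Any of these three means: do not commit until a human has looked
        "red_flags": bool(changed or new_ignored or new_trust),
    }


# Constructed sample: the committed file before bumping gradle-download-task.
OLD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration><verify-metadata>true</verify-metadata><verify-signatures>true</verify-signatures></configuration>
  <components>
    <component group="de.undercouch" name="gradle-download-task" version="4.0.0">
      <artifact name="gradle-download-task-4.0.0.jar"><sha256 value="aa01" origin="Generated by Gradle"/></artifact>
      <artifact name="gradle-download-task-4.0.0.pom"><sha256 value="aa02" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="org.apache.commons" name="commons-lang3" version="3.12.0">
      <artifact name="commons-lang3-3.12.0.jar"><sha256 value="bb01" origin="Generated by Gradle"/></artifact>
    </component>
  </components>
</verification-metadata>"""

# Constructed sample: after re-running --write-verification-metadata. Besides the intended
# upgrade, a plugin marker and a transitive dependency appeared, and the bootstrap
# recorded an ignored key (placeholder id) for the transitive's artifact.
NEW_XML = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration><verify-metadata>true</verify-metadata><verify-signatures>true</verify-signatures></configuration>
  <components>
    <component group="de.undercouch" name="gradle-download-task" version="4.1.1">
      <artifact name="gradle-download-task-4.1.1.jar"><sha256 value="cc01" origin="Generated by Gradle"/></artifact>
      <artifact name="gradle-download-task-4.1.1.pom"><sha256 value="cc02" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="de.undercouch.download" name="de.undercouch.download.gradle.plugin" version="4.1.1">
      <artifact name="de.undercouch.download.gradle.plugin-4.1.1.pom"><sha256 value="cc03" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="org.apache.commons" name="commons-lang3" version="3.12.0">
      <artifact name="commons-lang3-3.12.0.jar"><sha256 value="bb01" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="org.apache.httpcomponents" name="httpclient" version="4.5.13">
      <artifact name="httpclient-4.5.13.jar">
        <ignored-keys><ignored-key id="ABCDEF0123456789" reason="Key couldn't be downloaded from any key server"/></ignored-keys>
        <sha256 value="dd01" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""

if __name__ == "__main__":
    report = review_update(OLD_XML, NEW_XML, {("de.undercouch", "gradle-download-task")})
    for field, value in report.items():
        print(f"{field}: {value}")
```

In a real workflow you would read `OLD_XML` from `git show HEAD:gradle/verification-metadata.xml` and `NEW_XML` from the working tree, and fail the commit when `red_flags` is set or `needs_review` is non-empty until someone has confirmed each listed component. Removed components are worth a glance too, but they cannot weaken verification, so they are reported rather than flagged.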