Gradle – up-to-date and secure dependencies

Everyone knows it’s important to keep dependencies up to date. The risks of not updating them are very often high: you risk losing your data or your customers’ data, becoming part of a botnet, or simply getting hacked by script kiddies who replace your front page with something shameful.
Not everyone knows how easy it is to keep your dependencies up to date with Gradle. Both Gradle and Maven have plugins that check your list of dependencies for available updates.

This post quickly shows how to use one of them in Gradle and how to check whether your dependencies have reported vulnerabilities.

The first Gradle plugin you want to check out is gradle-versions-plugin. It is used only to find updates. Installation and usage are very simple: just add this block to your build.gradle file.

plugins {
    id 'com.github.ben-manes.versions' version '0.14.0'
}

Now, when you run:

./gradlew dependencyUpdates

You will get a list of available updates.

The second plugin you should use is dependency-check. It checks whether the versions of the dependencies you currently use have vulnerabilities reported in the NVD (National Vulnerability Database).
Installation is, again, really simple: just modify your build.gradle to include the following.

buildscript {
  repositories {
     mavenCentral()
  }
  dependencies {
     classpath 'org.owasp:dependency-check-gradle:1.4.5'
  }
}
 
apply plugin: 'org.owasp.dependencycheck'

and when ready, run:

./gradlew dependencyCheck

Unfortunately, this process is time consuming: the more dependencies you have, the longer the break you can take now.
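Putting both plugins into a single build.gradle, as an added example that is not part of the original post: the update check is told to ignore pre-release candidates, and the vulnerability check is told to fail the build above a CVSS threshold instead of only writing a report. The plugin versions are the ones used above; the option names (resolutionStrategy, failBuildOnCVSS, suppressionFile) are taken from each plugin's documentation and are assumed to be available in these versions; the Guava dependency and the suppression file path are placeholders.

```groovy
// Added example, not from the original post. Plugin versions as used in
// the post; option names assumed from the plugins' documented DSL.
buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:1.4.5'
  }
}

plugins {
  id 'java'
  id 'com.github.ben-manes.versions' version '0.14.0'
}

apply plugin: 'org.owasp.dependencycheck'

repositories {
  mavenCentral()
}

dependencies {
  // Placeholder dependency so both tasks have something to inspect.
  compile 'com.google.guava:guava:18.0'
}

// gradle-versions-plugin: reject candidate versions whose string carries a
// pre-release qualifier, so `dependencyUpdates` only proposes stable releases.
dependencyUpdates.resolutionStrategy = {
  componentSelection { rules ->
    rules.all { selection ->
      boolean preRelease = ['alpha', 'beta', 'rc', 'cr', 'm', 'snapshot'].any { q ->
        selection.candidate.version ==~ /(?i).*[.-]${q}[.\d-]*/
      }
      if (preRelease) {
        selection.reject('pre-release version')
      }
    }
  }
}

// dependency-check: fail `dependencyCheck` when any dependency has a CVE with
// CVSS >= 7, and keep accepted risks in a versioned suppression file so every
// exception goes through code review instead of living in CI flags.
dependencyCheck {
  failBuildOnCVSS = 7
  suppressionFile = 'config/dependency-check-suppressions.xml'
}
```

Run `./gradlew dependencyUpdates dependencyCheck` in CI: the first task reports stable updates only, and the second now breaks the build on a high-severity finding rather than leaving it buried in the HTML report.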

Be safe out there!