Everyone knows it’s important to keep dependencies up to date. The risks of not doing so are very often high: you risk losing your data or your customers’ data, becoming part of a botnet, or simply getting hacked by script kiddies who replace your front page with something shameful.
Not everyone knows how easy it is to keep your dependencies up to date with Gradle. Both Gradle and Maven have plugins that check for updates to your list of dependencies.
This post quickly shows how to use one of them in Gradle and how to check whether your dependencies have reported vulnerabilities.
Check dependencies for updates
The first Gradle plugin you want to check out is gradle-versions-plugin. It is used only to find updates. Installation and usage are very simple: just add this block to your build.gradle file:
plugins {
    id 'com.github.ben-manes.versions' version '0.14.0'
}
Now, when you run:
./gradlew dependencyUpdates
You will get a list of available updates:
Check dependencies for vulnerabilities
The second plugin you should use is dependency-check. It checks whether the current versions of the dependencies you use have vulnerabilities reported in the NVD (the National Vulnerability Database).
Installation is, again, really simple; just modify your build.gradle to include the following:
// The plugin id is 'org.owasp.dependencycheck'; the Maven coordinates
// 'org.owasp:dependency-check-gradle' are not a valid id in the plugins block.
// The plugins block applies the plugin, so no separate 'apply plugin:' line is needed.
plugins {
    id 'org.owasp.dependencycheck' version '1.4.5'
}
and when ready, run:
./gradlew dependencyCheck
Unfortunately, this process is time-consuming: the more dependencies you have, the longer the break you can take now. The first run is the slowest, because the plugin has to download the NVD data and cache it locally; later runs only fetch the updates to that cache.
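As an added example (not code from the original post or from either plugin), here is a build.gradle that wires both plugins together the way you would want them in CI: the update report ignores pre-release candidates, and the vulnerability scan becomes a build gate instead of just a report. The dependencyUpdates closure, the dependencyCheck option names (failBuildOnCVSS, suppressionFile, format) and the sample dependency are taken from the plugins' documentation as I know it and are assumptions to check against the versions you pin; the suppression file path is a placeholder.

```groovy
// build.gradle (added example; assumes the plugin versions used in the post)
plugins {
    id 'java'
    id 'com.github.ben-manes.versions' version '0.14.0'
    id 'org.owasp.dependencycheck' version '1.4.5'
}

repositories {
    mavenCentral()
}

dependencies {
    // Constructed sample dependency so both tasks have something to inspect.
    compile 'org.apache.commons:commons-lang3:3.4'
}

// gradle-versions-plugin: reject alpha/beta/rc/cr/milestone candidates so
// `dependencyUpdates` only proposes stable upgrades (closure form as in the
// plugin README; assumption: matches the version you run).
dependencyUpdates.resolutionStrategy = {
    componentSelection { rules ->
        rules.all { selection ->
            boolean rejected = ['alpha', 'beta', 'rc', 'cr', 'm'].any { qualifier ->
                selection.candidate.version ==~ /(?i).*[.-]${qualifier}[.\d-]*/
            }
            if (rejected) {
                selection.reject('Pre-release version')
            }
        }
    }
}

// dependency-check: turn the NVD report into a gate. Option names are the
// plugin's documented ones (assumption: supported by the version you run).
dependencyCheck {
    // Fail the build if any dependency has a CVE with CVSS score >= 7.0 (High).
    failBuildOnCVSS = 7
    // Reviewed false positives live in a versioned suppression file (placeholder path);
    // every entry there should carry a justification so it is auditable.
    suppressionFile = 'config/dependency-check-suppressions.xml'
    // HTML for humans plus XML/JSON that CI tooling can parse.
    format = 'ALL'
}

// Make `./gradlew check` (and therefore CI) run the vulnerability scan every time.
check.dependsOn dependencyCheck
```

With this in place a High-severity finding breaks the build rather than hiding in a report nobody reads, and the only way past it is an explicit, reviewed suppression entry.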
Be safe out there!