# Java & Kotlin - Gradle and Maven

We support tracking Java/Kotlin dependencies for both Gradle and Maven. There are two ways of using Debricked:

  1. Because of the way Gradle and Maven resolve dependencies, we either require access to your source code as well as your dependency files, or
  2. You may use the source-codeless feature described below.

As long as you have one or more build.gradle/build.gradle.kts (Gradle) or pom.xml (Maven) files in your repository, we will automatically scan them for dependencies once you have set up any of our CI/CD integrations.

We also support Java projects using Bazel, see here for more information.

# Source-codeless scans

This is a new feature!

Debricked supports scanning Maven and Gradle projects without access to the source code. This is done by introducing an extra step in your CI/build pipeline. Next, we will show how to use this feature in GitHub and GitLab for both Maven and Gradle.

# Gradle - GitHub

For the GitHub integration you need to set up a GitHub Action. An example of a setup for Gradle is found here.

Add DEBRICKED_USERNAME and DEBRICKED_PASSWORD as repository secrets (not plain variables): GitHub redacts secret values from workflow logs, but never echo the password yourself. Next, add the action. When the pipeline has completed, you should see the following:

[Image here]

# Gradle - GitLab

For GitLab, instead of a workflow file, you add or modify the GitLab CI configuration file named .gitlab-ci.yml in the root folder of your repository. An example of such a file is given below; full details of the vulnerabilities step can be found here.

```yaml
stages:
- build
- test

build:
  stage: build
  image: gradle:6.5

  script:
  # Dump the resolved dependency tree; the scanner reads this file instead of the source.
  - sh ./gradlew dependencies > .debricked-gradle-dependencies.txt

  artifacts:
    paths:
    - .debricked-gradle-dependencies.txt
    expire_in: 1 day

vulnerabilities:
  stage: test
  image:
    name: debricked/debricked-scan
    entrypoint: ["/gitlab-ci.sh"]
  script: echo "Done"
  variables:
    # Filled from the project's CI/CD variables, see below.
    USERNAME: $DEBRICKED_USERNAME
    PASSWORD: $DEBRICKED_PASSWORD
```

Add the CI/CD variables DEBRICKED_USERNAME and DEBRICKED_PASSWORD in the project settings, and do not forget to tick "Mask variable" for the password so that it does not show up in the job logs (GitLab does not mask variables by default). Marking them as protected limits them to protected branches and tags. Since the scan job runs a third-party image with your credentials, consider pinning debricked/debricked-scan to a specific tag or digest rather than the floating default. See here for how to add the variables.

# Maven - GitHub

A GitHub example of a setup using Maven can be found here. Check the Gradle example above to see how to add GitHub Actions.

Add DEBRICKED_USERNAME and DEBRICKED_PASSWORD as repository secrets (not plain variables): GitHub redacts secret values from workflow logs, but never echo the password yourself.

# Maven - GitLab

For GitLab, instead of a workflow file, you add or modify the GitLab CI configuration file named .gitlab-ci.yml in the root folder of your repository. An example of such a file is given below; full details of the vulnerabilities step can be found here.

```yaml
stages:
- build
- test

build:
  stage: build
  image: maven:3.6.3-jdk-11

  script:
  # Write the resolved dependency graph in TGF form; the scanner reads this file instead of the source.
  - mvn dependency:tree -DoutputFile=.debricked-maven-dependencies.tgf -DoutputType=tgf

  artifacts:
    paths:
    # Must match the file written by the script step above.
    - .debricked-maven-dependencies.tgf
    expire_in: 1 day

vulnerabilities:
  stage: test
  image:
    name: debricked/debricked-scan
    entrypoint: ["/gitlab-ci.sh"]
  script: echo "Done"
  variables:
    # Filled from the project's CI/CD variables, see below.
    USERNAME: $DEBRICKED_USERNAME
    PASSWORD: $DEBRICKED_PASSWORD
```

Add the CI/CD variables DEBRICKED_USERNAME and DEBRICKED_PASSWORD in the project settings, and do not forget to tick "Mask variable" for the password so that it does not show up in the job logs (GitLab does not mask variables by default). Marking them as protected limits them to protected branches and tags. As with the Gradle setup, consider pinning debricked/debricked-scan to a specific tag or digest. See here for how to add the variables.
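Once the build job has produced `.debricked-maven-dependencies.tgf`, it is useful to be able to read that file yourself, for example to find out which direct dependency pulls a flagged transitive artifact into the build and with which scope. The following is an added example and not Debricked's own code: a small Python parser for the TGF layout written by `mvn dependency:tree -DoutputType=tgf` (node lines, a line holding only `#`, then edge lines; node labels follow Maven's `groupId:artifactId:type[:classifier]:version[:scope]` form). The embedded sample graph is constructed and its coordinates are illustrative only.

```python
"""Added example (not Debricked's code): read the TGF graph written by
`mvn dependency:tree -DoutputType=tgf` and find which direct dependency
pulls a given artifact into the build, and with what scope."""

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample input in the layout dependency:tree emits for TGF:
#   node lines  "<id> <groupId>:<artifactId>:<type>[:<classifier>]:<version>[:<scope>]"
#   a line containing only "#"
#   edge lines  "<parentId> <childId> <scope>"
# The root node (the project itself) carries no scope; ids are arbitrary integers.
SAMPLE_TGF = """\
1001 com.example:app:jar:1.0.0
1002 org.springframework.boot:spring-boot-starter-web:jar:2.5.0:compile
1003 org.springframework.boot:spring-boot-starter-json:jar:2.5.0:compile
1004 com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
1005 org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
1006 junit:junit:jar:4.13.2:test
#
1001 1002 compile
1002 1003 compile
1003 1004 compile
1001 1005 compile
1001 1006 test
"""


def parse_tgf(text):
    """Return ({node_id: label}, [(parent_id, child_id, scope), ...])."""
    nodes, edges, in_edges = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            in_edges = True
        elif not in_edges:
            node_id, label = line.split(" ", 1)
            nodes[node_id] = label
        else:
            parts = line.split()
            edges.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    if not in_edges:
        raise ValueError("not a TGF dependency file: '#' separator missing")
    return nodes, edges


def split_label(label):
    """Split a node label into ('groupId:artifactId', version, scope)."""
    parts = label.split(":")
    scope = parts.pop() if parts[-1] in MAVEN_SCOPES else ""
    return ":".join(parts[:2]), parts[-1], scope


def coordinate(label):
    group_artifact, version, _ = split_label(label)
    return f"{group_artifact}:{version}"


def find_root(nodes, edges):
    """The project node is the only node that never appears as a child."""
    children = {child for _, child, _ in edges}
    roots = [node_id for node_id in nodes if node_id not in children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root node, found {len(roots)}")
    return roots[0]


def paths_to(nodes, edges, target_ga):
    """Every root -> ... -> target path as (['group:artifact:version', ...], scope),
    where scope is that of the edge into the target (test-scoped hits matter less)."""
    children = {}
    for parent, child, scope in edges:
        children.setdefault(parent, []).append((child, scope))
    root = find_root(nodes, edges)
    found, stack = [], [(root, [root], "")]
    while stack:
        node_id, path, scope = stack.pop()
        if node_id != root and split_label(nodes[node_id])[0] == target_ga:
            found.append(([coordinate(nodes[n]) for n in path], scope))
            continue
        for child, child_scope in children.get(node_id, []):
            if child not in path:  # dependency:tree output is a tree, but never loop
                stack.append((child, path + [child], child_scope))
    return found


def culprit_direct_dependencies(text, target_ga):
    """Sorted, de-duplicated direct dependencies (depth 1) through which target_ga
    enters the build. Empty if target_ga is absent from the graph."""
    nodes, edges = parse_tgf(text)
    return sorted({path[1] for path, _ in paths_to(nodes, edges, target_ga)})


if __name__ == "__main__":
    nodes, edges = parse_tgf(SAMPLE_TGF)
    for path, scope in paths_to(nodes, edges, "com.fasterxml.jackson.core:jackson-databind"):
        print(f"[{scope}] " + " -> ".join(path))
```

Run against a real artifact with `parse_tgf(open(".debricked-maven-dependencies.tgf").read())`. The root is found as the only node without an incoming edge, and each reported path ends with the scope of the edge into the target, so a hit that only enters through a `test`-scoped dependency is visible as such.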