Supply chain security is a big deal, and it’s dangerously easy to ignore. For Android or JVM developers, the sheer scale of the ecosystem is our greatest strength, and our greatest risk.
So, last time I checked, Dependabot was still incapable of handling lockfiles with version catalogs in place, because it treats version catalogs like they are a lock file.
It was also incapable of handling an upgrade of the Gradle wrapper correctly, and so is Mend Renovate, because it takes running the wrapper three times to do it correctly…
And there were ongoing problems with getting it to work if you were using GitHub’s Maven repository support, because of issues requiring Gradle to then be credentialed and not being able to inject those credentials. You can’t just tell it that it can upgrade and do a merge without running your tests, because that would not be a good idea.
Are we just going to ignore that, by default, Gradle doesn’t even try to verify that what it received from the server is what it thinks it should have? Meaning no checksumming is dealt with at all. Certainly Gradle doesn’t verify signatures, and in fact doesn’t require them for the plugin portal, which means most plugins are probably not signed at all.
Lastly, are we just going to ignore that Gradle init scripts can be injected into your environment without you knowing about them, and there’s no way to tell what they’re doing? This is the real reason that Gradle is going to be the next big supply chain vulnerability. All it takes is getting an init script into somebody’s environment and the whole thing can fall over. Now I’m executing arbitrary code that I didn’t even know was there, and even if I had known it was there, there is no way for me to have said “this is the code I know is there and I trust.” There’s no way to prove that code didn’t change out from under me. I mean, if memory serves correctly, part of the reason the dependency submission thing works is an init script hooking into your Gradle that you don’t know about, one that can modify your build behavior.
In its current state, Gradle is begging to be the Java community’s weak link.
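The comment above says there is no way to pin down which init scripts are in your environment or to tell that one has changed. The shell script below is an added example (mine, not the commenter's and not part of Gradle) that does exactly that for the locations Gradle documents as init script sources: `$GRADLE_USER_HOME/init.gradle` or `init.gradle.kts`, `$GRADLE_USER_HOME/init.d/*.gradle(.kts)`, and `$GRADLE_HOME/init.d/*.gradle(.kts)`. It hashes every script it finds, writes an allowlist in `sha256sum` format, and on later runs reports any script that is unknown or whose hash changed. Scripts passed on the command line with `-I`/`--init-script` never touch these directories, so they are out of scope here. The `demo` function and its `hello.gradle` contents are constructed for illustration.

```shell
#!/bin/sh
# gradle_init_audit.sh: added example, not part of Gradle or of the post above.
# Discovers init scripts in the documented on-disk locations, hashes them, and
# compares against a trusted baseline ("<sha256>  <path>" lines).

# Print every candidate init script for a Gradle user home and, optionally,
# a Gradle distribution home (GRADLE_HOME), one path per line.
list_init_scripts() {
  user_home=$1
  dist_home=${2:-}
  for f in "$user_home/init.gradle" "$user_home/init.gradle.kts"; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  for d in "$user_home/init.d" "${dist_home:+$dist_home/init.d}"; do
    [ -n "$d" ] && [ -d "$d" ] || continue
    for f in "$d"/*.gradle "$d"/*.gradle.kts; do
      [ -f "$f" ] && printf '%s\n' "$f"
    done
  done
  return 0
}

# SHA-256 of one file; coreutils sha256sum on Linux, shasum on macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Emit the current init scripts as a baseline: "<sha256>  <path>" per line.
write_allowlist() {
  user_home=$1; dist_home=${2:-}
  scripts=$(list_init_scripts "$user_home" "$dist_home")
  [ -n "$scripts" ] && printf '%s\n' "$scripts" | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f"
  done
  return 0
}

# Compare discovered scripts against the allowlist. Prints OK/UNKNOWN/CHANGED
# per script and returns 1 if anything is unknown or changed.
# (Paths are matched as whitespace-delimited fields, so paths containing
# spaces are not supported, same as sha256sum's own text format.)
audit_init_scripts() {
  allowlist=$1; user_home=$2; dist_home=${3:-}
  rc=0
  scripts=$(list_init_scripts "$user_home" "$dist_home")
  [ -n "$scripts" ] || { echo "OK: no init scripts found"; return 0; }
  old_ifs=$IFS; IFS='
'
  for f in $scripts; do
    IFS=$old_ifs
    h=$(hash_file "$f")
    expected=$(awk -v p="$f" '$2 == p { print $1; exit }' "$allowlist")
    if [ -z "$expected" ]; then
      echo "UNKNOWN: $f ($h)"; rc=1
    elif [ "$expected" != "$h" ]; then
      echo "CHANGED: $f (expected $expected, got $h)"; rc=1
    else
      echo "OK: $f"
    fi
  done
  IFS=$old_ifs
  return $rc
}

# Constructed demo: a throwaway GRADLE_USER_HOME with one init.d script,
# baselined, then tampered with.
demo() {
  gh=$(mktemp -d)
  mkdir -p "$gh/init.d"
  # Constructed init script contents, not from any real project.
  printf 'allprojects { println("hello from init.d") }\n' > "$gh/init.d/hello.gradle"
  write_allowlist "$gh" > "$gh/init-allowlist.txt"
  audit_init_scripts "$gh/init-allowlist.txt" "$gh"
  printf 'println("something appended later")\n' >> "$gh/init.d/hello.gradle"
  audit_init_scripts "$gh/init-allowlist.txt" "$gh" || echo "audit failed, rc=$?"
  rm -rf "$gh"
}
demo
```

Run `write_allowlist "$HOME/.gradle" "$GRADLE_HOME" > init-allowlist.txt` once, commit that file somewhere the build cannot rewrite, and run `audit_init_scripts init-allowlist.txt "$HOME/.gradle" "$GRADLE_HOME"` in CI before invoking `gradlew`. For the artifact side, Gradle's opt-in dependency verification (`gradle/verification-metadata.xml`, bootstrapped with `./gradlew --write-verification-metadata sha256,pgp help`) is the analogous baseline, but it applies to resolved artifacts, not to the init scripts themselves.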
I tried to use dependency locking to produce a lockfile, and it was a pain in the ass. Gradle would only put the info in when it actually downloaded an artifact, which may happen after the configuration phase, during the build. Or it may not happen at all when a dependency is platform-specific. Rust’s Cargo, by contrast, immediately puts all dependencies in the graph in the lockfile, including those that won’t be downloaded on the current system.
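The complaint above is that a Gradle lockfile only gets entries for configurations that were actually resolved, so a configuration that was never resolved is silently unlocked. The script below is an added example (mine, not the commenter's and not Gradle tooling) that reads the Gradle 7+ per-project `gradle.lockfile` format and lists which configurations it carries any lock state for, so you can diff that against the configurations you expect to be locked. The sample lockfile in `write_sample_lockfile` is constructed; its module coordinates are placeholders, not from a real project.

```shell
#!/bin/sh
# lockfile_coverage.sh: added example, not part of Gradle or of the post above.
# Reads a Gradle 7+ per-project lockfile (gradle.lockfile) and reports which
# configurations it records lock state for.
#
# Format as Gradle writes it:
#   # comment lines
#   group:artifact:version=confA,confB   a locked module and the configurations it was locked for
#   empty=confC,confD                     configurations that resolved to nothing
# A configuration that appears in neither kind of line was never resolved and is not locked.

# Every configuration name the lockfile says anything about, one per line, sorted.
lockfile_configs() {
  grep -v '^#' "$1" | sed -n 's/^[^=]*=//p' | tr ',' '\n' | grep -v '^$' | sort -u
}

# Every locked module coordinate (group:artifact:version), one per line, sorted.
lockfile_modules() {
  grep -v '^#' "$1" | grep -v '^empty=' | sed -n 's/=.*$//p' | sort -u
}

# usage: missing_configs <lockfile> conf...
# Prints each expected configuration that has no entry in the lockfile at all.
missing_configs() {
  lf=$1; shift
  present=$(lockfile_configs "$lf")
  for c in "$@"; do
    printf '%s\n' "$present" | grep -qx -- "$c" || printf '%s\n' "$c"
  done
  return 0
}

# Constructed sample lockfile (not from a real project): two locked modules,
# one configuration that resolved to nothing, and no trace of testRuntimeClasspath.
write_sample_lockfile() {
  cat > "$1" <<'EOF'
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.example:lib-a:1.2.3=compileClasspath,runtimeClasspath
com.example:lib-b:4.5.6=compileClasspath,runtimeClasspath
empty=annotationProcessor
EOF
}

demo() {
  lf=$(mktemp)
  write_sample_lockfile "$lf"
  echo "locked modules:";                   lockfile_modules "$lf"
  echo "configurations with lock state:";   lockfile_configs "$lf"
  echo "expected configurations with no lock state:"
  missing_configs "$lf" compileClasspath runtimeClasspath annotationProcessor testRuntimeClasspath
  rm -f "$lf"
}
demo
```

In a CI check, feed `missing_configs` the configurations you ship from (for a JVM library typically `compileClasspath`, `runtimeClasspath`, and the test classpaths) and fail the build if it prints anything. To populate the lockfile in the first place, `dependencyLocking { lockAllConfigurations() }` in the build script plus `./gradlew dependencies --write-locks` resolves every configuration of that project, which sidesteps the "only when it downloaded something" behaviour the commenter hit; configurations for a platform that the current machine cannot resolve will still show up as missing here, which is exactly what the check is for.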