Security alerts for built-in Gradle plugins

Gradle’s stock versions of the checkstyle and pmd plugins appear to have CVEs.


plugins {
    id 'checkstyle'
    id 'net.ossindex.audit' version '0.4.11'
    id 'pmd'
}

$ gradle audit

> Task :audit FAILED
2 unignored (of 2 total) vulnerabilities found introduces which has 1 vulnerabilities
=> [CVE-2020-8908] A temp directory creation vulnerability exists in all versions of Guava, allowin... (see
net.sourceforge.pmd:pmd-java:6.39.0 introduces commons-io:commons-io:2.6 which has 1 vulnerabilities
=> [CVE-2021-29425] In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normaliz... (see

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':audit'.
> Too many vulnerabilities (2) found.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.


1 actionable task: 1 executed

When will these components get patched?

I’m using gradle 7.4.2 from Homebrew.
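Added example, not the poster's build file or Gradle's own code: a build.gradle that pins the commons-io version the audit flagged on the PMD tool classpath with a dependency constraint and fails the build if the pin is not honoured. Assumptions: Groovy DSL, the `pmd` configuration is the one Gradle's pmd plugin resolves the tool from, and the fix version 2.7 is taken from the CVE-2021-29425 text in the audit output above.

```groovy
// build.gradle (Groovy DSL). Example added here, not from the original post.
// Pins the transitive library the audit flagged on the PMD tool classpath so
// the build need not wait for Gradle to ship a newer default pmd-java.
// Assumed: the 'pmd' configuration is where Gradle's pmd plugin resolves the
// tool; fix version 2.7 comes from the CVE-2021-29425 text in the audit output.
plugins {
    id 'java'
    id 'checkstyle'
    id 'pmd'
    id 'net.ossindex.audit' version '0.4.11'
}

repositories {
    mavenCentral()
}

dependencies {
    constraints {
        // CVE-2021-29425: "Apache Commons IO before 2.7", so require at least 2.7.
        pmd('commons-io:commons-io:2.7') {
            because 'CVE-2021-29425 in commons-io 2.6, pulled in by pmd-java 6.39.0'
        }
        // The Guava finding (CVE-2020-8908) on the checkstyle classpath takes the
        // same shape: checkstyle('com.google.guava:guava:<version from the advisory>')
    }
}

// Compare dotted versions numerically so '2.10' is not treated as older than '2.7'.
int compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    for (int i = 0; i < Math.max(pa.size(), pb.size()); i++) {
        int c = (i < pa.size() ? pa[i] : 0) <=> (i < pb.size() ? pb[i] : 0)
        if (c != 0) return c
    }
    return 0
}

// Fail the build if the constraint is not honoured, so a later tool upgrade
// that silently downgrades commons-io cannot reintroduce the CVE unnoticed.
tasks.register('verifyPmdClasspath') {
    doLast {
        def io = configurations.pmd.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .find { it.group == 'commons-io' && it.name == 'commons-io' }
        if (io == null || compareVersions(io.version, '2.7') < 0) {
            throw new GradleException("pmd classpath resolves commons-io ${io?.version}, need >= 2.7")
        }
    }
}
tasks.named('check') { dependsOn 'verifyPmdClasspath' }
```

Run `gradle dependencies --configuration pmd` to see the constrained resolution, then `gradle audit` again to confirm the finding is gone.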