- Dependabot does not honor Gradle's resolutionStrategy. Here is the issue for Dependabot not working with Gradle's resolutionStrategy. A typical use of Gradle's resolutionStrategy is to upgrade vulnerable dependencies that are transitive to the application.
- Dependabot does not show which vulnerabilities a PR resolves before the PR is merged to the main branch.
- Dependabot uses public runners and cannot access private artifact repositories (a possible workaround is to use private runners).
- The Gradle plugin org.owasp.dependencycheck takes the proper versions from resolutionStrategy into account and also lists at least one other vulnerability that Dependabot does not list.
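The following build.gradle fragment is an added illustration of the setup the notes above describe; it is not code from the gist. It pins a vulnerable transitive library to a patched version through resolutionStrategy (the block Dependabot does not read) and wires in the org.owasp.dependencycheck plugin, which analyzes the resolved dependency graph. All coordinates, versions, the plugin version and the suppression file path are placeholders.

```groovy
// build.gradle (Groovy DSL). Added example, not part of the original gist.
// Every coordinate and version here is a placeholder, not a real advisory.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version 'X.Y.Z' // placeholder: use a current plugin release
}

repositories {
    mavenCentral()
}

dependencies {
    // Direct dependency (placeholder) that transitively pulls in an old
    // com.example:transitive-lib release the scanner would flag.
    implementation 'com.example:web-framework:1.4.0'
}

// Override the transitive version. Dependabot ignores this block, so it keeps
// reporting the version web-framework requests; dependency-check works on the
// resolved graph and therefore sees 2.0.1.
configurations.all {
    resolutionStrategy {
        // Pin one artifact regardless of what any dependency requests.
        force 'com.example:transitive-lib:2.0.1'

        // Alternative for a family of artifacts: rewrite the requested version.
        eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'com.example' &&
                details.requested.name.startsWith('transitive-')) {
                details.useVersion('2.0.1')
                details.because('placeholder: patched release for the known advisory')
            }
        }
    }
}

dependencyCheck {
    // Fail the build when any resolved dependency carries a CVSS score >= 7.
    failBuildOnCVSS = 7
    // Reviewed false positives live in a suppression file checked into the repo.
    suppressionFile = 'config/dependency-check-suppressions.xml' // placeholder path
}
```

Run ./gradlew dependencyCheckAnalyze to produce the report, and ./gradlew dependencies --configuration runtimeClasspath to confirm the override took effect: Gradle prints the requested version followed by an arrow and the forced version for every rewritten edge, which is the resolved state the scanner evaluates and Dependabot never sees.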
Last active: July 12, 2024 17:48
Gist: pavelfomin/71b2c8e67dcc00acfb54d75211d3ff04