Do gradle dependencies submitted via dependency submission API receive Dependabot security alerts? #45544
We used https://github.com/mikepenz/gradle-dependency-submission github action by @mikepenz to submit our dependencies. Documentation says that "You will only get Dependabot alerts for dependencies that are from one of the supported ecosystems of the GitHub Advisory Database." Since gradle eventually uses maven repositories to get dependencies we're not sure if such dependencies are treated as a part of the maven ecosystem or not. Is it the case? A quick test adding a dependency with low severity to the project and having this action add it to the graph didn't trigger the alert so far. We're not sure if it's timing - i.e. security alerts are run at certain intervals and we just need to wait a bit for an alert to appear, or if gradle is considered a separate ecosystem from the security alerts perspective. Will such dependencies receive Dependabot security alerts?
Update: the setup described above works, we just suspect the first execution when you add it may depend on dependabot running frequency, whether it is daily or weekly. This is just an assumption, maybe in reality it was some temporary hiccup. Now on any push to master we have the dependency graph updated and vulnerabilities reported in the security tab are also updated.
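The setup the thread converges on, written out as an added example (not the poster's own workflow): a GitHub Actions workflow that submits the Gradle dependency graph on every push to master. The module name `:app`, the `runtimeClasspath` configuration and the Java version are assumptions; the action's version is a placeholder to be pinned to a release tag or commit SHA.

```yaml
# Added example, not taken from the thread: submit the resolved Gradle
# dependency graph through the dependency submission API on each push.
name: Gradle dependency submission

on:
  push:
    branches: [master]

permissions:
  contents: write   # the dependency submission API needs write access to contents

jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'      # assumed; match the project's toolchain

      # Placeholder version: pin to a released tag or, better, a full commit SHA.
      - uses: mikepenz/gradle-dependency-submission@<release-tag-or-commit-sha>
        with:
          gradle-build-module: ':app'                      # assumed module
          gradle-build-configuration: 'runtimeClasspath'   # assumed configuration
```

Submitted Gradle coordinates are matched against the Maven ecosystem of the advisory database, so alerts for them show up with the repository's other Dependabot alerts; `gh api repos/OWNER/REPO/dependabot/alerts` lists them once the first submission has been processed.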