Description
What are you trying to do?
I want this plugin to automatically remediate vulnerable dependencies in my project.
What feature or behavior is this required for?
Automatic vulnerability remediation
How could we solve this issue? (Not knowing is okay!)
After a scan, query SonatypeIQ for the scan results. For each vulnerable dependency with an available fix, update the Gradle project with a non-vulnerable version suggested by SonatypeIQ. When the dependency version is explicitly specified in build.gradle, gradle.properties, or a local version catalog, simply replace the version. For direct dependencies where the version is determined implicitly from a BOM, add the direct dependency (if necessary) to the appropriate configuration and update its version wherever the project keeps its dependency versions. For transitive dependencies, add the transitive dependency to a constraint block against the appropriate configuration and update its version wherever the project keeps its dependency versions.
Anything else?
Isolate this functionality in a separate task dependent on the scan task. Allow configuration to include/exclude dependencies from the update. Allow configuration to include/exclude threat levels from the update.
cc @bhamail / @DarthHater / @guillermo-varela / @shaikhu
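As an added illustration, not part of this issue or of the plugin's own code, the build.gradle below (Groovy DSL) shows what the proposed remediation task would leave behind for the three cases described above: an explicitly declared version, a direct dependency whose version comes from a BOM, and a transitive dependency that the project never declares itself. Every coordinate, version and fix version is a constructed placeholder, not a real artifact or advisory.

```groovy
// Added example (not from the issue or the plugin): the state of build.gradle
// after the proposed remediation task has applied fixes reported by Sonatype IQ.
// All coordinates and versions below are constructed placeholders.

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Case 1: version declared explicitly in build.gradle.
    // Before remediation the line read:
    //   implementation 'com.example:explicit-lib:1.0.0'
    // The task rewrites only the version string to the fixed version.
    // (If the version lived in gradle.properties as explicitLibVersion, or in
    // gradle/libs.versions.toml, the task would rewrite that file instead and
    // leave this line untouched.)
    implementation 'com.example:explicit-lib:1.0.1'

    // Case 2: direct dependency whose version is supplied by a BOM.
    // Before remediation the dependency carried no version:
    //   implementation 'com.example:bom-managed-lib'
    // Declaring a version on the dependency itself makes Gradle resolve to the
    // higher of the BOM's version and the declared one, so the fix wins.
    implementation platform('com.example:example-bom:2.0.0')
    implementation 'com.example:bom-managed-lib:2.0.3'

    // Case 3: transitive dependency the project does not declare directly.
    // A constraint raises the resolved version for this configuration without
    // turning the library into a direct dependency of the project.
    constraints {
        implementation('com.example:transitive-lib:3.1.2') {
            because 'remediation: raised above vulnerable 3.1.0 per Sonatype IQ scan results'
        }
    }
}
```

Two points a practitioner would check after the task runs. First, `platform(...)` versions are only constraints, so the case 2 override works; if the BOM was imported with `enforcedPlatform(...)` instead, the BOM's version is forced and the task would have to bump the BOM itself (or drop the enforcement) rather than the single dependency. Second, the resolved versions are what matter, not the declared ones, so confirm the effect with `./gradlew dependencyInsight --configuration runtimeClasspath --dependency transitive-lib` and then re-run the scan task so the remediation is verified against Sonatype IQ rather than assumed.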