I use OWASP `dependency-check:dependencyCheckAnalyze` to verify dependency vulnerabilities.

It always shows that `apple:AppleJavaExtensions` has a severe vulnerability, but I don't remember using this dependency.

I tried to locate this dependency using `./gradlew dependencyInsight --dependency AppleJavaExtensions`, but it says `No dependencies matching given input were found in configuration ':compileClasspath'`.

How can I find this dependency to fix the warning?

Update: runtime dependencies graph: https://pastebin.com/uDpiiSUM

LunaticJape
  • Can you share your gradle dependency file? – lealceldeiro Oct 03 '18 at 16:50
  • Doesn't this help: https://stackoverflow.com/questions/21645071/using-gradle-to-find-dependency-tree? – lealceldeiro Oct 03 '18 at 16:51
  • It shows a list so long that my console could not display all of it. So I used `./gradlew buildEnvironment --scan`, but it does not contain any Apple dependency. – LunaticJape Oct 03 '18 at 17:52
  • Are you building with the version of Java that comes with Mac OS X? If so, you should try to get hold of a recent JDK and use that. 1.8.x at the very least. I suspect that's where the vulnerability is coming from, not your Gradle dependencies. – Peter Ledbrook Oct 05 '18 at 07:51
  • @PeterLedbrook no, I build in Linux. – LunaticJape Oct 05 '18 at 15:44
  • Well, a Google search on AppleJavaExtensions definitely seems to indicate that it's specific to Java on Mac OS X. I have absolutely no idea why you'd see it on Linux. Is the build doing anything unusual? Alternatively, is there a `buildscript {}` block or any extra configurations that the build defines? – Peter Ledbrook Oct 06 '18 at 19:53

0 Answers