Today I was running a CVE vulnerability scan on my own project, and fixing the findings required upgrading plugin dependencies. The build.gradle is configured as follows:
- build.gradle
```groovy
configurations {
    // Force-remove transitive dependencies flagged by the CVE scan
    implementation {
        exclude group: 'com.h2database' // CVE-2022-45868, CVE-2022-23221, CVE-2021-42392
        exclude group: 'org.graalvm.sdk'
        // exclude takes group and module separately; a "group:name" string passed as the group matches nothing
        exclude group: 'com.bertramlabs.plugins', module: 'asset-pipeline-core'
    }
    // Force-upgrade: pin specific modules to a patched version wherever they are requested
    all {
        resolutionStrategy.eachDependency { DependencyResolveDetails details ->
            ModuleVersionSelector requested = details.requested
            List forcePlugins = [
                [group: 'org.yaml', name: 'snakeyaml', useVersion: '1.33'],
            ]
            forcePlugins.each { forcePlugin ->
                if (requested.group == forcePlugin.group && requested.name == forcePlugin.name) {
                    details.useVersion forcePlugin.useVersion
                }
            }
        }
    }
}
```
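To confirm that the exclusions and forced versions above actually changed the resolved classpath, here is an added check script (not from the original post) that parses the tree printed by `./gradlew dependencies --configuration runtimeClasspath`. The two trees embedded in it are constructed samples, and the configuration name is an assumption.

```shell
#!/bin/sh
# Constructed samples mimicking Gradle's dependency tree output
# ("group:name:declared -> resolved", "(*)" marks repeated entries).
TREE_BEFORE='runtimeClasspath - Runtime classpath of source set main.
+--- org.yaml:snakeyaml:1.30
+--- com.h2database:h2:1.4.200
\--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.4
     \--- org.yaml:snakeyaml:1.30 (*)
'
TREE_AFTER='runtimeClasspath - Runtime classpath of source set main.
+--- org.yaml:snakeyaml:1.30 -> 1.33
\--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.4
     \--- org.yaml:snakeyaml:1.30 -> 1.33 (*)
'

# Escape dots so com.h2database does not also match com-h2database.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Print the resolved version of every occurrence of GROUP:NAME in TREE:
# the token after "-> " when Gradle changed the version, else the declared one.
resolved_versions() {
  g=$(re_escape "$2"); n=$(re_escape "$3")
  printf '%s\n' "$1" | grep -E "(^|[^A-Za-z0-9.-])$g:$n:" \
    | sed -E "s/.*-> ([^ ]+).*/\1/; t; s/.*$g:$n:([^ ]+).*/\1/"
}

# Succeed only if GROUP:NAME appears and resolves to WANT everywhere.
check_forced() {
  versions=$(resolved_versions "$1" "$2" "$3")
  [ -n "$versions" ] || return 1
  printf '%s\n' "$versions" | grep -F -v -x -q -- "$4" && return 1
  return 0
}

# Succeed only if GROUP appears nowhere in TREE (the exclude took effect).
check_excluded() {
  g=$(re_escape "$2")
  ! printf '%s\n' "$1" | grep -q -E "(^|[^A-Za-z0-9.-])$g:"
}

# Stand-alone run against the constructed "after" tree.
check_forced "$TREE_AFTER" org.yaml snakeyaml 1.33 && echo "snakeyaml forced to 1.33: OK"
check_excluded "$TREE_AFTER" com.h2database && echo "com.h2database excluded: OK"
```

On a real project, replace the sample strings with `TREE=$(./gradlew dependencies --configuration runtimeClasspath)` and run the same checks in CI so a regression in the forced version fails the build.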