{"id":15044120,"url":"https://github.com/gradle/github-dependency-graph-gradle-plugin","last_synced_at":"2025-04-06T08:13:48.802Z","repository":{"id":37756340,"uuid":"434412403","full_name":"gradle/github-dependency-graph-gradle-plugin","owner":"gradle","description":"Gradle Plugin for Extracting Dependency Information to send to GitHub","archived":false,"fork":false,"pushed_at":"2025-03-03T21:24:01.000Z","size":2540,"stargazers_count":89,"open_issues_count":8,"forks_count":15,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-03-30T07:08:28.174Z","etag":null,"topics":["dependabot","dependency-analysis","github","gradle","gradle-bt","gradle-bt-software"],"latest_commit_sha":null,"homepage":"","language":"Groovy","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gradle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-03T00:04:03.000Z","updated_at":"2025-03-23T01:42:25.000Z","dependencies_parsed_at":"2024-01-02T20:29:04.963Z","dependency_job_id":"41d71a04-182c-483c-a616-1fad8ec05f08","html_url":"https://github.com/gradle/github-dependency-graph-gradle-plugin","commit_stats":{"total_commits":321,"total_committers":6,"mean_commits":53.5,"dds":"0.26168224299065423","last_synced_commit":"b48ed39a2175f6591568a93b0b12ce24430db984"},"previous_names":["gradle/github-dependency-graph-gradle-plugin"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gradle%2Fgithub-dependency-graph-gradle-plugin","tags_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/gradle%2Fgithub-dependency-graph-gradle-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gradle%2Fgithub-dependency-graph-gradle-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gradle%2Fgithub-dependency-graph-gradle-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gradle","download_url":"https://codeload.github.com/gradle/github-dependency-graph-gradle-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247451665,"owners_count":20940944,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependabot","dependency-analysis","github","gradle","gradle-bt","gradle-bt-software"],"created_at":"2024-09-24T20:50:06.359Z","updated_at":"2025-04-06T08:13:48.780Z","avatar_url":"https://github.com/gradle.png","language":"Groovy","readme":"# GitHub Dependency Graph Gradle Plugin\n\nA Gradle plugin for generating a GitHub dependency graph for a Gradle build, which can be uploaded to the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission).\n\n## Usage\nThis plugin is designed to be used in a GitHub Actions workflow, and is tightly integrated into the \n[gradle/actions/dependency-submission](https://github.com/gradle/actions/tree/main/dependency-submission) action.\n\nFor other uses, the [core plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin) 
(`org.gradle.github.GitHubDependencyGraphPlugin`) \nshould be applied to the `Gradle` instance via a Gradle init script as follows:\n\n```groovy\nimport org.gradle.github.GitHubDependencyGraphPlugin\ninitscript {\n  repositories {\n    maven {\n      url = uri(\"https://plugins.gradle.org/m2/\")\n    }\n  }\n  dependencies {\n    classpath(\"org.gradle:github-dependency-graph-gradle-plugin:+\")\n  }\n}\napply plugin: GitHubDependencyGraphPlugin\n```\n\nNote that the `+` version selector resolves to the latest published plugin version on every resolution; pin an explicit version if you need reproducible builds.\n\nThis causes two separate plugins to be applied, which can be used independently:\n- `GitHubDependencyExtractorPlugin` collects all dependencies that are resolved during a build execution and writes these to a file. The output file can be found at `\u003croot\u003e/build/reports/github-dependency-graph-snapshots/\u003cjob-correlator\u003e.json`.\n- `ForceDependencyResolutionPlugin` creates a `ForceDependencyResolutionPlugin_resolveAllDependencies` task that will attempt to resolve all dependencies for a Gradle build, by simply invoking `dependencies` on all projects.\n\n### Required environment variables\n\nThe following environment variables configure the snapshot generated by the `GitHubDependencyExtractorPlugin`. See the [GitHub Dependency Submission API docs](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28) for details:\n- `GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR`: Sets the `job.correlator` value for the dependency submission\n- `GITHUB_DEPENDENCY_GRAPH_JOB_ID`: Sets the `job.id` value for the dependency submission\n- `GITHUB_DEPENDENCY_GRAPH_REF`: Sets the `ref` value for the commit that generated the dependency graph\n- `GITHUB_DEPENDENCY_GRAPH_SHA`: Sets the `sha` value for the commit that generated the dependency graph\n- `GITHUB_DEPENDENCY_GRAPH_WORKSPACE`: Sets the root directory of the GitHub repository. Must be an absolute path.\n- `DEPENDENCY_GRAPH_REPORT_DIR` (optional): Specifies where the dependency graph report will be generated. 
Must be an absolute path.\n\nEach of these values can also be provided via a system property. \ne.g. the env var `DEPENDENCY_GRAPH_REPORT_DIR` can be set with `-DDEPENDENCY_GRAPH_REPORT_DIR=...` on the command line.\n\n### Filtering which Gradle Configurations contribute to the dependency graph\n\nIf you do not want to include every dependency configuration in every project in your build, you can limit the\ndependency extraction to a subset of these.\n\nThe following parameters control the set of projects and configurations that contribute dependencies.\nEach of these is a regular expression value, and can be set either as an environment variable or as a system property on the command line.\n\n| Property                                | Description               | Default                         |\n|-----------------------------------------|---------------------------|---------------------------------|\n| DEPENDENCY_GRAPH_INCLUDE_PROJECTS       | Projects to include       | All projects are included       |\n| DEPENDENCY_GRAPH_EXCLUDE_PROJECTS       | Projects to exclude       | No projects are excluded        |\n| DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS | Configurations to include | All configurations are included |\n| DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS | Configurations to exclude | No configurations are excluded  |\n\n### Controlling the scope of dependencies in the dependency graph\n\nThe GitHub dependency graph allows a scope to be assigned to each reported dependency.\nThe only permissible values for scope are 'runtime' and 'development'.\n\nThe following parameters control the set of projects and configurations that provide 'runtime' scoped dependencies.\nAny dependency resolution that does not match these parameters will be scoped 'development'.\n\nEach of these parameters is a regular expression value, and can be set either as an environment variable or as a system property on the command line.\n\n| Property                                        | Description    
                                           | Default                         |\n|-------------------------------------------------|-----------------------------------------------------------|---------------------------------|\n| DEPENDENCY_GRAPH_RUNTIME_INCLUDE_PROJECTS       | Projects that can provide 'runtime' dependencies          | All projects are included       |\n| DEPENDENCY_GRAPH_RUNTIME_EXCLUDE_PROJECTS       | Projects that do not provide 'runtime' dependencies       | No projects are excluded        |\n| DEPENDENCY_GRAPH_RUNTIME_INCLUDE_CONFIGURATIONS | Configurations that contain 'runtime' dependencies        | All configurations are included |\n| DEPENDENCY_GRAPH_RUNTIME_EXCLUDE_CONFIGURATIONS | Configurations that do not contain 'runtime' dependencies | No configurations are excluded  |\n\nBy default, no scope is assigned to dependencies in the graph. To enable scopes in the generated dependency graph,\nat least one of these parameters must be configured.\n\nFor dependencies that are resolved in multiple projects and/or multiple configurations, only a single 'runtime' scoped resolution\nis required for that dependency to be scoped 'runtime'.\n\n### Gradle compatibility\n\nThe plugin should be compatible with most versions of Gradle \u003e= 5.2, and has been tested against \nGradle versions \"5.2.1\", \"5.6.4\", \"6.0.1\", \"6.9.4\", \"7.1.1\" and \"7.6.3\", as well as all patched versions of Gradle 8.x.\n\nThe plugin is compatible with running Gradle with the configuration-cache enabled: this support is\nlimited to Gradle \"8.1.0\" and later. 
Earlier Gradle versions will not work with `--configuration-cache`.\nNote that no dependency graph will be generated when configuration state is loaded from the configuration-cache.\n\n| Gradle version | Compatible | Compatible with configuration-cache |\n| -------------- | ------- | ------------------------ |\n| 1.x - 4.x      | :x: | :x: |\n| 5.0 - 5.1.1 | :x: | :x: |\n| 5.2 - 5.6.4 | ✅ | :x: |\n| 6.0 - 6.9.4 | ✅ | :x: |\n| 7.0 - 7.0.2 | :x: | :x: |\n| 7.1 - 7.6.3 | ✅ | :x: |\n| 8.0 - 8.0.2 | ✅ | :x: |\n| 8.1+ | ✅ | ✅ |\n\n### Dependency verification\n\nWhen using this plugin with [dependency signature verification enabled](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification), \nyou should be able to update your `gradle/verification-metadata.xml` file using `--write-verification-metadata pgp,sha256`.\n\nHowever, if this doesn't work, you can add the following to your `gradle/verification-metadata.xml` file:\n\n```xml\n\u003ctrusted-keys\u003e\n   \u003ctrusted-key id=\"7B79ADD11F8A779FE90FD3D0893A028475557671\" group=\"org.gradle\" name=\"github-dependency-graph-gradle-plugin\"/\u003e\n\u003c/trusted-keys\u003e\n```\n\nConfirm the fingerprint independently (for example against the key Gradle reports in its verification failure) before adding it: a trusted-key entry accepts every artifact of that group and name that is signed with the key.\n\n## Using the plugin to generate dependency reports\n\nAs well as the `GitHubDependencyGraphPlugin`, which is tailored for use by the [gradle/actions/dependency-submission](https://github.com/gradle/actions/tree/main/dependency-submission) GitHub Action, this repository also provides the `SimpleDependencyGraphPlugin`, which generates dependency-graph outputs in a simple JSON format.\n\nTo use the `SimpleDependencyGraphPlugin` you'll need to create an `init.gradle` file to apply the plugin to your project:\n\n```groovy\ninitscript {\n    repositories {\n        gradlePluginPortal()\n    }\n    dependencies {\n        classpath \"org.gradle:github-dependency-graph-gradle-plugin:+\"\n    }\n}\napply plugin: org.gradle.dependencygraph.simple.SimpleDependencyGraphPlugin\n```\n\nand then execute the task to resolve all 
dependencies in your project:\n\n```shell\n./gradlew -I init.gradle --dependency-verification=off --no-configuration-cache --no-configure-on-demand :ForceDependencyResolutionPlugin_resolveAllDependencies\n```\n\nNote that `--dependency-verification=off` disables checksum and signature verification for that invocation; omit it if your build already trusts the plugin (see Dependency verification above).\n\nYou'll find the generated files in `build/reports/dependency-graph-snapshots`.\n\n### Using dependency reports to determine the underlying source of a dependency\n\nAfter generating the dependency reports as described, it is possible to determine the dependency source by:\n\n1. Locate the dependency (including matching version) in the `dependency-resolution.json` file.\n2. Inspect each `resolvedBy` entry for the `path` and `configuration` values. The `scope` value is unimportant in this context.\n3. Use the built-in [dependencyInsight](https://docs.gradle.org/current/userguide/viewing_debugging_dependencies.html#dependency_insights) task to determine exactly how the dependency was resolved. The `path` indicates the project where the task should be executed, and the `configuration` is an input to the task.\n\nFor example, given the following from the `dependency-resolution.json` report:\n```json\n  \"dependency\" : \"com.google.guava:guava:32.1.3-jre\",\n  \"effectiveScope\" : \"Unknown\",\n  \"resolvedBy\" : [ {\n    \"path\" : \":my-subproject\",\n    \"configuration\" : \"compileClasspath\",\n    \"scope\" : \"Unknown\"\n  }, ...\n```\n\nYou would run the command:\n```shell\n./gradlew :my-subproject:dependencyInsight --configuration compileClasspath --dependency com.google.guava:guava:32.1.3-jre\n```\n\n#### Dealing with 'classpath' configuration\n\nIf the configuration value in `dependency-resolution.json` is \"classpath\", or for some other reason the above instructions do not work,\nit is possible to reconstruct the full resolution path using the generated `dependency-graph.json` file.\n\nSearch for the exact dependency version in `dependency-graph.json`, and you'll see an \"id\" entry for that dependency as well as one or more\n\"dependencies\" 
entries. By tracing back through the dependencies you can determine the underlying source of the dependency.\n\n\n## Building/Testing\n\nTo build and test this plugin, run the following task:\n```shell\n./gradlew check\n```\n\nTo self-test this plugin and generate a dependency graph for this repository, run:\n```shell\n./plugin-self-test-local\n```\n\nThe generated dependency graph will be submitted to GitHub only if you supply a\n[GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)\nvia the environment variable `GITHUB_TOKEN`.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgradle%2Fgithub-dependency-graph-gradle-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgradle%2Fgithub-dependency-graph-gradle-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgradle%2Fgithub-dependency-graph-gradle-plugin/lists"}
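The following is an added example and is not code from the gradle/github-dependency-graph-gradle-plugin project or its README. It works on a snapshot in the GitHub Dependency Submission API shape that `GitHubDependencyExtractorPlugin` writes (`manifests.*.resolved.*`, each entry carrying `relationship`, `scope` and a `dependencies` list of keys) and turns three things the README states in prose into checkable code: sanity checks on the fields the `GITHUB_DEPENDENCY_GRAPH_*` variables feed and on the permitted scope values; the scope rule from "Controlling the scope of dependencies" (no scope unless at least one `DEPENDENCY_GRAPH_RUNTIME_*` parameter is set, a single runtime-scoped resolution makes the dependency `runtime`, everything else is `development`); and a breadth-first trace from a direct dependency to a transitive one through the `dependencies` entries, which is the manual trace-back the "Dealing with 'classpath' configuration" section describes. Assumptions: the sample snapshot, its coordinates, sha and edges are constructed for the example; the regex parameters are modelled as whole-string matches via `re.fullmatch`, which the README does not specify; the trace is written against the GitHub snapshot JSON, not the `dependency-graph.json` report, whose exact layout the README does not document.

```python
import re
from collections import deque
from typing import Optional

# Constructed sample in the GitHub Dependency Submission API shape (the README's
# <job-correlator>.json). Coordinates, sha and graph edges are made up for the example.
SAMPLE_SNAPSHOT = {
    "job": {"id": "123", "correlator": "ci-build"},
    "sha": "0123456789abcdef0123456789abcdef01234567",
    "ref": "refs/heads/main",
    "manifests": {
        "my-subproject/build.gradle": {
            "name": "my-subproject/build.gradle",
            "file": {"source_location": "my-subproject/build.gradle"},
            "resolved": {
                "org.example:app-lib:1.0": {
                    "package_url": "pkg:maven/org.example/app-lib@1.0",
                    "relationship": "direct", "scope": "runtime",
                    "dependencies": ["com.google.guava:guava:32.1.3-jre"]},
                "com.google.guava:guava:32.1.3-jre": {
                    "package_url": "pkg:maven/com.google.guava/guava@32.1.3-jre",
                    "relationship": "indirect", "scope": "runtime",
                    "dependencies": ["com.google.guava:failureaccess:1.0.1"]},
                "com.google.guava:failureaccess:1.0.1": {
                    "package_url": "pkg:maven/com.google.guava/failureaccess@1.0.1",
                    "relationship": "indirect", "scope": "runtime",
                    "dependencies": []},
            },
        }
    },
}

ALLOWED_SCOPES = {"runtime", "development"}  # the only scope values the README permits


def check_snapshot(snapshot: dict) -> list:
    """Pre-upload sanity checks: fields fed by the GITHUB_DEPENDENCY_GRAPH_* variables,
    permitted scope values, and `dependencies` keys that point at nothing."""
    problems = []
    job = snapshot.get("job", {})
    for key in ("id", "correlator"):
        if not job.get(key):
            problems.append(f"missing job.{key} (GITHUB_DEPENDENCY_GRAPH_JOB_{key.upper()})")
    if not snapshot.get("ref"):
        problems.append("missing ref (GITHUB_DEPENDENCY_GRAPH_REF)")
    if not re.fullmatch(r"[0-9a-f]{40}", str(snapshot.get("sha", ""))):
        problems.append("sha is not a 40-hex-digit commit id (GITHUB_DEPENDENCY_GRAPH_SHA)")
    for name, manifest in snapshot.get("manifests", {}).items():
        resolved = manifest.get("resolved", {})
        for coord, entry in resolved.items():
            scope = entry.get("scope")
            if scope is not None and scope not in ALLOWED_SCOPES:
                problems.append(f"{name}: {coord} has invalid scope {scope!r}")
            for child in entry.get("dependencies", []):
                if child not in resolved:
                    problems.append(f"{name}: {coord} depends on unknown {child}")
    return problems


def resolution_path(snapshot: dict, target: str) -> Optional[list]:
    """Shortest chain of `dependencies` edges from a direct dependency to `target`,
    i.e. the trace-back the README describes doing by hand. None if `target` is absent."""
    for manifest in snapshot.get("manifests", {}).values():
        resolved = manifest.get("resolved", {})
        if target not in resolved:
            continue
        roots = [k for k, v in resolved.items() if v.get("relationship") == "direct"]
        queue = deque([root] for root in roots)
        seen = set(roots)
        while queue:
            chain = queue.popleft()
            if chain[-1] == target:
                return chain
            for child in resolved.get(chain[-1], {}).get("dependencies", []):
                if child not in seen:  # `seen` also stops cycles in the graph
                    seen.add(child)
                    queue.append(chain + [child])
    return None


def _matches(pattern: Optional[str], value: str, default: bool) -> bool:
    """Unset parameter yields `default`. Assumption: a pattern must match the whole value."""
    return default if pattern is None else re.fullmatch(pattern, value) is not None


def resolution_is_runtime(path: str, configuration: str, *,
                          runtime_include_projects=None, runtime_exclude_projects=None,
                          runtime_include_configurations=None,
                          runtime_exclude_configurations=None) -> bool:
    """Does one (project path, configuration) resolution count as 'runtime'? Mirrors the
    four DEPENDENCY_GRAPH_RUNTIME_* parameters: include defaults to all, exclude to none."""
    return (_matches(runtime_include_projects, path, True)
            and not _matches(runtime_exclude_projects, path, False)
            and _matches(runtime_include_configurations, configuration, True)
            and not _matches(runtime_exclude_configurations, configuration, False))


def effective_scope(resolutions, **params) -> Optional[str]:
    """Scope for one dependency given every (path, configuration) that resolved it.
    README rules: no scope unless at least one runtime parameter is set; one runtime
    resolution is enough for 'runtime'; anything else is 'development'."""
    if all(value is None for value in params.values()):
        return None
    if any(resolution_is_runtime(path, conf, **params) for path, conf in resolutions):
        return "runtime"
    return "development"


if __name__ == "__main__":
    print("problems:", check_snapshot(SAMPLE_SNAPSHOT))
    print("path:", " -> ".join(resolution_path(SAMPLE_SNAPSHOT, "com.google.guava:failureaccess:1.0.1")))
```

Run it against a real `<job-correlator>.json` by replacing `SAMPLE_SNAPSHOT` with `json.load(open(path))`; `check_snapshot` catches the empty-correlator and bad-sha cases that otherwise only surface as a rejected upload, and `resolution_path` answers "why is this transitive dependency in my graph" without walking the JSON by hand.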