March 20, 2025
using osv-scanner - from google
how it works
parses lockfiles (e.g. gradle.lockfile) for dependencies and checks them against its vulnerability database (osv.dev).
run
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
cd fred
gradlew dependencies --write-locks
cd ..
osv-scanner --experimental-licenses-summary fred
result:
OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                                             | VERSION    | SOURCE
https://osv.dev/GHSA-5mg8-w23w-74h3 | 3.3  | Maven     | com.google.guava:guava                              | 31.0.1-jre | fred\gradle.lo
https://osv.dev/GHSA-7g45-4rm6-3mm3 | 5.5  | Maven     | com.google.guava:guava                              | 31.0.1-jre | fred\gradle.lo
https://osv.dev/GHSA-4265-ccf5-phj5 | 6.7  | Maven     | org.apache.commons:commons-compress                 | 1.24.0     | fred\gradle.lo
https://osv.dev/GHSA-4g9r-vxhx-9pgx | 5.9  | Maven     | org.apache.commons:commons-compress                 | 1.24.0     | fred\gradle.lo
https://osv.dev/GHSA-mg83-c7gq-rv5c | 7.4  | Maven     | org.springframework.security:spring-security-crypto | 6.4.3      | fred\gradle.lo

license summary:

LICENSE      | NO. OF PACKAGE VERSIONS
Apache-2.0   | 312
non-standard | 37
MIT          | 35
EPL-2.0      | 20
...
UNKNOWN      | 7
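To make the "how it works" step concrete, here is an added example (not osv-scanner's own code) that parses a gradle.lockfile the way the scanner does and builds the request body the OSV database API accepts. The lockfile contents and the API response are constructed, and the querybatch endpoint shape comes from the public OSV API, not from this page.

```python
"""Added example (not osv-scanner's code): parse gradle.lockfile, build OSV queries."""

# Constructed sample lockfile in Gradle's single-file lock format; the
# coordinates mirror two packages flagged in the scan above.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
com.google.guava:guava:31.0.1-jre=compileClasspath,runtimeClasspath
org.apache.commons:commons-compress:1.24.0=runtimeClasspath
empty=annotationProcessor
"""

# Constructed response in the shape POST api.osv.dev/v1/querybatch returns: one
# result per query, carrying only vulnerability ids (CVSS needs a /v1/vulns lookup).
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-5mg8-w23w-74h3"}, {"id": "GHSA-7g45-4rm6-3mm3"}]},
    {"vulns": [{"id": "GHSA-4265-ccf5-phj5"}, {"id": "GHSA-4g9r-vxhx-9pgx"}]},
]}

def parse_gradle_lockfile(text):
    """Return [(group:artifact, version, [configurations])] per locked dependency."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coords, _, configs = line.partition("=")
        if coords == "empty":  # marker line for configurations with no deps
            continue
        group, artifact, version = coords.split(":", 2)
        deps.append((f"{group}:{artifact}", version, configs.split(",")))
    return deps

def build_osv_querybatch(deps, ecosystem="Maven"):
    """One query per dependency; OSV names Maven packages as group:artifact."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v, _ in deps]}

def match_results(deps, response):
    """Pair each dependency with its vuln ids; results come back in query order."""
    findings = {}
    for (name, version, _), result in zip(deps, response["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]  # {} means no match
        if ids:
            findings[f"{name}@{version}"] = ids
    return findings

if __name__ == "__main__":
    deps = parse_gradle_lockfile(SAMPLE_LOCKFILE)
    print(build_osv_querybatch(deps))
    print(match_results(deps, SAMPLE_RESPONSE))
```

The scanner's table adds CVSS and source-file columns by fetching each id's full record; the batch endpoint only tells you which ids apply to which locked version.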