patch for #95

src/main/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPlugin.groovy

@@ -20,6 +20,9 @@ package org.owasp.dependencycheck.gradle
 
 import org.gradle.api.Plugin
 import org.gradle.api.Project
+import org.gradle.api.internal.artifacts.ivyservice.ivyresolve.strategy.VersionComparator
+import org.gradle.util.GradleVersion
+import org.gradle.api.GradleException
 import org.owasp.dependencycheck.gradle.extension.AnalyzerExtension
 import org.owasp.dependencycheck.gradle.extension.ArtifactoryExtension
 import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension
@@ -33,6 +36,9 @@ import org.owasp.dependencycheck.gradle.tasks.Aggregate
 import org.owasp.dependencycheck.gradle.tasks.Purge
 
 class DependencyCheckPlugin implements Plugin<Project> {
+
+    static final GradleVersion MINIMUM_GRADLE_VERSION = GradleVersion.version("4.0")
+
     public static final String ANALYZE_TASK = 'dependencyCheckAnalyze'
     public static final String AGGREGATE_TASK = 'dependencyCheckAggregate'
     public static final String UPDATE_TASK = 'dependencyCheckUpdate'
@@ -46,10 +52,11 @@ class DependencyCheckPlugin implements Plugin<Project> {
     private static final String ANALYZERS_EXTENSION_NAME = "analyzers"
 
     void apply(Project project) {
+        checkGradleVersion()
         initializeConfigurations(project)
         registerTasks(project)
     }
-    
+
     void initializeConfigurations(Project project) {
         def ext = project.extensions.create(CHECK_EXTENSION_NAME, DependencyCheckExtension, project)
         ext.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
@@ -66,4 +73,16 @@ class DependencyCheckPlugin implements Plugin<Project> {
         project.task(ANALYZE_TASK, type: Analyze)
         project.task(AGGREGATE_TASK, type: Aggregate)
     }
+
+    void checkGradleVersion(Project project) {
+        if (project != null && MINIMUM_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
+            if (project.plugins.contains("com.android.build.gradle.AppPlugin")) {
+                throw new GradleException("Detected ${GradleVersion.current()}; the dependency-check-gradle " +
+                        "plugin requires ${MINIMUM_GRADLE_VERSION} or higher when analyzing Android projects.")
+            } else {
+                project.logger.warn("Detected ${GradleVersion.current()}; while the dependency-check-gradle " +
+                        "plugin will work it is recommended that you upgrade to ${MINIMUM_GRADLE_VERSION} or higher.")
+            }
+        }
+    }
 }

src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy

@@ -24,9 +24,12 @@ import org.gradle.api.InvalidUserDataException
 import org.gradle.api.Project
 import org.gradle.api.artifacts.Configuration
 import org.gradle.api.artifacts.ModuleVersionIdentifier
+import org.gradle.api.artifacts.ResolvedArtifact
 import org.gradle.api.attributes.Attribute
+import org.gradle.api.internal.artifacts.configurations.DefaultConfiguration
 import org.gradle.api.tasks.Internal
 import org.gradle.api.tasks.TaskAction
+import org.gradle.util.GradleVersion
 import org.owasp.dependencycheck.Engine
 import org.owasp.dependencycheck.data.nexus.MavenArtifact
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException
@@ -58,6 +61,8 @@ abstract class AbstractAnalyze extends DefaultTask {
     @Internal
     def artifactType = Attribute.of('artifactType', String)
 
+    static final GradleVersion CUTOVER_GRADLE_VERSION = GradleVersion.version("4.0")
+
     /**
      * Calls dependency-check-core's analysis engine to scan
      * all of the projects dependencies.
@@ -417,51 +422,80 @@ abstract class AbstractAnalyze extends DefaultTask {
      * @param project the project to analyze
      * @param engine the dependency-check engine
      */
-    protected void processConfigurations(Project project, engine) {
-        project.configurations.findAll {
-            shouldBeScanned(it) && !(shouldBeSkipped(it) || shouldBeSkippedAsTest(it)) && canBeResolved(it)
+    protected void processConfigurations(Project project, Engine engine) {
+        project.configurations.findAll { Configuration configuration ->
+            shouldBeScanned(configuration) && !(shouldBeSkipped(configuration)
+                    || shouldBeSkippedAsTest(configuration)) && canBeResolved(configuration)
         }.each { Configuration configuration ->
+            if (CUTOVER_GRADLE_VERSION.compareTo(GradleVersion.current()) > 0) {
+                processConfigLegacy configuration, engine
+            } else {
+                processConfigV4 configuration, engine
+            }
+        }
+    }
 
-            String projectName = project.name
-            String scope = "$projectName:$configuration.name"
-
-            logger.info "- Analyzing ${scope}"
+    /**
+     * Process the incoming artifacts for the given project's configurations using APIs pre-gradle 4.0.
+     * @param project the project to analyze
+     * @param engine the dependency-check engine
+     */
+    protected void processConfigLegacy(Configuration configuration, Engine engine) {
+        configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
+            def dependencies = engine.scan(artifact.getFile())
+            addInfoToDependencies(dependencies, configuration.name,
+                    artifact.moduleVersion.id.group,
+                    artifact.moduleVersion.id.name,
+                    artifact.moduleVersion.id.version)
+        }
+    }
 
-            Map<String, ModuleVersionIdentifier> componentVersions = [:]
-            configuration.incoming.resolutionResult.allDependencies.each {
-                if (it.hasProperty('selected')) {
-                    componentVersions.put(it.selected.id, it.selected.moduleVersion)
-                } else if (it.hasProperty('attempted')) {
-                    logger.warn("Unable to resolve artifact: ${it.attempted.displayName}")
-                } else {
-                    logger.warn("Unable to resolve: ${it}")
-                }
+    /**
+     * Process the incoming artifacts for the given project's configurations using APIs introduced in gradle 4.0+.
+     * @param project the project to analyze
+     * @param engine the dependency-check engine
+     */
+    protected void processConfigV4(Configuration configuration, Engine engine) {
+        String projectName = project.name
+        String scope = "$projectName:$configuration.name"
+
+        logger.info "- Analyzing ${scope}"
+
+        Map<String, ModuleVersionIdentifier> componentVersions = [:]
+        configuration.incoming.resolutionResult.allDependencies.each {
+            if (it.hasProperty('selected')) {
+                componentVersions.put(it.selected.id, it.selected.moduleVersion)
+            } else if (it.hasProperty('attempted')) {
+                logger.warn("Unable to resolve artifact: ${it.attempted.displayName}")
+            } else {
+                logger.warn("Unable to resolve: ${it}")
             }
+        }
 
-            def types = config.analyzedTypes
+        def types = config.analyzedTypes
 
-            types.each { type ->
-                configuration.incoming.artifactView {
-                    attributes {
-                        it.attribute(artifactType, type)
-                    }
-                }.artifacts.each {
-                    def deps = engine.scan(it.file, scope)
-                    ModuleVersionIdentifier id = componentVersions[it.id.componentIdentifier]
-                    if (id==null) {
-                        logger.debug "Could not find dependency {'artifact': '${it.id.componentIdentifier}', 'file':'${it.file}'}"
-                    } else {
-                        if (deps == null) {
-                            if (it.file.isFile()) {
-                                addDependency(engine, projectName, configuration.name,
-                                        id.group, id.name, id.version, it.id.displayName, it.file)
-                            } else {
-                                addDependency(engine, projectName, configuration.name,
-                                        id.group, id.name, id.version, it.id.displayName)
-                            }
+        types.each { type ->
+            configuration.incoming.artifactView {
+                attributes {
+                    it.attribute(artifactType, type)
+                }
+            }.artifacts.each {
+                def deps = engine.scan(it.file, scope)
+                ModuleVersionIdentifier id = componentVersions[it.id.componentIdentifier]
+                if (id == null) {
+                    logger.debug "Could not find dependency {'artifact': '${it.id.componentIdentifier}', " +
+                            "'file':'${it.file}'}"
+                } else {
+                    if (deps == null) {
+                        if (it.file.isFile()) {
+                            addDependency(engine, projectName, configuration.name,
+                                    id.group, id.name, id.version, it.id.displayName, it.file)
                         } else {
-                            addInfoToDependencies(deps, scope, id.group, id.name, id.version)
+                            addDependency(engine, projectName, configuration.name,
+                                    id.group, id.name, id.version, it.id.displayName)
                         }
+                    } else {
+                        addInfoToDependencies(deps, scope, id.group, id.name, id.version)
                     }
                 }
             }
@@ -544,7 +578,7 @@ abstract class AbstractAnalyze extends DefaultTask {
             dependency.version = version
             dependency.packagePath = "${group}:${name}:${version}"
             dependency.addProjectReference("${projectName}:${configurationName}")
-            if (file!=null && file.getName().endsWith(".aar")) {
+            if (file != null && file.getName().endsWith(".aar")) {
                 dependency.ecosystem = "android"
             } else {
                 dependency.ecosystem = "gradle"