# gradle
h
Hello folks, 👋🏽 I’m working towards fixing a vulnerability from org.json and I noticed that the vulnerability for my gradle project is using the dataFile scope. For one of my projects, I addressed it by doing:
dependencies {
    dataFiles("org.json", "json", "20230227")
}
However, for another project, I get the error:
Configuration with name 'dataFiles' not found.
Would any of you have any suggestion as to what I could possibly be doing wrong? Any help is greatly appreciated. BTW: using gradle 8.1.1 in both.
c
datafiles is a custom gradle configuration defined in your first project. The second project does not define that configuration hence the error. You’ll need to assess the second project to determine if it uses that dependency, and if so on which configurations.
Btw it’s more effective to use constraints to force minimum dependency versions for vulnerabilities as they also handle transitive dependencies. https://docs.gradle.org/current/userguide/dependency_constraints.html
h
Thanks for your reply Chris. That's what has been the problem from my view. I'm not able to find the usage of the reference for the library at all. Already tried many things. Do you have any suggestions on where I would check for such configuration? Thanks for the tip regarding the constraint. It is definitely better to use that, good point.
c
have you tried a build scan (./gradlew build --scan) to identify dependencies?
it is perhaps a transitive dependency (will still show up in the scan), which can be addressed via a constraint (once you know from the scan what configuration(s) it is on)
h
I haven’t actually tried ./gradlew build --scan. I tried ./gradlew dependencies though.
This is what it returns, for example: The reason why it is returning in runtimeClasspath, etc., is because I tried to add the implementation (library) for the project that I couldn’t use dataFiles in.
c
you’ll need to repeat that for each project, e.g. :project:dependencies - by itself it only shows dependencies for the root project. Try a scan, it’s more interactive / searchable.
h
Just to confirm I understand, would running ./gradlew build --scan suffice? I mean, it looks like I need to accept Terms and Conditions in order to get it published. Not sure how safe it would be to do that though. 👀
c
your call on the safety. It does have all the deets needed to diagnose issues such as this.
h
Is there any way to avoid it going public? I mean, can’t I get the output on my machine only? Another option is: if I use the dependency analyser from IntelliJ IDEA, would that help in any way? Because I can definitely see the reference for the library there.
c
Outside of the scan this reference may help with other options.
h
Could this be the culprit?
c
Yes
h
This is what the details return.
c
Seems like snyk plug-in is reporting vulnerability on itself
h
But what is confusing me now is: what could be preventing me from “overriding” this dataFile dependency if I try to do:
constraints {
    dataFiles("org.json", "json", "20230227") {
        because("<https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5488379>")
    }
}
And it fails with:
Configuration with name 'dataFiles' not found.

* Try:
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Exception is:
org.gradle.api.artifacts.UnknownConfigurationException: Configuration with name 'dataFiles' not found.
c
Yes. It is in dataFiles in one project but not others.
h
If I remember correctly, gradle 8.1.1 already supports dataFiles by default. It is just not being recognised. I have also tried the following, but without much help:
configurations {
    dataFiles
}
Yes. It is in dataFiles in one project but not others.
What do you mean?
c
Datafiles is not a gradle provided configuration. It is being created by some other plugin in some projects but not others.
h
Maybe I’m not expressing myself well, haha. Apologies for that. Let’s think about this scenario:
1. Repository A (build.gradle.kts_1)
   a. This repository uses the Snyk plugin;
   b. It also uses gradle 8.1.1;
   c. When I updated build.gradle.kts and added the constraint, overriding dataFiles, it worked as it should.
2. Repository B (build.gradle.kts_2)
   a. This repository uses the Snyk plugin;
   b. It also uses gradle 8.1.1;
   c. When I updated build.gradle.kts and added the constraint, overriding dataFiles, it failed with the error above.
Is there anything I might be missing here? For example, is there any possible configuration that could affect how gradle resolves the configuration from within dependencies?
c
Assuming those are projects (not repositories), Project B does not have a dataFiles configuration, so why are you trying to fix it there? Does Project B have that vulnerable json lib in a different configuration?
h
They are independent repositories (completely separate applications). Each of them has its own plugins and dependencies, but both of them have:
plugins {
    id("io.snyk.gradle.plugin.snykplugin") version "0.4"
}
Which I suppose is where the vulnerable dependency is coming from.
I noticed that a PR to fix the issue was already raised for the snyk plugin. It is just my head hitting against the wall trying to understand the reason for the exception. Not sure why that happens.
c
So they are separate Gradle projects. They likely have different sets of plugins. Does snyk not tell you which configuration (on Project B) the vulnerability is on?
h
Yes, it is the same json package. If I simply add:
dataFiles("org.json", "json", "20230227")
gradle will fail to build due to the dataFiles keyword.
c
Not sure what same json package means. What is the snyk output from just Project B?
h
Not sure what same json package means.
The same dependency
org.json:json
.
What is the snyk output from just Project B?
I don’t think the problem here is with the snyk execution (since I’m not invoking it). The build gradle does not compile, because when I make use of the dataFiles keyword under dependencies (from build.gradle.kts), the exception is thrown by simply trying to re-sync the project.
c
Yes. For the reason noted above. You can’t apply the fix from one project to a completely different project, there’s no expectation that will magically work. You’ll need to assess the vulnerabilities in Project B and action those specifically.
h
That’s exactly what I’m trying to do, right? The fix for project A is completely independent from project B. Project A has already been merged and released. I’m trying to apply the same fix for project B, which was by adding the dataFiles, but in project A I didn’t get the exception.
There might be something compromising the usage of dataFiles in my gradle config, which I’m not entirely sure what it could be.
c
If the fix for project A is completely independent, why the expectation it will work on project B? Assess project B and fix its specific vulnerabilities. Datafiles isn’t the problem - it’s the erroneous use of a project A fix in a separate project with a different configuration.
h
I was just trying to resolve the vulnerability issue from Project B the same way I resolved it for the other 2 projects, which was by overriding the vulnerable dependency by specifying the dataFiles within the dependency. But for some odd reason, using dataFiles in project B doesn’t compile. I will see if I can investigate further, but it is very odd.
c
It’s not an odd reason, project B has a different configuration that doesn’t use datafiles.
h
According to the dependencies scan, it does use it.
gradle -q dependencies --configuration dataFiles

------------------------------------------------------------
Root project 'plugins'
------------------------------------------------------------

dataFiles - The data artifacts to be processed for this plugin.
\--- org.json:json:20200518

A web-based, searchable dependency report is available by adding the --scan option.
c
Is project B a sub project of another one, or a standalone project?
h
It is a standalone project.
Hey Chris, I think I found what the issue might be. In settings.gradle.kts I have the following:
rootProject.name = "plugins"

include(":src:directDownload")
include(":src:collectMetrics")
I noticed that once I remove the includes from settings.gradle.kts, I don’t get the exception. So I probably need to somehow apply the dataFiles only for the plugins context.
c
ah yea. apply in your main build.gradle.kts (for ‘plugins’ project); placing it somewhere that affects the subprojects is causing the failure as those subprojects don’t have the dataFiles configuration.
h
Yep, I think that might be the issue. So I suppose I would need to do something like:
project("plugins") {
    dependencies {
        constraints {
            dataFiles("org.json","json","20230227") {
                because("<https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5488379>")
            }
        }
    }
}
And remove the dataFiles from allProjects?
c
correct!
h
Is that how I reference the name of the root.name project? Because I got the error:
Project with path 'plugins' could not be found in root project 'plugins'.
I will see if I can find the issue.
c
this is not necessary, you are already in the project: project("plugins") {
h
What is not necessary? Sorry, I’m a complete newbie with Gradle.
c
it should be this:
dependencies {
    constraints {
        dataFiles("org.json", "json", "20230227") {
            because("<https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-5488379>")
        }
    }
}
h
It worked.
OMFG! Thanks so much Chris for your help.
I can definitely see the library updated now. 🙌🏽