Set Up the SourceClear Gradle Plugin

SourceClear Software Composition Analysis

The SourceClear Gradle plugin allows you to automate the scanning of your Gradle repositories. You can optionally upload the results of plugin scans to the SourceClear platform, either to a specific organization or to your personal environment.

Procedure

  1. From the left sidebar, select the team for which you want to create the agent, and select Agents > New Agent > Gradle plugin.
  2. Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:
    • Run the following command to set your environment variable:
      export SRCCLR_API_TOKEN=<apiToken>
    • Edit your build.gradle file and apply the following changes:
      // For Gradle before 2.2.0
      // Add gradle plugin location
      buildscript {
          repositories {
              maven {
                  url "https://plugins.gradle.org/m2/"
              }
          }
      }
      // Add 'classpath("com.srcclr:gradle:2.2.15")' to your dependencies

      buildscript {
          ...
          dependencies {
              classpath "gradle.plugin.com.srcclr:gradle:2.2.15"
          }
      }

      apply plugin: "srcclr"

      srcclr {
          apiToken = "<apiTokenHere>" // Only required if environment variable is not set
      }

      // For Gradle 2.2.0 or higher
      ...

      plugins {
          id "com.srcclr.gradle" version "2.2.15"
      }

      apply plugin: "srcclr"

      srcclr {
          apiToken = "<apiTokenHere>" // Only required if environment variable is not set
      }
                              
  3. Optionally, add additional configuration options, as listed here.
  4. Save the changes to the build.gradle file.
    You can run the SourceClear plugin during your build by adding the srcclr argument to the gradlew command.
  5. To perform dependency resolution and build class files (the minimum requirements for vulnerable methods analysis), run the following command:
    ./gradlew srcclr
  6. For larger builds, you can run:
    ./gradlew clean build srcclr
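
Of the two options in step 2, a token written into build.gradle ends up in version control, where anyone with repository access can read it. The following pre-scan check is an added example, not part of the SourceClear documentation: the function names are hypothetical and the sample build files are constructed. It flags literal apiToken values in Gradle files and confirms that SRCCLR_API_TOKEN is set.

```shell
#!/bin/sh
# Added example: guard against committing the SourceClear API token.

# List file:line for each apiToken assignment that holds a quoted literal.
# Placeholders like "<apiTokenHere>", empty strings, and "${...}" lookups
# are ignored. The value itself is redacted so it never reaches CI logs.
find_hardcoded_tokens() {
    find "${1:-.}" -type f -name '*.gradle' -exec \
        grep -HnE "apiToken[[:space:]]*=?[[:space:]]*[\"'][^\"'<>\$]+[\"']" {} + |
        sed -E 's/(apiToken[[:space:]]*=?[[:space:]]*).*/\1<redacted>/'
}

# Exit codes: 0 = ok, 1 = literal token in a build file, 2 = env var missing.
check_srcclr_token_hygiene() {
    dir=${1:-.}
    hits=$(find_hardcoded_tokens "$dir")
    if [ -n "$hits" ]; then
        printf 'hardcoded srcclr apiToken found:\n%s\n' "$hits" >&2
        return 1
    fi
    if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
        echo 'SRCCLR_API_TOKEN is not set in this environment' >&2
        return 2
    fi
    return 0
}

# Constructed sample input: one build file with the placeholder from the
# procedure above, one with a made-up literal token.
write_sample_builds() {
    mkdir -p "$1/clean" "$1/leaky"
    printf '%s\n' 'srcclr {' '    apiToken = "<apiTokenHere>"' '}' \
        > "$1/clean/build.gradle"
    printf '%s\n' 'srcclr {' '    apiToken = "constructed-not-a-real-token"' '}' \
        > "$1/leaky/build.gradle"
}
```

Source the file and call `check_srcclr_token_hygiene .` from the repository root before `./gradlew srcclr`, for example in a pre-commit hook or as the first CI step.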