iamsanjay commented on PR #3502: URL: https://github.com/apache/solr/pull/3502#issuecomment-3217716195
> How did you choose this config?

Short answer: ChatGPT.

Long answer: The Dependency Graph was pulling in Gradle/plugin tooling (buildscript classpath, plugin classpaths, annotation processors, etc.), which added noise. I'm pruning the submission to keep only real app/test classpaths and exclude tooling. I also tag scopes so we can focus security on what actually ships.

1. What we submit (include/exclude)
   - `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` → only: compileClasspath, runtimeClasspath, testCompileClasspath, testRuntimeClasspath.
   - `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` → drop tooling: classpath, .*PluginClasspath, kotlinCompilerClasspath, kaptClasspath, annotationProcessor, detachedConfiguration.*.
2. How we scope it (runtime vs development)
   - `DEPENDENCY_GRAPH_RUNTIME_INCLUDE_CONFIGURATIONS` → treat runtimeClasspath as runtime (what ships).
   - `DEPENDENCY_GRAPH_RUNTIME_EXCLUDE_CONFIGURATIONS` → keep testRuntimeClasspath out of runtime; everything else is development. (Strictly optional, but makes the scope labels cleaner.)

Cleaner Dependency Graph/SBOM and more relevant Dependabot alerts—JUnit/Mockito/tooling CVEs won't show up as runtime risks. We can filter by scope and fix runtime issues first.

Please review: Gradle can be surprising; there's a real chance I excluded something we actually want tracked. If you see a config we should include, let me know and I'll add it. OWASP Dependency-Check is still enabled—I'll cross-check its findings against GitHub's graph and follow up on any gaps.

https://github.com/gradle/github-dependency-graph-gradle-plugin

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
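To see what the include/exclude and runtime-scope patterns from the comment above would actually keep, drop, and label, here is an added example (not code from the PR or from the github-dependency-graph-gradle-plugin) that applies those patterns to a constructed list of Gradle configuration names; it assumes each variable holds one regex applied as a full match against the configuration name, with the comma-separated lists joined into alternations.

```python
import re
from typing import Optional

# Patterns taken from the PR comment, joined into single alternation regexes.
# Assumption: each variable is one regex, full-matched against a configuration name.
INCLUDE = r"compileClasspath|runtimeClasspath|testCompileClasspath|testRuntimeClasspath"
EXCLUDE = (r"classpath|.*PluginClasspath|kotlinCompilerClasspath|kaptClasspath|"
           r"annotationProcessor|detachedConfiguration.*")
RUNTIME_INCLUDE = r"runtimeClasspath"
# Under full-match semantics testRuntimeClasspath never matches RUNTIME_INCLUDE,
# so this exclusion is belt-and-braces, as the comment notes ("strictly optional").
RUNTIME_EXCLUDE = r"testRuntimeClasspath"


def _matches(pattern: str, name: str) -> bool:
    return re.fullmatch(pattern, name) is not None


def classify(config_name: str) -> Optional[str]:
    """Return 'runtime', 'development', or None when the configuration is not submitted."""
    if _matches(EXCLUDE, config_name) or not _matches(INCLUDE, config_name):
        return None
    if _matches(RUNTIME_INCLUDE, config_name) and not _matches(RUNTIME_EXCLUDE, config_name):
        return "runtime"
    return "development"


def plan_submission(config_names):
    """Group configuration names by the scope they would carry in the submitted graph."""
    plan = {"runtime": [], "development": [], "excluded": []}
    for name in config_names:
        plan[classify(name) or "excluded"].append(name)
    return plan


# Constructed sample: the four app/test classpaths plus the kind of build-tooling
# and intermediate configurations that added noise to the original submission.
SAMPLE_CONFIGS = [
    "compileClasspath", "runtimeClasspath", "testCompileClasspath", "testRuntimeClasspath",
    "classpath", "errorpronePluginClasspath", "annotationProcessor",
    "detachedConfiguration7", "kaptClasspath", "runtimeOnly",
]

if __name__ == "__main__":
    for scope, names in plan_submission(SAMPLE_CONFIGS).items():
        print(f"{scope}: {', '.join(names)}")
```

Note that an intermediate configuration such as `runtimeOnly` is dropped by the include list; its dependencies still reach the graph through `runtimeClasspath`, which is the kind of thing worth checking when reviewing whether anything wanted was excluded.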
