Safeguard
Tag

gradle

Safeguard articles tagged "gradle" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
Best Practices

Auditing and pinning transitive Java dependencies with Maven and Gradle

Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.

Jul 10, 20266 min read
Security Guides

Gradle Dependency Security: Locking, Verification, and Version Catalogs

Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.

Jul 4, 20265 min read
Open Source Security

Securing mobile app dependencies: CocoaPods and Gradle

CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.

Apr 29, 20267 min read
Application Security

Reachability Analysis for Java: A 2026 Deep Dive

Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.

Mar 4, 20266 min read
Open Source Security

Scanning Kotlin and Android projects with OWASP Dependenc...

A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.

Jan 29, 20268 min read
Open Source Security

Maven and Gradle dependency supply chain attacks in the J...

How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.

Jan 22, 20267 min read
Open Source Security

How Snyk resolves Maven and Gradle dependency graphs incl...

Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.

Aug 30, 20257 min read
Engineering

Java Supply Chain Security Beyond Log4Shell

Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.

Aug 21, 20256 min read
Open Source Security

Gradle Version Catalogs Security

Gradle version catalogs centralise dependency versions in one file. The security payoff is concrete: auditability, uniform enforcement, and a single PR gate.

Aug 18, 20245 min read
DevSecOps

Gradle Build Cache Security Hardening

The Gradle build cache is a performance feature with supply chain consequences. Here is how to configure it so cache poisoning, stale outputs, and cross-project contamination do not become your next incident.

Jun 10, 20247 min read
Software Supply Chain Security

Gradle Plugin Security Risks: The Code That Runs Before Your Code

Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.

Jan 8, 20244 min read
gradle — Safeguard Blog