gradle
Safeguard articles tagged "gradle" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle
CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.
Auditing and pinning transitive Java dependencies with Maven and Gradle
Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.
Gradle Dependency Security: Locking, Verification, and Version Catalogs
Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.
Securing mobile app dependencies: CocoaPods and Gradle
CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.
Reachability Analysis for Java: A 2026 Deep Dive
Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.
Scanning Kotlin and Android projects with OWASP Dependenc...
A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.
Maven and Gradle dependency supply chain attacks in the J...
How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.
How Snyk resolves Maven and Gradle dependency graphs incl...
Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.
Java Supply Chain Security Beyond Log4Shell
Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.
Gradle Version Catalogs Security
Gradle version catalogs centralise dependency versions in one file. The security payoff is concrete: auditability, uniform enforcement, and a single PR gate.
Gradle Build Cache Security Hardening
The Gradle build cache is a performance feature with supply chain consequences. Here is how to configure it so cache poisoning, stale outputs, and cross-project contamination do not become your next incident.
Gradle Plugin Security Risks: The Code That Runs Before Your Code
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.