Blackduck Detect with Kotlin Gradle: exclude plugins and test-related dependencies in scan results

We are scanning a Kotlin Gradle-based project with Blackduck.

We can see a few licence-related issues with our project, but when we dig deeper it seems like they are coming from Gradle plugins related to our build.

As the deployed artefacts don't include the plugins and their related dependencies, we want to make sure we ignore them in the scan, but I can't find out how.

The environment

  • Gradle 6.6.1
  • Synopsys Detect for Jenkins: 3.1.0
  • Detect Shell Script 2.5.1
  • Detect jar 6.9.1

Command used

~/tools/Detect_Installation/detect.sh \
--blackduck.api.token=[api-token] \
--blackduck.trust.cert=false \
--blackduck.url=https://my-blackduck.com \
--logging.level.com.synopsys.integration=DEBUG \
--detect.blackduck.scan.mode=INTELLIGENT \
--detect.project.name=project-name \
--detect.project.version.name=project-branch \
--detect.project.version.distribution=EXTERNAL \
--detect.code.location.name=project-name/SSW-project-branch \
--detect.project.version.phase=DEVELOPMENT \
--detect.excluded.directories.defaults.disabled=false \
--detect.detector.search.exclusion.paths=gradle/plugins \
--detect.cleanup=false


Solution 1:

I found the following in Synopsys documentations.

I guess the tricky part was to understand that when it comes to Gradle they don't refer to test as a scope like in Maven. They refer to it as configurations.

Add the following flag:

--detect.gradle.excluded.configurations=checkstyle,testImplementation,testRuntimeOnly,testCompileClasspath,testCompileOnly,testRuntime,testRuntimeClasspath,testCompile

You can also use wildcards to make the list shorter. Just be careful that it is not too aggressive.

--detect.gradle.excluded.configurations=checkstyle,jacoco*,test*

For more details see the Synopsys community.

To get the list of configurations see How can I get a list of all configurations for a Gradle project?
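The "not too aggressive" caveat in Solution 1 is easy to get wrong with wildcards, so here is an added example (not part of the original question or answer) that dry-runs an exclusion list against a project's Gradle configuration names before it is handed to detect.sh. The configuration names are a constructed sample of what a Kotlin/JVM project typically lists (replace them with the real output of your configurations listing task), and the script assumes Detect's wildcards behave like a plain shell `*` glob; the function names are the example's own.

```sh
#!/bin/sh
# Added example: dry-run a --detect.gradle.excluded.configurations value
# against the project's Gradle configuration names so that a wildcard such
# as "test*" cannot silently drop a configuration that ships in the artefact.
#
# Assumption: Detect wildcards match like shell "*" globs.

set -f   # never expand "*" in patterns against files in the working directory

# Constructed sample of configuration names (not taken from the page).
SAMPLE_CONFIGS="api implementation compileClasspath runtimeClasspath runtimeOnly \
checkstyle jacocoAgent jacocoAnt testImplementation testRuntimeOnly \
testCompileClasspath testRuntimeClasspath kotlinCompilerClasspath detekt"

# The short wildcard form from Solution 1, exactly as passed on the command line.
EXCLUDED_PATTERNS="checkstyle,jacoco*,test*"

# matches_exclusion NAME PATTERNS: exit 0 if NAME matches any comma-separated glob.
matches_exclusion() {
  name=$1
  old_ifs=$IFS
  IFS=,
  for p in $2; do
    # an unquoted $p in a case pattern is matched as a glob, not literally
    case "$name" in
      $p) IFS=$old_ifs; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# excluded_configs CONFIGS PATTERNS: print the configurations Detect would skip.
excluded_configs() {
  for c in $1; do
    matches_exclusion "$c" "$2" && printf '%s\n' "$c"
  done
  return 0
}

# kept_configs CONFIGS PATTERNS: print the configurations that still get scanned.
kept_configs() {
  for c in $1; do
    matches_exclusion "$c" "$2" || printf '%s\n' "$c"
  done
  return 0
}

# count_excluded CONFIGS PATTERNS: print how many configurations would be skipped.
count_excluded() {
  n=0
  for c in $1; do
    if matches_exclusion "$c" "$2"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# check_not_too_aggressive PATTERNS MUST_KEEP: exit 1 if any configuration that
# feeds the deployed artefact (MUST_KEEP, space separated) would be excluded.
check_not_too_aggressive() {
  rc=0
  for must in $2; do
    if matches_exclusion "$must" "$1"; then
      echo "WARNING: '$1' would also exclude production configuration '$must'" >&2
      rc=1
    fi
  done
  return $rc
}

# Dry run for the sample project.
echo "Excluded by '$EXCLUDED_PATTERNS':"
excluded_configs "$SAMPLE_CONFIGS" "$EXCLUDED_PATTERNS"
echo "Still scanned:"
kept_configs "$SAMPLE_CONFIGS" "$EXCLUDED_PATTERNS"
check_not_too_aggressive "$EXCLUDED_PATTERNS" "runtimeClasspath compileClasspath"
```

Run it with the real configuration list pasted into SAMPLE_CONFIGS; a pattern such as `*Classpath` trips the final check because it would also drop `runtimeClasspath` and `compileClasspath`, which is exactly the over-aggressive case the answer warns about.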

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
