Using Gradle integration
You can translate projects that are built with Gradle without any modification of the build.gradle file. When the build runs, OpenText SAST translates the source files as they are compiled. Alternatively, you can use the OpenText SAST Gradle Plugin to perform the analysis from within your Gradle build script (see Using the OpenText SAST Gradle Plugin).
See Build tools for the platforms and languages supported specifically for Gradle integration. Files in the project written in languages that the Gradle integration does not support are not translated, and no error is reported. These files are therefore not analyzed, and any potential vulnerabilities in them can go undetected.
To integrate OpenText SAST into your Gradle build, make sure that the sourceanalyzer executable is included in the PATH environment variable. Always use the sourceanalyzer executable from the system PATH for all Gradle commands to build the project.
If you have multiple OpenText SAST installations, make sure that the version you want to use for your Gradle projects is defined before all other OpenText SAST versions included in the PATH environment variable.
Prepend the Gradle command line with the sourceanalyzer command as follows:
sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>] <gradle_tasks>
Gradle integration examples
sourceanalyzer -b MyProject gradle clean build
sourceanalyzer -b MyProject gradle --info assemble
If your build file name is different from build.gradle, include the build file name with the --build-file option as shown in the following example:
sourceanalyzer -b MyProject gradle --build-file sample.gradle clean assemble
You can also use the Gradle Wrapper (gradlew) as shown in the following example:
sourceanalyzer -b MyProject gradlew [<gradle_options>]
Translate a project and exclude a file from the translation:
sourceanalyzer -b MyProject -exclude src\test\**\* gradlew build
If your application uses XML or property configuration files, translate these files with a separate sourceanalyzer command. Use the same build ID that you used for the project files. The following are examples:
sourceanalyzer -b MyProject <path_to_xml_files>
sourceanalyzer -b MyProject <path_to_properties_files>
After OpenText SAST translates the project with gradle or gradlew, you can then perform the analysis phase and save the results in an FPR file as shown in the following example:
sourceanalyzer -b MyProject -scan -f MyResults.fpr
Including verbose and debug options
If you use the OpenText SAST -verbose option, you must also include the -gradle option. This applies to both Gradle and the Gradle Wrapper. For example:
sourceanalyzer -b MyProject -gradle -verbose gradle assemble
As part of the Gradle integration, OpenText SAST temporarily modifies the original build file build.gradle. If you include the -debug option, OpenText SAST saves a copy of the original build file as build.gradle.orig. After the analysis with the -debug option is complete, rename build.gradle.orig back to build.gradle and run sourceanalyzer again without the -debug option.
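The procedure above (translate the Gradle build, translate the XML and properties files under the same build ID, then scan to an FPR) and the -gradle/-verbose pairing, as an added wrapper script that is not part of the OpenText documentation. It assumes a POSIX shell, a project that uses the Gradle Wrapper, configuration files under src/main/resources (a hypothetical location), and the MyResults.fpr name from the text; the SCA_VERBOSE variable and the function names are inventions of this example.

```shell
#!/bin/sh
# Added example, not part of the OpenText documentation: run the Gradle
# integration end to end with one build ID, using whichever sourceanalyzer
# PATH resolves to first. Hypothetical assumptions: the project uses the
# Gradle Wrapper (gradlew), its XML and .properties files live under
# src/main/resources, and results are written to MyResults.fpr.
set -eu

# Print the sourceanalyzer that PATH resolves to. The first match on PATH is
# the one every gradle/gradlew invocation will use, so check it once up front
# rather than discovering a version mismatch between installations at scan time.
resolve_sourceanalyzer() {
    command -v sourceanalyzer || {
        echo "sourceanalyzer not found on PATH" >&2
        return 1
    }
}

# Extra SCA options for the translation phase. When SCA_VERBOSE=1 (a variable
# invented for this example) the -verbose flag is paired with -gradle, which
# the documentation requires for both gradle and gradlew builds.
verbose_opts() {
    if [ "${SCA_VERBOSE:-0}" = 1 ]; then
        echo "-gradle -verbose"
    fi
}

# Compose a translation command line of the form
#   sourceanalyzer -b <build_id> [<sca_options>] <gradle_cmd> <gradle_tasks>
# $1 = build ID, $2 = gradle or gradlew, $3 = Gradle tasks as one string,
# remaining arguments = SCA options placed before the Gradle command.
translate_cmd() {
    build_id=$1; gradle_cmd=$2; tasks=$3
    shift 3
    cmd="sourceanalyzer -b $build_id"
    for opt in "$@"; do
        cmd="$cmd $opt"
    done
    echo "$cmd $gradle_cmd $tasks"
}

# Run every phase with the same build ID so the Gradle-compiled sources, the
# separately translated configuration files and the scan share one
# intermediate model. The exclude pattern is quoted so the shell does not
# expand it; it is the POSIX form of the src\test\**\* pattern in the text.
run_pipeline() {
    build_id=$1
    sca=$(resolve_sourceanalyzer)
    # shellcheck disable=SC2046  # verbose_opts deliberately yields zero or two words
    "$sca" -b "$build_id" $(verbose_opts) -exclude 'src/test/**/*' gradlew clean build
    "$sca" -b "$build_id" src/main/resources/*.xml
    "$sca" -b "$build_id" src/main/resources/*.properties
    "$sca" -b "$build_id" -scan -f MyResults.fpr
}

# Usage: sh sca-gradle.sh run [<build_id>]
if [ "${1:-}" = run ]; then
    run_pipeline "${2:-MyProject}"
fi
```

Run it as `sh sca-gradle.sh run MyProject`. The path printed by resolve_sourceanalyzer is the installation every phase will use; if it is the wrong one, reorder PATH before translating, because the build ID written by one version is not what a different version will scan.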
See Also