However, I realised the cause. The dependency scanner is using ‘maven’ I think, rather than our gradle definitions? This is despite a gradle build invocation being in .lift.toml
We started our gradle journey for > 500 maven projects about 18 months ago. In the last month or so we’ve switched to using gradle, but haven’t yet deleted the poms
We expect to delete them very soon (days/week) so this is likely a short term issue, but thought I’d check if there’s any configuration possible?
Hi Nigel, dependency scanning works by looking for the different types of manifests (pom.xml, go.mod, build.gradle, etc.) that declare dependencies and processing those files. You can try configuring ignoreFiles in your lift toml to ignore those findings. I haven’t tested it myself and have some doubts, since dependency scanning works slightly differently than static code analysis. Or hopefully it’s just a short term issue. Either way I’ll make sure we take a look at this and come up with a better solution for the future.
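For readers following the thread, here is what the suggested configuration would look like. This is an added illustration, not a file from Nigel's repository or from the Lift project; it assumes `.lift.toml` accepts a `build` string and an `ignoreFiles` block of gitignore-style patterns (the reply above notes that whether dependency scanning honours `ignoreFiles` is untested), and the Gradle wrapper path is a placeholder.

```toml
# Assumed .lift.toml layout (illustrative, not the original poster's file).
# Point the analysis at the Gradle build rather than letting the scanner
# pick up the legacy Maven manifests that are still checked in.
build = "./gradlew build"   # assumption: wrapper is at the repository root

# Exclude the leftover Maven manifests so the dependency scanner does not
# process them alongside the Gradle definitions. The reply above says this
# is untested for dependency scanning, so verify on a scan before relying on it.
ignoreFiles = """
**/pom.xml
"""
```

Once the poms are actually deleted, the `ignoreFiles` block can be dropped so future Maven manifests (for example, a new sub-project added by mistake) are not silently skipped by the scanner.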