Dependency tab using Maven; should be Gradle

I noticed our dependency analysis for GitHub - odpi/egeria: Egeria core was out of date.

For example Sonatype Lift -- Console

However I realised the cause. The dependency scanner is using ‘maven’ I think, rather than our gradle definitions? This is despite a gradle build invocation being in .lift.toml

We started our gradle journey for > 500 maven projects about 18 months ago. In the last month or so we’ve switched to using gradle, but haven’t yet deleted the poms

We expect to delete them very soon (days/week) so this is likely a short term issue, but thought I’d check if there’s any configuration possible?

Hi Nigel, dependency scanning works by looking for the different types of manifests (pom.xml, go.mod, build.gradle, etc.) that declare dependencies and processing those files. You can try configuring ignoreFiles in your lift toml to ignore those findings. I haven’t tested it myself and have some doubts, since dependency scanning works slightly differently than static code analysis. Or hopefully it’s just a short term issue. Either way I’ll make sure we take a look at this and come up with a better solution for the future.

Update: After checking, it should respect the ignoreFiles config option. If it doesn’t, it’s a bug 🙂

It respected ignore files for sure:

jdkVersion = "17"
build = "./gradlew -x test -x javadoc  build"
ignoreFiles = """

Resulting in not finding any projects or dependencies …

I deleted the pom.xml files in a PR and the scan works correctly … And in practical terms we’ll do this in the next few days anyway

I presume the build system is already inferred before the exclusions are applied
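A small model of the two orderings Nigel speculates about, as an added example that is not code from the thread or from Sonatype Lift; the repository layout, the ignore globs and the manifest table are constructed, and the real scanner's internals are not known from the thread.

```python
import fnmatch

# Manifest file names mentioned in the thread, mapped to the build system each implies.
MANIFESTS = {"pom.xml": "maven", "build.gradle": "gradle", "go.mod": "go"}

# Constructed repository tree: a project mid-migration, with pom.xml and
# build.gradle side by side in every module (not the real Egeria layout).
REPO = [
    "pom.xml", "build.gradle", "settings.gradle",
    "module-a/pom.xml", "module-a/build.gradle",
    "module-b/pom.xml", "module-b/build.gradle",
    "module-b/src/main/java/App.java",
]

# Constructed ignore globs in the spirit of ignoreFiles: drop every pom.xml.
IGNORE = ["pom.xml", "*/pom.xml"]


def is_ignored(path, patterns):
    return any(fnmatch.fnmatch(path, pat) for pat in patterns)


def system_of(path):
    """Build system implied by a path's file name, or None if it is not a manifest."""
    return MANIFESTS.get(path.rsplit("/", 1)[-1])


def infer_then_filter(paths, patterns):
    """Order (a): infer build systems from the whole tree, then apply ignores.
    A system inferred from ignored files survives with no manifests left to scan."""
    systems = {system_of(p) for p in paths if system_of(p)}
    kept = [p for p in paths if not is_ignored(p, patterns)]
    return {s: sorted(p for p in kept if system_of(p) == s) for s in sorted(systems)}


def filter_then_infer(paths, patterns):
    """Order (b): apply ignores first, then infer only from the surviving manifests."""
    kept = [p for p in paths if not is_ignored(p, patterns)]
    systems = {system_of(p) for p in kept if system_of(p)}
    return {s: sorted(p for p in kept if system_of(p) == s) for s in sorted(systems)}


if __name__ == "__main__":
    print("infer then filter:", infer_then_filter(REPO, IGNORE))
    print("filter then infer:", filter_then_infer(REPO, IGNORE))
```

Order (a) reproduces the empty result reported above: Maven is still inferred as a build system, but every pom.xml it would read has been excluded, so that project yields nothing.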