# `MobDev.SecurityScan.Layers.GradleDeps`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/layers/gradle_deps.ex#L1)

Audits Android dependencies via `osv-scanner` recursively over
the `android/` directory.

## What gets scanned

`osv-scanner` understands these Android-relevant manifests:

  * `gradle.lockfile` — written per Gradle project (for the template, under
    `android/app/`) by Gradle's [dependency locking][1]. Pins every
    resolved module, transitive ones included, to one exact version, which
    is what gives the scanner precise coordinates to query.
  * `buildscript-gradle.lockfile` — same idea, for the buildscript
    classpath (Gradle plugins).
  * `pom.xml` — Maven, which occasionally appears in Gradle projects.
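To make concrete what osv-scanner gets out of a `gradle.lockfile`, here is an added, stand-alone parser for that format (this is illustration code written for this page, not code from mob_dev or osv-scanner). It turns each locked line into Maven coordinates and the Package URL (`pkg:maven/...`) form OSV uses for Maven modules, keeps the `empty=` configurations separately, and rejects anything that is neither a comment nor a `coords=configurations` line. The sample lockfile at the bottom is constructed; its module names and versions are illustrative, and `runtime_purls` and `LockedDep` are names chosen here, not project APIs.

```python
"""Parse a Gradle ``gradle.lockfile`` into exact Maven coordinates.

Added illustration of the single-lockfile-per-project format that Gradle
writes and osv-scanner reads; not code from mob_dev or osv-scanner.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LockedDep:
    group: str
    artifact: str
    version: str
    configurations: Tuple[str, ...]

    @property
    def purl(self) -> str:
        # Package URL spelling of a Maven module, as used by OSV.
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"


def parse_gradle_lockfile(text: str) -> Tuple[List[LockedDep], List[str]]:
    """Return (locked modules, configurations that resolved to nothing).

    Line forms in the file:
      '#' comment lines (Gradle writes three at the top)
      'group:artifact:version=conf1,conf2'   one per locked module
      'empty=conf1,conf2'                     configurations with no deps
    Any other line raises ValueError: a hand-edited or truncated lockfile
    should fail loudly rather than be half-scanned.
    """
    deps: List[LockedDep] = []
    empty: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coords, sep, confs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'coords=configurations'")
        conf_list = tuple(c for c in confs.split(",") if c)
        if coords == "empty":
            empty.extend(conf_list)
            continue
        parts = coords.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: bad coordinates {coords!r}")
        group, artifact, version = parts
        deps.append(LockedDep(group, artifact, version, conf_list))
    return deps, empty


def runtime_purls(deps: List[LockedDep], suffix: str = "RuntimeClasspath") -> List[str]:
    """PURLs of modules that ship in the app (any *RuntimeClasspath
    configuration), deduplicated and sorted. Lint, annotation-processor
    and compile-only entries are left out: they never reach the device,
    so a finding there is a build-host concern, not an app exposure."""
    return sorted(
        d.purl for d in deps if any(c.endswith(suffix) for c in d.configurations)
    )


# Constructed sample resembling what `./gradlew :app:dependencies --write-locks`
# emits. Module versions are illustrative, not claims about any real release.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
androidx.activity:activity:1.8.0=debugRuntimeClasspath,releaseRuntimeClasspath
androidx.core:core:1.12.0=debugCompileClasspath,debugRuntimeClasspath,releaseCompileClasspath,releaseRuntimeClasspath
com.android.tools.lint:lint-api:31.2.0=lintClassPath
org.jetbrains.kotlin:kotlin-stdlib:1.9.10=debugCompileClasspath,debugRuntimeClasspath,releaseCompileClasspath,releaseRuntimeClasspath
empty=annotationProcessor,debugAnnotationProcessor,releaseAnnotationProcessor
"""

if __name__ == "__main__":
    deps, empty = parse_gradle_lockfile(SAMPLE_LOCKFILE)
    for purl in runtime_purls(deps):
        print(purl)
    print(f"{len(deps)} locked modules, {len(empty)} empty configurations")
```

Run it with no arguments to see the three runtime PURLs from the sample; point `parse_gradle_lockfile` at the contents of a real `android/app/gradle.lockfile` to list what osv-scanner will query for your own app.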

Mob's Android template does NOT enable dependency locking by default,
and `osv-scanner` does not parse `build.gradle` itself, so a fresh
`mix mob.new` app has nothing for this layer to audit and reports
`:not_applicable` until the user opts in. The layer's notes spell out
the remediation.

## Enabling Gradle dependency locking

    // android/build.gradle
    allprojects {
      configurations.all {
        resolutionStrategy.activateDependencyLocking()
      }
    }

    // android/app/build.gradle
    dependencyLocking {
      lockAllConfigurations()
    }

Then `cd android && ./gradlew :app:dependencies --write-locks`
resolves every configuration and writes `android/app/gradle.lockfile`.
Commit it, and re-run the same command after changing dependencies so the
lockfile (and therefore the scan) reflects what actually ships. Note that
these snippets lock project configurations only; a
`buildscript-gradle.lockfile` additionally requires
`activateDependencyLocking()` on the `buildscript` `classpath`
configuration.

[1]: https://docs.gradle.org/current/userguide/dependency_locking.html

---

*Consult [api-reference.md](api-reference.md) for complete listing*
