Audits Android dependencies via osv-scanner recursively over
the android/ directory.
What gets scanned
osv-scanner understands these Android-relevant manifests:
- gradle.lockfile: the result of Gradle's dependency locking. Captures the exact, resolved transitive dependency tree.
- buildscript-gradle.lockfile: same idea, for the buildscript classpath (Gradle plugins and their dependencies).
- pom.xml: Maven; occasionally appears in Gradle projects.
Mob's Android template does NOT enable dependency locking by default,
so a fresh mix mob.new app has none of these files and will report
:not_applicable for this layer until the user opts in. Treat that status
as "nothing was audited", not as a clean result: an unlocked Gradle build
resolves version ranges at build time, so there is no pinned inventory for
osv-scanner to check. The layer's notes spell out the remediation.
Enabling Gradle dependency locking
```groovy
// android/build.gradle
allprojects {
    configurations.all {
        resolutionStrategy.activateDependencyLocking()
    }
}
```

```groovy
// android/app/build.gradle
dependencyLocking {
    lockAllConfigurations()
}
```

Then cd android && ./gradlew :app:dependencies --write-locks writes
android/app/gradle.lockfile. Gradle places each project's lockfile next to
that project's build file, so the file appears in the app module, not in
android/ itself; osv-scanner's recursive walk of android/ still finds it.
Commit the lockfile: it is what turns a floating version range into a pin
that can be audited and diffed, and a deliberate upgrade is recorded by
rerunning the command with --write-locks (or --update-locks for one
group). Two caveats: --write-locks only locks configurations that the task
actually resolves, and the buildscript classpath is a separate
configuration container, so the settings above do not produce
buildscript-gradle.lockfile; lock the buildscript classpath separately
with resolutionStrategy.activateDependencyLocking() as described in
Gradle's dependency-locking docs if plugin dependencies should be
audited too.
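A small check of the layer's gating logic against an android/ tree, as an added example in bash (not Mob's own code): it finds the manifests osv-scanner recognises, reports not_applicable when there are none, lists what a gradle.lockfile actually pins, and shows the recursive scan invocation. The osv-scanner flag used (-r) is the documented recursive mode; the lockfile that demo() writes is constructed for illustration and its versions are not a recommendation.

```bash
#!/usr/bin/env bash
# Added example, not Mob's code: reproduces the audit layer's gating logic
# for an android/ tree and shows what a gradle.lockfile pins.
set -eu

# Manifests osv-scanner recognises in an Android project (as listed on this page).
ANDROID_MANIFESTS='gradle.lockfile buildscript-gradle.lockfile pom.xml'

# Print every recognised manifest below $1, sorted, one per line (nothing if none).
find_android_manifests() {
  local root="$1" name
  for name in $ANDROID_MANIFESTS; do
    find "$root" -type f -name "$name" 2>/dev/null
  done | LC_ALL=C sort
}

# "not_applicable" when locking is off (no manifests to scan), else "applicable".
# not_applicable means nothing was audited, not that nothing is vulnerable.
android_layer_status() {
  if [ -z "$(find_android_manifests "$1")" ]; then
    echo not_applicable
  else
    echo applicable
  fi
}

# Coordinates pinned by a gradle.lockfile, one "group:artifact:version" per line.
# Entries look like "group:artifact:version=configA,configB"; "#" lines are
# comments and the "empty=..." trailer lists configurations that resolved to nothing.
lockfile_coordinates() {
  grep -v -e '^#' -e '^empty=' "$1" | cut -d= -f1 | LC_ALL=C sort -u
}

# Scan the tree the way the layer does. osv-scanner exits non-zero when it
# finds vulnerabilities, so the caller decides whether that fails the audit.
scan_android_tree() {
  if ! command -v osv-scanner >/dev/null 2>&1; then
    echo "osv-scanner not installed; would run: osv-scanner -r $1" >&2
    return 0
  fi
  osv-scanner -r "$1"
}

# Demo on a constructed tree: first an unlocked module, then one with a lockfile.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/android/app"
  echo "before locking: $(android_layer_status "$tmp/android")"
  # Constructed lockfile in Gradle's format (versions chosen for illustration only).
  cat > "$tmp/android/app/gradle.lockfile" <<'EOF'
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.jetbrains.kotlin:kotlin-stdlib:1.9.22=debugCompileClasspath,releaseCompileClasspath
org.jetbrains:annotations:13.0=debugCompileClasspath,releaseCompileClasspath
empty=annotationProcessor,kapt
EOF
  echo "after locking: $(android_layer_status "$tmp/android")"
  echo "pinned coordinates:"
  lockfile_coordinates "$tmp/android/app/gradle.lockfile"
  rm -rf "$tmp"
}

demo
```

The status function is deliberately binary: the layer's job is to say whether an inventory exists to audit, and the scan itself (scan_android_tree) is a separate step whose non-zero exit is the signal that findings need triage.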