detecting gradle transitive dependencies
I've been working on updating riot-android, which integrates a new version of the jitsi-sdk (https://github.com/jitsi/jitsi-meet/issues/4106)
The recommended way of including the jitsi-sdk is via their own maven repo and then including:
implementation ('org.jitsi.react:jitsi-meet-sdk:2.+') { transitive = true }
in the app's build.gradle file.
Now we can't use their maven repo, but even if that was not a blocker here, the sdk transitively includes gms dependencies via some react-native module. (See the linked issue for details.)
As I see it we can;t actually detect this currently, and as the google() repo has to be whitelisted any app can just silently pull in all of the play services via a transitive dependency without triggering our scanner :-(.
Any ideas what to do?