Ctrl+K

Owasp Dependency-Check - Versions maven plugin

Owasp Dependency-Check - Versions maven plugin#

Since version 1.24 you have some reporting tools for maven dependencies and plugins.

Owasp Dependency-Check#

Owasp Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

Its maven profile is defined in both pom.xml and igloo/igloo-parents/igloo-parent-maven-configuration-common/pom.xml.

To run the dependency-check, use the option owasp.enabled. For example you can launch :

mvn -Dowasp.enabled=true -U -DskipTests clean install site:site -DnvdApiKey=XXXXXXXXX

NVD API Key can be created on https://nvd.nist.gov/developers/request-an-api-key.

After running your command, you can read the report in project-name/target/site/dependency-check-report.html.

The dependency check may sometimes identify irrelevants vulnerabilities. To suppress them, copy the xml generated in the report, and add it in both files owasp-suppressions.xml.

If targetted project pom does not inherit igloo-maven, like spring-boot-starter modules, you can invoke dependency checker with the alternate command:

Versions maven plugin#

The versions maven plugin is used when you want to manage the versions of artifacts in a project’s POM. We use it exclusively for its reporting goals.

Its maven profile is defined in both pom.xml and igloo/igloo-parents/igloo-parent-maven-configuration-common/pom.xml.

To run the versions maven plugin, use the option update-report.enabled. For example you can launch :

mvn -Dupdate-report.enabled=true -U -DskipTests clean install site:site && mvn -Dupdate-report.enabled=true site:stage

When the command has ended (it can take a while), you can find the reports in project-name/target/site/index.html.

Contents