The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. OWASP issues and maintains several recommendations regarding how to write secure code.
One of the projects OWASP runs is the OWASP Dependency-Check. Lets integrate OWASP Dependency-Check in your Java/Maven project.
Introducing the dependency checker
Here’s the configuration I’m using in my pom.xml:
<project>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>7.1.1</version>
<configuration>
<cveValidForHours>12</cveValidForHours>
<failBuildOnCVSS>4</failBuildOnCVSS>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>To run a standalone dependency check:
mvn dependency-check:check
Report Integration
Integrating a dependency check report into the generated Maven site is also quite easy thanks to the examples. Here’s the relevant snippet of the pom.xml
<configuration>
<reportPlugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>7.1.1</version>
<configuration>
<name>Dependency Check</name>
</configuration>
<reportSets>
<reportSet>
<reports>
<report>aggregate</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</reportPlugins>
</configuration>If you prefer to browse the detected vulnerabilities in your browser instead of the CLI, Dependency-Check creates an HTML report inside your target folder named dependency-check-report.html
OWASP Vulnerability Checks With Maven
