|

OWASP Vulnerability Checks With Maven

ByAdmin

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. OWASP issues and maintains several recommendations regarding how to write secure code.

One of the projects OWASP runs is the OWASP Dependency-Check. Lets integrate OWASP Dependency-Check in your Java/Maven project.

Introducing the dependency checker

Here’s the configuration I’m using in my pom.xml:

<project>
    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>7.1.1</version>
                <configuration>
                    <cveValidForHours>12</cveValidForHours>
                    <failBuildOnCVSS>4</failBuildOnCVSS>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
To run a standalone dependency check:
mvn dependency-check:check

Report Integration

Integrating a dependency check report into the generated Maven site is also quite easy thanks to the examples. Here’s the relevant snippet of the pom.xml

<configuration>
    <reportPlugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>7.1.1</version>
            <configuration>
                <name>Dependency Check</name>
            </configuration>
            <reportSets>
                <reportSet>
                    <reports>
                        <report>aggregate</report>
                    </reports>
                </reportSet>
            </reportSets>
        </plugin>
    </reportPlugins>
</configuration>

If you prefer to browse the detected vulnerabilities in your browser instead of the CLI, Dependency-Check creates an HTML report inside your target folder named dependency-check-report.html

Similar Posts

  • Sonarqube Analysis for Java Maven Project

    ByAdmin

    SonarQube (formerly Sonar) is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs. We will use the sonarqube docker image to run the sonarqube locally. Afterwards we will run the analysis on local maven java project. docker pull sonarqube:lts-community You…

  • OWASP Top 10

    ByAdmin

    The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all…

  • Spring Boot – JaCoCo Integration

    ByAdmin

    JaCoCo (Java Code Coverage) is a popular open-source toolkit for measuring and reporting code coverage in Java projects. When integrated with Spring Boot, it helps ensure your tests are effectively covering your application logic, improving reliability and maintainability. What is JaCoCo? JaCoCo is a free Java code coverage library distributed under the Eclipse Public License….