Identify security issues in dependencies
OWASP Dependency check
We use the OWASP Dependency Check Maven plugin, which lists known vulnerabilities (CVEs) in Maven dependencies:
./mvnw org.owasp:dependency-check-maven:check -DcveValidForHours=12
- Provide the full plugin namespace (org.owasp:dependency-check-maven), otherwise on some projects the goal may not be found.
- cveValidForHours defines, in hours, how long the downloaded CVE database is considered valid before it is re-downloaded in full (a long operation). The default value is 4 hours; we increase it to 12.
The Maven plugin generates, for each Maven project, a file target/dependency-check-report.html presenting all the
Methodology to upgrade dependencies
- For a given Maven project (e.g.
- from the
- for a given dependency with a security issue,
- follow these steps:
- Search for the considered dependency in the pom.xml of the project
  - If it is present:
    - Upgrade it with the help of https://mvnrepository.com/
    - Build with the command line:
      ./mvnw $MAVEN_CLI_OPTS validate clean install -Dmaven.test.skip=true && ./mvnw $MAVEN_CLI_OPTS test
    - Run an audit on the Web-app project
    - Run an audit on the Server project
  - If it is not present:
    - This is a transitive dependency, i.e. one brought in by another dependency.
    - That upper (direct) dependency should be treated first.
- Repeat for each dependency
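The direct-versus-transitive decision above, as an added example that is not part of the original page or of the Dependency Check project: the script checks whether a flagged group:artifact is declared in a dependency block of pom.xml and, if it is not, walks a saved copy of the output of mvn dependency:tree to name the top-level dependency that pulls it in, which is the one to upgrade first. The pom.xml, the dependency tree and every coordinate in them are constructed sample data; the tree parsing assumes the layout of mvn dependency:tree output (three characters of tree-drawing prefix per nesting level).

```shell
#!/bin/sh
# Added example (not from the original page): classify a dependency flagged by
# OWASP Dependency-Check as direct (declared in pom.xml) or transitive, and for
# a transitive one report the direct dependency that brings it in.
# All inputs below are constructed samples; the tree mimics "mvn dependency:tree".

# Returns 0 when group:artifact ($2) appears in a <dependency> block of the pom ($1).
declared_in_pom() {
  pom="$1"; group="${2%%:*}"; artifact="${2##*:}"
  awk -v g="$group" -v a="$artifact" '
    /<dependency>/            { inblock = 1; gid = ""; aid = "" }
    inblock && /<groupId>/    { gid = $0; gsub(/.*<groupId>|<\/groupId>.*/, "", gid) }
    inblock && /<artifactId>/ { aid = $0; gsub(/.*<artifactId>|<\/artifactId>.*/, "", aid) }
    /<\/dependency>/          { inblock = 0; if (gid == g && aid == a) { found = 1; exit } }
    END { if (found) exit 0; exit 1 }
  ' "$pom"
}

# Prints the depth-1 (direct) dependency under which group:artifact ($2) sits in the
# saved tree output ($1), or "absent" when the artifact is not in the tree.
find_upper_dependency() {
  tree="$1"; target="$2"
  awk -v target="$target" '
    { sub(/^\[INFO\] ?/, "") }
    {
      # A tree row is "<prefix>group:artifact:type:version:scope"; the prefix is made of
      # "+- ", "\- ", "|  " and "   " units, so its length gives the nesting depth.
      if (!match($0, /[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:/)) next
      prefix = substr($0, 1, RSTART - 1)
      if (prefix !~ /^[^A-Za-z0-9]*$/ || (RSTART - 1) % 3 != 0) next
      coord = substr($0, RSTART); depth = (RSTART - 1) / 3
    }
    depth == 1 { top = coord }                 # remember the current direct dependency
    depth >= 1 && index(coord, target ":") == 1 { print top; found = 1; exit }
    END { if (!found) print "absent" }
  ' "$tree"
}

# The methodology from the page: direct -> upgrade it; transitive -> treat the upper one first.
classify_dependency() {
  pom="$1"; tree="$2"; target="$3"
  if declared_in_pom "$pom" "$target"; then
    echo "direct: upgrade $target in $pom"
  else
    upper="$(find_upper_dependency "$tree" "$target")"
    if [ "$upper" = "absent" ]; then
      echo "absent: $target is not in the dependency tree"
    else
      echo "transitive: upgrade $upper first"
    fi
  fi
}

# Constructed sample pom.xml and dependency tree (hypothetical coordinates).
SAMPLE_POM="$(mktemp)"; SAMPLE_TREE="$(mktemp)"
cat > "$SAMPLE_POM" <<'EOF'
<project>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>5.3.20</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.13.2</version>
    </dependency>
  </dependencies>
</project>
EOF
cat > "$SAMPLE_TREE" <<'EOF'
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.20:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
EOF

classify_dependency "$SAMPLE_POM" "$SAMPLE_TREE" "com.fasterxml.jackson.core:jackson-databind"
classify_dependency "$SAMPLE_POM" "$SAMPLE_TREE" "org.springframework:spring-core"
classify_dependency "$SAMPLE_POM" "$SAMPLE_TREE" "org.hamcrest:hamcrest-core"
```

On a real project, replace the two sample files with the project's pom.xml and with the saved output of ./mvnw dependency:tree; non-tree lines of that output (build banners, timings) are skipped because their prefix is not made of tree-drawing characters. The direct dependency printed for a transitive finding is the one whose version bump should be tried first, after which the audit is re-run as described in the methodology.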
- Dependency check documentation (important to read, as many concepts are laid down there)
- Dependency check Maven plugin: documentation
- Dependency check Maven plugin: goals and configuration