Identify security issues in dependencies
OWASP Dependency check
We use OWASP Dependency check Maven plugin that lists issues with Maven dependencies.
Usage:
./mvnw org.owasp:dependency-check-maven:check -DcveValidForHours=12
- Provide the full namespace
org.owasp:otherwise on some projects the goal may not be found. cveValidForHoursdefines in hours when to re-download all the CVE database (which is a long operation). Default value is 4 hours, we increase it to 12.
The Maven plugin generates, for each Maven project, a file target/dependency-check-report.html presenting all the
security issues.
Methodology to upgrade dependencies
- For a given Maven project (e.g.
web-app/asqatasun-web-app/), - from the
target/dependency-check-report.htmlreport, - for a given dependency with security issue,
- follow these steps:
- Search the considered dependency in the
pom.xmlof the project - If it is present:
- Upgrade it with the help of https://mvnrepository.com/
- Build with command line:
./mvnw $MAVEN_CLI_OPTS validate clean install -Dmaven.test.skip=true && ./mvnw $MAVEN_CLI_OPTS test - Run an audit on the Web-app project
- Run an audit on the Server project
- If it is not present:
- This is a transitive dependency, i.e. brought by another dependency.
- That upper dependency should be treated first.
- Repeat for each dependency
Resources
- Dependency check documentation (Important to read as many concepts are laid down.)
- Dependency check Maven plugin: documentation
- Dependency check Maven plugin: goals and configuration