An example on how to use the OWASP Dependency-Check maven plugin.
This example belongs to an article published in Java aktuell 01/2017:
Automatic checks for vulnerabilities in Java project dependencies.
The original article (🇩🇪) can be found here: Automatisierte Überprüfung von Sicherheitslücken in Abhängigkeiten von Java-Projekten.
This example contains the following
- a maven multi-module project creating a WAR
- a module containing a dependency with CVE, that is not contained in the WAR (module internal-module-with-vulnerability)
- a module containing a dependency with CVE, that is contained in the WAR (module published-module-with-vulnerability) but is considered to be a false positive and is suppressed in suppressed-cves.xml
- the final artifact (module war) that in turn contains dependencies with CVEs in
test,providedandcompilescopes.
To execute the OWASP dependency check, just call
mvn clean install org.owasp:dependency-check-maven:checkA report containing a CVE is generated to war/target/dependency-check-report.html.
The easiest way is to use this in Jenkins is the pipeline plugin (formerly known as workflow plugin). Tested with version 2.4. In Jenkins, do the following
- Install the OWASP Dependecy-Check Jenkins plugin (tested with version 1.4.3)
- Provide a maven tool called
M3.3'and a JDK calledJDK8u102, then - Setup a new pipeline job in jenkins and add your repository URL,
- Optionally add a build parameter
RECIPIENTSthat contains a comma-separated list of all email recipients, - Save and
- Build Now. You should get an email notifying about the unstable build due to the Security warning.
If you prefer to rely on the Jenkins GUI, setup the following maven command
mvn clean install org.owasp:dependency-check-maven:check -Ddependency-check-format=XMLfrom your Jenkins job and use the OWASP Dependecy-Check Jenkins plugin to analyze war/target/dependency-check-report.xml