Wednesday, March 18, 2015

Checking Framework Vulnerabilities Using Maven Plugin

Chances are your application depends on a number of open source libraries. Typically these libraries are not updated frequently, for reasons such as stability. However, it makes sense to be notified of security issues in our dependencies so that we can take corrective action.

Would it not be great if our build failed whenever a new vulnerability is discovered in one or more of our dependencies? Enter the OWASP dependency-check Maven plugin, which identifies project dependencies and checks whether they have any known, publicly disclosed vulnerabilities.

How to use

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.2.9</version>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
 
It is recommended to read the plugin's documentation to understand how it works.
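To make the idea behind the plugin concrete, here is an added example (not the plugin's own code, and not from the original post) that models what a dependency check does: it reads the declared dependencies from a pom.xml, matches them against an advisory list, and decides whether the build should fail based on a CVSS threshold (current versions of the plugin expose a failBuildOnCVSS setting for this). The pom fragment, the advisory entries and their EXAMPLE-2015-000x ids are constructed for the demonstration and do not refer to real libraries or vulnerabilities; the version comparison is a simplified numeric one, not Maven's full ordering rules.

```python
"""Illustrative model of a dependency vulnerability check.

Added example, not the OWASP dependency-check plugin's code. The pom
fragment and advisory list below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Namespace used by real Maven pom.xml files.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml (sample input, not from a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>1.8.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging</artifactId>
      <version>5.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories: (group, artifact, affected from, fixed in, id, CVSS).
# The ids are hypothetical placeholders, not real CVEs.
ADVISORIES = [
    ("org.example", "web-core", "2.0.0", "2.4.0", "EXAMPLE-2015-0001", 9.8),
    ("org.example", "json-parser", "1.0.0", "1.7.0", "EXAMPLE-2015-0002", 7.5),
    ("org.example", "logging", "5.0", "5.2", "EXAMPLE-2015-0003", 4.3),
]


def parse_version(text, width=4):
    """Turn '2.3.1' into a zero-padded numeric tuple so that '5' == '5.0'.
    Simplified: Maven's real ordering also handles qualifiers like -SNAPSHOT."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each declared dependency."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        deps.append((
            dep.findtext("m:groupId", namespaces=POM_NS),
            dep.findtext("m:artifactId", namespaces=POM_NS),
            dep.findtext("m:version", namespaces=POM_NS),
        ))
    return deps


def find_vulnerabilities(deps):
    """Match each dependency against advisories whose affected range
    [affected_from, fixed_in) contains the declared version."""
    findings = []
    for group, artifact, version in deps:
        v = parse_version(version)
        for g, a, lo, hi, adv_id, score in ADVISORIES:
            if (g, a) == (group, artifact) and parse_version(lo) <= v < parse_version(hi):
                findings.append((f"{group}:{artifact}:{version}", adv_id, score))
    return findings


def should_fail_build(findings, cvss_threshold=7.0):
    """Fail only when a finding's score meets the configured minimum, so
    low-severity issues are still reported without breaking the build."""
    return any(score >= cvss_threshold for _, _, score in findings)


if __name__ == "__main__":
    found = find_vulnerabilities(parse_dependencies(SAMPLE_POM))
    for coordinate, adv_id, score in found:
        print(f"{coordinate}: {adv_id} (CVSS {score})")
    print("BUILD FAILED" if should_fail_build(found) else "BUILD OK")
```

With the sample data, web-core 2.3.1 and logging 5.1 fall inside affected ranges while json-parser 1.8.0 is already past its fix version, so two findings are reported and the build fails at the default threshold of 7.0 because of the 9.8 finding; raising the threshold above 9.8 would let the build pass while still listing the issues.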

Performance note: the first execution may take longer, but subsequent checks should take only a few seconds if the check is run at least once every few days.
