Tuesday, 9 May 2023

dependency-check plugin - Vulnerabilities In Project’s dependencies

Introduction
The description is as follows
The Dependency-Check Maven plugin is an excellent tool for identifying and reporting any known vulnerabilities in your project’s dependencies. 
The plugin downloads the CVE (Common Vulnerabilities and Exposures) data published by the NVD (National Vulnerability Database) and caches it locally, so the first run is slow and needs network access; later runs only fetch updates.

goals
check
aggregate

check goal
Once the plugin is declared in the POM with an execution for the check goal, it runs as part of a normal build (the goal binds to the verify phase by default)
mvn clean install
To run the plugin on its own we do the following (the dependency-check prefix resolves only when the plugin is declared in the POM; otherwise use the fully qualified form mvn org.owasp:dependency-check-maven:check)
mvn dependency-check:check
aggregate goal
The description is as follows
We have a multi-module Maven application, so we need to run the aggregate goal to get a single report for all modules
We do it like this (the owasp-dependency-check profile that configures the goal is shown below)
mvn dependency-check:aggregate -P owasp-dependency-check
Example
We do it like this
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.2.1</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
failBuildOnCVSS Field
The description is as follows
failBuildOnCVSS — a threshold after which the Maven command ends with failure.
suppressionFile — path to a file with suppression rules.
dataDirectory — path to a directory with the vulnerabilities database.
We do it like this (the profile is applied with -P owasp-dependency-check; inherited is false so the aggregate goal runs once at the root rather than in every module)
<profiles>
  <profile>
    <id>owasp-dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check-maven.version}</version>
          <inherited>false</inherited>
          <configuration>
            <format>ALL</format>
            <failBuildOnCVSS>7.0</failBuildOnCVSS>
            <suppressionFile>suppressions.xml</suppressionFile>
            <dataDirectory>${cve.database.dir}</dataDirectory>
          </configuration>
          <executions>
            <execution>
              <goals>
                <goal>aggregate</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
Suppressions File
We do it like this (this rule drops the yaml_project:yaml CPE for every snakeyaml artifact, so vulnerabilities matched only through that CPE disappear from the report)
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive. https://github.com/jeremylong/DependencyCheck/issues/5233
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cpe>cpe:/a:yaml_project:yaml</cpe>
    </suppress>
</suppressions>
or, to suppress a single vulnerability for the matched package instead of a whole CPE, we put the following inside the suppress element
<vulnerabilityName>CVE-2021-4235</vulnerabilityName>
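The following script is an added example, not code from the dependency-check project. It re-implements the two pieces of behaviour discussed above in miniature: the failBuildOnCVSS gate (the build fails when any un-suppressed finding has a CVSS score at or above the threshold; the plugin's default of 11 therefore never fails) and suppression matching for the two rule styles shown in the suppressions file (packageUrl plus cpe, and packageUrl plus vulnerabilityName). It runs over a constructed report dictionary shaped like the plugin's JSON report (format JSON or ALL); the CVE numbers and scores are illustrative, and the assumption that v3 scores take precedence over v2 is marked in the code. It is useful for testing whether a new suppression rule would actually catch a finding before committing it.

```python
"""Added example: mini failBuildOnCVSS gate plus suppression matching.

Not part of the OWASP dependency-check project. REPORT is a constructed
structure resembling the plugin's JSON report; SUPPRESSIONS_XML uses the
same schema as the suppressions file above.
"""
import re
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed suppression file: one CPE rule and one vulnerabilityName rule.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive: snakeyaml is not yaml_project:yaml</notes>
    <packageUrl regex="true">^pkg:maven/org\\.yaml/snakeyaml@.*$</packageUrl>
    <cpe>cpe:/a:yaml_project:yaml</cpe>
  </suppress>
  <suppress>
    <notes>Go yaml CVE wrongly matched to the Java artifact</notes>
    <packageUrl regex="true">^pkg:maven/org\\.yaml/snakeyaml@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-4235</vulnerabilityName>
  </suppress>
</suppressions>
"""

# Constructed report (illustrative CVEs/scores; shaped like dependency-check's JSON output).
REPORT = {"dependencies": [
    {"fileName": "snakeyaml-1.33.jar",
     "packages": [{"id": "pkg:maven/org.yaml/snakeyaml@1.33"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:snakeyaml_project:snakeyaml:1.33:*:*:*:*:*:*:*"},
                          {"id": "cpe:2.3:a:yaml_project:yaml:1.33:*:*:*:*:*:*:*"}],
     "vulnerabilities": [
         {"name": "CVE-2022-1471", "cvssv3": {"baseScore": 9.8},
          "vulnerableSoftware": [{"software": {"id": "cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*"}}]},
         {"name": "CVE-2021-4235", "cvssv3": {"baseScore": 7.5},
          "vulnerableSoftware": [{"software": {"id": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:*:*:*"}}]},
         {"name": "CVE-2019-11254", "cvssv3": {"baseScore": 6.5},
          "vulnerableSoftware": [{"software": {"id": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:*:*:*"}}]}]},
    {"fileName": "commons-text-1.9.jar",
     "packages": [{"id": "pkg:maven/org.apache.commons/commons-text@1.9"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:commons_text:1.9:*:*:*:*:*:*:*"}],
     "vulnerabilities": [
         {"name": "CVE-2022-42889", "cvssv3": {"baseScore": 9.8},
          "vulnerableSoftware": [{"software": {"id": "cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*"}}]}]},
]}


def cpe_key(cpe):
    """vendor:product from a cpe:/a:... (2.2) or cpe:2.3:a:... (2.3) string."""
    parts = cpe.split(":")
    return f"{parts[3]}:{parts[4]}" if parts[1] == "2.3" else f"{parts[2]}:{parts[3]}"


def _matcher(elem):
    """Predicate for a <packageUrl>/<cve>/<vulnerabilityName> element: regex if regex="true", else exact."""
    if elem is None:
        return None
    text = elem.text.strip()
    pat = re.compile(text) if elem.get("regex") == "true" else re.compile(re.escape(text))
    return lambda value: pat.fullmatch(value) is not None


def parse_suppressions(xml_text):
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        rules.append({
            "purl": _matcher(sup.find("s:packageUrl", NS)),
            "cpes": {cpe_key(e.text.strip()) for e in sup.findall("s:cpe", NS)},
            "names": [_matcher(e) for e in sup.findall("s:cve", NS) + sup.findall("s:vulnerabilityName", NS)],
        })
    return rules


def score_of(vuln):
    """Assumption: the gate uses the CVSS v3 base score when present, else v2, else 0."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"]["baseScore"])
    return float(vuln.get("cvssv2", {}).get("score", 0.0))


def apply_suppressions(dep, rules):
    """Vulnerabilities of one dependency that survive the rules matching its package URL."""
    purls = [p["id"] for p in dep.get("packages", [])]
    active = [r for r in rules if r["purl"] is None or any(r["purl"](p) for p in purls)]
    suppressed_cpes = set().union(*(r["cpes"] for r in active))
    remaining_cpes = {cpe_key(v["id"]) for v in dep.get("vulnerabilityIds", [])} - suppressed_cpes
    kept = []
    for vuln in dep.get("vulnerabilities", []):
        if any(m(vuln["name"]) for r in active for m in r["names"]):
            continue  # suppressed by name (cve / vulnerabilityName rule)
        via = {cpe_key(vs["software"]["id"]) for vs in vuln.get("vulnerableSoftware", [])}
        if via and not (via & remaining_cpes):
            continue  # only reachable through a suppressed CPE identifier
        kept.append(vuln)
    return kept


def gate(report, rules, fail_build_on_cvss):
    """Mirror failBuildOnCVSS: un-suppressed findings with score >= threshold, as (file, name, score)."""
    return [(dep["fileName"], v["name"], score_of(v))
            for dep in report["dependencies"]
            for v in apply_suppressions(dep, rules)
            if score_of(v) >= fail_build_on_cvss]


if __name__ == "__main__":
    for file_name, name, score in gate(REPORT, parse_suppressions(SUPPRESSIONS_XML), 7.0):
        print(f"BUILD FAILURE {file_name}: {name} CVSS {score}")
```

With the threshold of 7.0 from the profile above, the two yaml_project:yaml findings disappear (one by CPE, one by name) and only the genuine snakeyaml and commons-text criticals remain; with no rules the 7.5 go-yaml false positive would also fail the build, and with the plugin's default threshold of 11 nothing ever does. Point the script at a real dependency-check-report.json and your suppressions.xml to dry-run a rule before committing it.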
