OWASP Dependency-Check maven plugin

OWASP Dependency-Check is used to analyze known vulnerabilities in third-party libraries, as part of following secure coding practice in software development.

In this blog post I am going to step through an easy way to use the OWASP Dependency-Check tool to check the vulnerabilities in your software: the OWASP Dependency-Check maven plugin. Otherwise the user is required to download the external dependencies into a folder and run the OWASP Dependency-Check tool against that folder, which is not the easy way.

Maven is a project management tool that helps to manage builds. With the OWASP Dependency-Check maven plugin you can easily analyze vulnerabilities in a project's third-party libraries, so no time is wasted configuring and running the tool separately. It is just a normal build with maven.

This is an example of the plugin declaration within the pom.xml file. It is added within the <build> tag (inside <plugins>).
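The following pom.xml fragment is an added example (not the original post's screenshot) showing the plugin declaration the text refers to. The groupId org.owasp, artifactId dependency-check-maven and the check goal are the plugin's real coordinates; the version is a placeholder, the file paths and output folder are assumptions for this example, and failBuildOnCVSS is an extra option beyond what the post covers, included because it turns the report into a build gate.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- PLUGIN_VERSION is a placeholder; use the current plugin release -->
      <version>PLUGIN_VERSION</version>
      <executions>
        <execution>
          <!-- phase and goal can be changed to suit your build; "check"
               bound to "verify" runs the scan after tests, before install -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- HTML, XML, VULN or ALL; ALL writes every format -->
        <format>ALL</format>
        <!-- where the reports are written; defaults to ${project.build.directory}
             (assumed sub-folder here) -->
        <outputDirectory>${project.build.directory}/dependency-check</outputDirectory>
        <!-- XML suppression file for reviewed false positives (assumed path) -->
        <suppressionFile>${basedir}/owasp-suppressions.xml</suppressionFile>
        <!-- XML hints file for resolving false negatives (assumed path) -->
        <hintsFile>${basedir}/owasp-hints.xml</hintsFile>
        <!-- not in the post: fail the build when any finding has CVSS >= 7 -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With the goal bound to the verify phase, a plain `mvn clean install` runs the scan on every build, and with failBuildOnCVSS set the build stops on high-severity findings instead of only producing a report that nobody reads.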

If you include the above plugin in pom.xml and build the project, the dependency-check report will be generated in the target directory.

Thus just run,

mvn clean install

Now I will give a brief introduction to the elements in the pom.

<execution> can be defined according to your purpose; the <phase> and <goal> can be changed.

The configuration for the output report is given within the <configuration> element.

<format> : The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no effect when used within the Site plugin unless externalReport is set to true.
My option is ALL, so this configuration generates all the formats: HTML, XML and VULN.
<outputDirectory> : This is where the generated reports are written. Note that this is not used when generating the report as part of a mvn site build. The default folder is 'target' (${project.build.directory}). It can be changed, so you can give your own folder path.
<suppressionFile> : The file path to the XML suppression file, used to suppress false positives. So whenever you find a false-positive issue in your software, you can add it to this suppression file, and the final report will not include that issue.

Example suppressions file.
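The suppression file below is an added example, not the post's own. The element names (suppress, notes, sha1, gav, cpe, cve and the until attribute) and the 1.3 schema namespace are the real Dependency-Check suppression format; the jar name, Maven coordinates, CPE, CVE id, SHA-1 and date are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Suppress one CVE for one specific jar. Matching on SHA-1 keeps the
       suppression from silently carrying over to a later build of the same
       library, and "until" expires it so the decision gets re-reviewed. -->
  <suppress until="2030-01-01Z">  <!-- constructed expiry date -->
    <notes><![CDATA[
      file name: example-lib-1.0.jar (constructed example)
      Reason: the vulnerable code path is not reachable from this application.
      Reviewed by: <owner placeholder>; re-check on the next upgrade.
    ]]></notes>
    <sha1>SHA1_OF_THE_JAR_PLACEHOLDER</sha1>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

  <!-- Suppress a false-positive CPE match for an internal artifact family.
       The analyzer mapped the artifact to an unrelated product's CPE; the
       regex on group:artifact:version covers every version of it. -->
  <suppress>
    <notes><![CDATA[
      com.example:example-client is an in-house library wrongly matched to
      example_vendor:example_product (constructed example).
    ]]></notes>
    <gav regex="true">^com\.example:example-client:.*$</gav>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

</suppressions>
```

Each <suppress> entry should carry a <notes> block with the reason and reviewer, and the narrower the match (a SHA-1 or a single CVE rather than a broad CPE), the less chance that a real finding in a future version is hidden by an old suppression.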

<hintsFile> : The file path to the XML hints file, used to resolve false negatives.

These are the main configurations that should be given. The final generated report will look like the following.

OWASP Dependency Check Report