Foreword
This post introduces dependency-check-maven, the Maven plugin for OWASP Dependency-Check. It scans the dependencies a project pulls in, matches them against publicly known vulnerabilities (the CVE data published in the NVD), and reports which artifacts are affected, so a vulnerable library is caught before it ships.
How to use
Prerequisite: the plugin requires Maven 3.1 or higher.
1. Add the dependency-check-maven plugin (groupId, artifactId, version) to the project's pom.xml under build/plugins:
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.0.0</version>
      <configuration>
        <!-- refresh the local copy of the NVD data on each run -->
        <autoUpdate>true</autoUpdate>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- 'check' scans the dependencies and writes the report -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
2. Switch to the project's root directory (where the pom.xml lives) and run mvn dependency-check:check
Note: in IntelliJ IDEA you can also run the goal from the Maven tool window: expand the project's Plugins node, find dependency-check, right-click the check goal and choose Run.
The first run is slow because the plugin downloads the vulnerability data from the National Vulnerability Database (NVD) hosted by NIST into a local data directory (by default inside the local Maven repository); later runs only fetch the updates since the last download.
During execution you may see the error
Failed to initialize the RetireJS repo
Solution
Download jsrepository.json (the plugin fetches it by default from https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json) and place it in the plugin's data directory inside the local Maven repository, at <local Maven repository>/org/owasp/dependency-check-data/7.0. If the project contains no JavaScript assets, the RetireJS analyzer can instead be switched off with <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled> in the plugin configuration.
When the run finishes, the report is written to target/dependency-check-report.html.
3. Open target/dependency-check-report.html in a browser
Each finding lists the dependency and the CVEs matched to it; click a CVE link to open the vulnerability description.
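The configuration above only produces a report that someone has to read. As an added example (not from the original post or from the Dependency-Check project), the following pom fragment turns the scan into a build gate: it binds the check goal to the verify phase, fails the build when any dependency carries a CVSS score of 7 or higher, writes an HTML report for people and a JSON report for CI tooling, and reads reviewed findings from a suppression file. The threshold of 7 and the file name dependency-check-suppressions.xml are assumptions for the illustration; the configuration parameters themselves are the plugin's documented ones.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.0.0</version>
      <configuration>
        <!-- keep the local NVD copy current (this is also the default) -->
        <autoUpdate>true</autoUpdate>
        <!-- CVSS scores run 0-10, so the default of 11 never fails the build.
             Failing at 7 (an assumed threshold) stops the build on HIGH and CRITICAL findings. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- HTML for humans, JSON for scripts in the pipeline -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
        <!-- reviewed false positives and accepted risks live here; the file name is an assumption -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- pure Java project: the .NET assembly analyzer is not needed,
             and disabling it avoids the dotnet runtime it would otherwise look for -->
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
      </configuration>
      <executions>
        <execution>
          <!-- runs on every 'mvn verify', and therefore on 'mvn install' and 'mvn deploy' too -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, mvn verify fails as soon as a dependency with a CVSS score of 7 or more is found, and the reports land in target/dependency-check-report.html and target/dependency-check-report.json. The suppression file is an XML document whose root is <suppressions>; each <suppress> entry names the dependency it applies to (<packageUrl>, <gav> or <sha1>) and either a specific <cve> to ignore or a <cvssBelow> score under which findings are dropped, with a <notes> element recording why. Give risk acceptances an until="YYYY-MM-DDZ" attribute so the suppression expires and the finding comes back for review rather than being silenced forever.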
Summary
This article briefly introduced how to use the dependency-check-maven plugin to check a project's dependencies for known security vulnerabilities. For the full list of configuration options and goals, see
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
Demo link
https://github.com/lyb-geek/springboot-learning/tree/master/springboot-git-commit