Software development projects usually come with lots of dependencies and keeping them up to date can be burdensome if done manually. Fortunately, there are tools to help you. For Node.js projects, there are e.g. npm-check and npm-check-updates and for Maven projects there are OWASP/Dependency-Check and Versions Maven plugins. Here’s a short introduction on how to set up your Maven project to automatically check dependencies for vulnerabilities and if there are outdated dependencies.
OWASP/Dependency-Check
OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: “A9 – Using Components with Known Vulnerabilities”.
A dependency-check can currently be used to scan Java and .NET applications to identify the use of known vulnerable components. The dependency-check plugin is, by default, tied to the verify or site phase depending on if it is configured as a build or reporting plugin.
The example below is executed in the build’s verify phase and can be run using mvn verify:
<project>
...
<build>
...
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.0.0-M3</version>
<configuration>
<failBuildOnCVSS>8</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
...
</project>
The example fails the build for CVSS greater than or equal to 8 and skips scanning the provided and runtime scoped dependencies.
Versions Maven Plugin
The Versions Maven Plugin is the de facto standard way to manage versions of artefacts in a project’s POM. From high-level comparisons between remote repositories up to low-level timestamp-locking for SNAPSHOT versions, its massive list of goals allows us to take care of every aspect of our projects involving dependencies.
The example configuration of versions-maven-plugin:
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.7</version>
<configuration>
<allowAnyUpdates>false</allowAnyUpdates>
<allowMajorUpdates>false</allowMajorUpdates>
<allowMinorUpdates>false</allowMinorUpdates>
<processDependencyManagement>false</processDependencyManagement>
</configuration>
</plugin>
You could use goals that modify the pom.xml as described in the usage documentation but often it’s easier to check versions manually as you might not be able to update all of the suggested dependencies.
The display-dependency-updates goal will check all the dependencies used in your project and display a list of those dependencies with newer versions available.
Check new dependencies with:
mvn versions:display-dependency-updates
Check new plugin versions with:
mvn versions:display-plugin-updates
Summary
Using OWASP/Dependency-Check in your Continuous Integration build flow to automatically check dependencies for vulnerabilities and running periodically Versions Maven Plugin to check if there are outdated dependencies helps you to keep your project up to date and secure. Small but important things to remember while developing and maintaining a software project.
