Add configuration for check of dep vulnerabilities listed in CVE regi…

…stry
SonarSource · Feb 14, 2015 · f7f1203 · f7f1203
1 parent 94c0194
commit f7f1203
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/cve-false-positives.xml b/cve-false-positives.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+  <suppress>
+    <notes><![CDATA[
+      file name: gson-2.3.1.jar
+      ]]></notes>
+    <sha1>ECB6E1F8E4B0E84C4B886C2F14A1500CAF309757</sha1>
+    <cpe>cpe:/a:google:v8:2.3.1</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: geronimo-spec-jta-1.0-M1.jar
+   ]]></notes>
+    <sha1>1F01F94B5B83C33950E22CDE224868407FDF8B99</sha1>
+    <cpe>cpe:/a:apache:geronimo:1.0.m1</cpe>
+  </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
@@ -288,6 +288,16 @@
           <artifactId>clirr-maven-plugin</artifactId>
           <version>2.6.1</version>
         </plugin>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>1.2.8</version>
+          <configuration>
+            <failBuildOnCVSS>8</failBuildOnCVSS>
+            <suppressionFile>cve-false-positives.xml</suppressionFile>
+          </configuration>
+        </plugin>
+
       </plugins>
     </pluginManagement>
 
@@ -1502,13 +1512,38 @@
         </dependency>
       </dependencies>
     </profile>
+
     <profile>
       <!-- add microbenchmarks module to IDE -->
       <id>includeMicrobenchmarkModule</id>
       <modules>
         <module>microbenchmark-template</module>
       </modules>
     </profile>
+
+    <profile>
+      <!--
+      check if maven dependencies have vulnerabilities listed in CVE
+      Standalone command: mvn org.owasp:dependency-check-maven:check
+      See http://jeremylong.github.io/DependencyCheck
+      -->
+      <id>securityCheck</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 
 </project>