kalandharsulthan/JavaCVMScanReport


Todo API — Spring Boot with OWASP CVE Scanning

A Java 17 Spring Boot REST API for managing to-do items, with integrated OWASP Dependency-Check for weekly CVE vulnerability scanning of all third-party JARs.


Prerequisites

| Tool | Minimum version | Check / install |
|------|-----------------|-----------------|
| Java | 17 | java -version |
| Maven | 3.6+ | mvn -version |
| NVD API key | any (free; see Step 1 below) | echo $NVD_API_KEY |
| jq (optional) | any | brew install jq |
| Trivy (optional) | any | brew install trivy |

Quick Start — Run the Application

mvn spring-boot:run
  • API base URL: http://localhost:8080/api/v1/todos
  • Swagger UI: http://localhost:8080/swagger-ui.html
  • H2 Console: http://localhost:8080/h2-console (JDBC URL: jdbc:h2:mem:tododb, user: sa, no password)

The H2 console is for local development only: it is an unauthenticated database shell (the sa password is empty), so keep spring.h2.console.enabled=false in every profile that does not run on a developer machine, as the suppression example further down already assumes.

API Endpoints

| Method | Path | Description | Status |
|--------|------|-------------|--------|
| GET | /api/v1/todos | List all todos | 200 |
| GET | /api/v1/todos?completed=true | Filter by completion status | 200 |
| POST | /api/v1/todos | Create a todo | 201 + Location header |
| GET | /api/v1/todos/{id} | Get todo by ID | 200 / 404 |
| PUT | /api/v1/todos/{id} | Update todo | 200 |
| DELETE | /api/v1/todos/{id} | Delete todo | 204 |
| GET | /api/v1/todos/health | Health check | 200 |

Request Body (POST / PUT)

{
  "title": "Buy groceries",
  "description": "Milk, eggs, bread",
  "completed": false,
  "priority": 1
}

Priority values: 0 = LOW, 1 = MEDIUM, 2 = HIGH


CVE Vulnerability Scanning

Step 1 — Get a Free NVD API Key

  1. Go to: https://nvd.nist.gov/developers/request-an-api-key
  2. Enter your email and submit
  3. Click the activation link in the email you receive (arrives within minutes)
  4. Copy the UUID-format key
# Add to your shell profile for persistence
echo 'export NVD_API_KEY="paste-your-key-here"' >> ~/.zshrc
source ~/.zshrc

Step 2 — Run the Scan

chmod +x scripts/weekly-scan.sh
./scripts/weekly-scan.sh

Or directly via Maven:

mvn dependency-check:check

Step 3 — View the Report

open target/dependency-check-report/dependency-check-report.html   # macOS; on Linux use xdg-open instead of open

First-Time NVD Database Download

The very first scan downloads the full NVD CVE database. Expected times:

| API key | Estimated time |
|---------|----------------|
| No key (unauthenticated) | 3–8 hours |
| Free NVD API key | 20–40 minutes |

The database is cached at ~/.owasp/dependency-check-data/. Do not delete this directory between scans; subsequent weekly runs download only delta updates (1–5 minutes). Note that this path is not the Maven plugin's built-in default, which lives inside the local Maven repository (~/.m2/repository/org/owasp/dependency-check-data/). If a scan unexpectedly re-downloads the full database, check which dataDirectory pom.xml and scripts/weekly-scan.sh actually configure.


Understanding the HTML Report

The report is at target/dependency-check-report/dependency-check-report.html.

| Column | Description |
|--------|-------------|
| Dependency | JAR name and Maven coordinates |
| CVE | CVE ID (click to open the NVD entry) |
| Severity | CRITICAL / HIGH / MEDIUM / LOW, derived from the highest available CVSS base score (v3 when NVD provides one, otherwise v2) |
| CVSS v3 Score | 0.0–10.0 |
| CWE | Weakness category (e.g. CWE-22 Path Traversal) |
| Fixed Version | Version in which the CVE is resolved (when known) |

Remediation Workflow

For each HIGH or CRITICAL finding:

  1. Note the Fixed Version column
  2. If a fix version exists, update the dependency in pom.xml
  3. For BOM-managed versions (Spring Boot manages most), either upgrade the Spring Boot parent version or override via <properties>, e.g.:
    <h2.version>2.3.232</h2.version>
  4. Re-run the scan to confirm the CVE is resolved. After a <properties> override, also check the resolved version with mvn dependency:tree: the property only changes artifacts the Spring Boot BOM manages under that property, and an explicit <version> on a <dependency> in the pom still takes precedence.

Suppressing False Positives

Edit suppression.xml to document and suppress findings that do not apply to this deployment. The file is a list of <suppress> entries under a <suppressions> root, for example:

<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2026-12-31Z">
    <notes>CVE-2022-45868: the H2 web admin console accepts its password in cleartext
    via the -webAdminPassword command-line argument, exposing it in the process list.
    This service never starts the console from the CLI, and the console is disabled
    in production (spring.h2.console.enabled=false).
    Reviewed by: [your name] on [date]</notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
    <cve>CVE-2022-45868</cve>
  </suppress>
</suppressions>

Always document why the CVE was suppressed and set an expiry date so the decision is periodically re-reviewed. The <cve> element limits the entry to that one CVE while the packageUrl regex matches every H2 version; that pairing is what keeps the suppression narrow, so do not widen it by dropping the <cve>. The file only takes effect if the plugin configuration in pom.xml points at it (suppressionFiles).
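The report triage and suppression review described above can be automated. The following is an added example and not code from the JavaCVMScanReport repository: it reads the Dependency-Check JSON report (which assumes the plugin is configured to emit JSON as well as HTML, i.e. target/dependency-check-report/dependency-check-report.json exists), lists every finding at or above the same CVSS 7 threshold the script and Maven commands use, and warns about suppression entries whose until date has passed. Field names follow the Dependency-Check JSON report format; the sample report and suppression file embedded below are constructed test data (the CVSS score attached to CVE-2022-45868 is illustrative, and CVE-0000-0000 is a placeholder ID, not a real vulnerability).

```python
"""Triage a Dependency-Check JSON report and audit suppression.xml expiries.

Added example, not part of the JavaCVMScanReport project. Assumes the Maven
plugin also writes dependency-check-report.json and that suppression.xml uses
the standard Dependency-Check suppression schema.
"""
import json
import sys
import xml.etree.ElementTree as ET
from datetime import date

FAIL_ON_CVSS = 7.0  # same threshold as --fail-on-cvss 7 / -DfailBuildOnCVSS=7

# Constructed sample report: one HIGH finding with a CVSS v3 score, one finding
# carrying only a v2 score (older NVD entries), and one clean dependency.
# CVE-0000-0000 is a placeholder identifier, not a real CVE.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "h2-2.1.214.jar",
         "vulnerabilities": [{"name": "CVE-2022-45868", "severity": "HIGH",
                              "cvssv3": {"baseScore": 7.8}}]},
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-0000", "severity": "MEDIUM",
                              "cvssv2": {"score": 4.3}}]},
        {"fileName": "clean-lib-2.0.jar"},
    ]
}

# Constructed suppression file in the same shape as this project's suppression.xml.
SAMPLE_SUPPRESSION = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2026-12-31Z">
        <notes>CVE-2022-45868: H2 console disabled in production. Reviewed by: example</notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <cve>CVE-2022-45868</cve>
    </suppress>
</suppressions>"""


def _local_name(tag):
    """Strip the XML namespace from an ElementTree tag ('{ns}suppress' -> 'suppress')."""
    return tag.rsplit("}", 1)[-1]


def cvss_score(vuln):
    """Highest available base score, preferring CVSS v3 and falling back to v2."""
    candidates = [(vuln.get("cvssv3") or {}).get("baseScore"),
                  (vuln.get("cvssv2") or {}).get("score")]
    return max((s for s in candidates if isinstance(s, (int, float))), default=0.0)


def triage(report, threshold=FAIL_ON_CVSS):
    """Findings at or above threshold as (jar, cve, score, severity), worst first."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = cvss_score(vuln)
            if score >= threshold:
                findings.append((dep.get("fileName", "?"), vuln["name"],
                                 score, vuln.get("severity", "?")))
    return sorted(findings, key=lambda f: (-f[2], f[0]))


def expired_suppressions(xml_text, today):
    """Suppressions whose 'until' date has passed, as (comma-joined CVEs, until).

    'today' may be a datetime.date or an ISO date string. Entries without an
    'until' attribute are permanent and are deliberately left alone here.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    expired = []
    for node in ET.fromstring(xml_text).iter():
        if _local_name(node.tag) != "suppress":
            continue
        until = node.get("until")
        if until is None:
            continue
        # xs:date values such as "2026-12-31Z": the first 10 characters are the date.
        if date.fromisoformat(until[:10]) < today:
            cves = [c.text for c in node if _local_name(c.tag) == "cve"]
            expired.append((",".join(cves) or "(no cve listed)", until))
    return expired


def main(report_path="target/dependency-check-report/dependency-check-report.json",
         suppression_path="suppression.xml"):
    """Print findings and expired suppressions; exit 1 if any finding meets the threshold."""
    with open(report_path) as f:
        report = json.load(f)
    with open(suppression_path) as f:
        suppression_xml = f.read()
    findings = triage(report)
    for jar, cve, score, severity in findings:
        print(f"{severity:8} {score:4.1f} {cve:18} {jar}")
    for cves, until in expired_suppressions(suppression_xml, date.today()):
        print(f"WARNING: suppression for {cves} expired on {until}; re-review it")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it after a scan from the repository root (python3 triage.py, or pass the report and suppression paths explicitly). Findings that Dependency-Check has already suppressed do not appear in the JSON report, which is why the expiry check reads suppression.xml directly: an expired entry stays silent in the scanner output until its until date passes, and this is the reminder to re-justify it.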


Scheduling Weekly Scans

macOS / Linux cron

crontab -e

Add this line (runs every Monday at 02:00):

0 2 * * 1 NVD_API_KEY="your-key" /Users/kalandhar/Documents/KALANDHAR/AI_WORKBENCH_2026/JAVA/JavaCVMScanReport/scripts/weekly-scan.sh >> ~/.owasp/cron-scan.log 2>&1

Two caveats. A key written inline in the crontab is visible to anyone who can read that crontab, so prefer keeping it in a file with mode 0600 that the script reads at start-up. cron also runs jobs with a minimal PATH; if the log shows mvn was not found, set PATH at the top of the crontab or call mvn by its absolute path.

Scan and fail build on HIGH+ findings (for CI)

./scripts/weekly-scan.sh --fail-on-cvss 7

Run with Trivy as second-opinion scanner

./scripts/weekly-scan.sh --trivy

Maven Goals Reference

# Scan only (no tests)
mvn dependency-check:check

# Scan + tests
mvn verify

# Scan without ever failing the build (CVSS scores top out at 10.0, so a threshold of 11 is never reached)
mvn dependency-check:check -DfailBuildOnCVSS=11

# Fail build if any HIGH (7.0+) or CRITICAL found
mvn dependency-check:check -DfailBuildOnCVSS=7

# Refresh NVD database without scanning
mvn dependency-check:update-only

# Delete cached NVD database (forces full re-download next run)
mvn dependency-check:purge

Running Tests

mvn clean test

Project Structure

JavaCVMScanReport/
├── pom.xml                          # Spring Boot + OWASP Dependency-Check plugin
├── suppression.xml                  # CVE false-positive suppressions
├── scripts/
│   └── weekly-scan.sh               # Weekly scan automation script
└── src/
    ├── main/java/com/kalandhar/todo/
    │   ├── TodoApplication.java
    │   ├── controller/TodoController.java
    │   ├── service/TodoService.java
    │   ├── domain/TodoItem.java
    │   ├── repository/TodoRepository.java
    │   ├── dto/{TodoRequest,TodoResponse}.java
    │   └── exception/{TodoNotFoundException,GlobalExceptionHandler}.java
    ├── main/resources/application.yml
    └── test/java/com/kalandhar/todo/
        ├── TodoApplicationTests.java
        ├── controller/TodoControllerTest.java
        └── service/TodoServiceTest.java
