One of the OWASP guidelines for secure applications is to not use components with known vulnerabilities. Unfortunately, keeping up with these manually can be a very difficult and time-consuming task; automation can save you countless hours!
See https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities.
NOTE: The OWASP dependency scanner can be used in conjunction with the victims-enforcer.
Add to your project's pom.xml:

    <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>1.3.4</version>
        <executions>
            <execution>
                <goals>
                    <goal>check</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
Each time you build, the plug-in will check the project's dependencies against the list of known vulnerable libraries and report any matches in the build output.
The vulnerability database is populated from the National Vulnerability Database (NVD): https://nvd.nist.gov.
NOTES:
- The example above is a very simple implementation, see the documentation for additional functions.
- The first use of the plug-in can take a long time, as the vulnerability database must be downloaded and stored locally before the initial scan.
- Similar functionality is available for Ant builds, if desired.
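The plug-in configuration above only reports findings; a build that merely prints warnings is easy to ignore. As an added example (not part of the original guidance), the same plug-in configured to fail the build when any dependency has a vulnerability with a CVSS score of 7 or higher. failBuildOnCVSS is a documented configuration parameter of dependency-check-maven; the threshold value 7 is a chosen example, and the phase binding is shown explicitly for clarity.

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.3.4</version>
    <configuration>
        <!-- Fail the build if any finding has CVSS >= 7 (High).
             Threshold chosen as an example; lower it to be stricter. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
    <executions>
        <execution>
            <!-- Run during "verify" so the check gates packaging/install,
                 but test scans still run on every build. -->
            <phase>verify</phase>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```

With this in place, `mvn verify` stops with a build failure listing the offending artifacts and CVE identifiers, so a vulnerable dependency cannot be released silently; findings that have been reviewed and accepted must be explicitly suppressed rather than ignored.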
REFERENCES: