One of the OWASP guidelines for secure applications is to not use components with known vulnerabilities. Unfortunately, keeping up with these manually can be a very difficult and time-consuming task; automation can save you countless hours!
NOTE: The OWASP dependency scanner can be used in conjunction with the victims-enforcer.
Add to your project's pom.xml:
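A minimal dependency-check-maven plug-in configuration, added here as an example (it is not the original page's snippet); the version number is a placeholder, and the CVSS threshold and suppression-file path are assumptions.

```xml
<!-- Added example: minimal OWASP dependency-check-maven configuration.
     Assumptions (not from the page): the version placeholder,
     the CVSS threshold and the suppression-file path. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Placeholder: replace with the current release of the plug-in -->
      <version>X.Y.Z</version>
      <configuration>
        <!-- Fail the build when any dependency carries a CVE with a
             CVSS score of 7.0 (High) or above, instead of only reporting it -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Record reviewed false positives in a suppression file so they
             are documented and auditable rather than silently ignored -->
        <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- 'check' scans the project's dependencies on every build,
                 writes the report to target/, and fails on the threshold above -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` and inspect `target/dependency-check-report.html` for the findings; a failed build lists the offending CVEs in the Maven output.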
Each time you build, the plug-in will verify the project's dependencies against the list of known vulnerable libraries and report any matches in your build output.
The vulnerability database is populated from the NIST National Vulnerability Database: https://nvd.nist.gov.
- The example above is a very simple configuration; see the documentation for additional options.
- The first run of the plug-in can take a long time, because the vulnerability database must be downloaded locally before it can be used.
- Similar functionality is available for Ant builds, if desired.