From 5a2239664c0843af9328504723a9f49248c305be Mon Sep 17 00:00:00 2001 From: Mike Jumper Date: Mon, 10 Jul 2023 08:42:14 -0700 Subject: [PATCH] GUACAMOLE-1807: Automatically check dependencies for updates and CVEs if "checkDependencies" is set to "true". This can be done as part of the build: mvn -DcheckDependencies=true package or separate from the build as a manual check: mvn -DcheckDependencies=true validate Beware false positives and false negatives. Not all updates will necessarily be caught by this, nor will all CVEs apply. The CVE matching used is often a bit too fuzzy for its own good, but it gives an excellent starting point for further manual checking. The dependency update check will write each project's report to: .../target/dependency-update-report.txt and the CVE check will write each project's report to: .../target/dependency-check-report.html The relevant plugins WILL NOT generate a top-level, aggregate report. --- pom.xml | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/pom.xml b/pom.xml index 1b8ec029f..4dece7ecf 100644 --- a/pom.xml +++ b/pom.xml @@ -57,6 +57,13 @@ or missing license headers). --> false + + false + @@ -475,6 +482,91 @@ + + + check-dependencies + + + checkDependencies + true + + + + + + + + org.codehaus.mojo + versions-maven-plugin + 2.16.0 + + false + *:*:*:*:*:provided,*:*:*:*:*:system + ${project.build.directory}/dependency-update-report.txt + + + + regex + (.+-SNAPSHOT|.+-(M|RC)\d+) + + + regex + .+-(alpha|beta)\b.*? + + + + + ch.qos.logback + logback-classic + + + regex + 1\.4\..+ + + + + + + + + + check-dependency-updates + validate + + display-dependency-updates + + + + + + + + org.owasp + dependency-check-maven + 8.3.1 + + true + true + true + /-/npm/v1/security/advisories/bulk + + + + check-dependency-updates + validate + + check + + + + + + + + +
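Review bot: in the `@@ -57,6 +57,13 @@` hunk, the new property declared with a default of `false` in the POM's `<properties>` block cannot switch the profile on from the POM itself, because Maven evaluates `<activation><property>` against system and user properties (the `-DcheckDependencies=true` on the command line) and not against values set in `<properties>`. If the declaration is meant as documentation of the flag, a short comment beside it saying that it must be passed as `-DcheckDependencies=true` would stop a reader from flipping it in the POM and wondering why nothing runs.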
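Review bot: in the `@@ -475,6 +482,91 @@` hunk, the `dependency-check-maven` execution reuses the execution id `check-dependency-updates` from the `versions-maven-plugin` block even though it runs the `check` goal (the CVE scan), which reads as a copy-paste slip; rename it, for example to `check-dependency-cves`, so the two executions are distinguishable in build logs. Three smaller points in the same hunk: the value `/-/npm/v1/security/advisories/bulk` is a bare path with no scheme or host, so confirm the complete URL is what the file actually carries, and note that both plugins reach out to external services (the npm advisory endpoint here, and the NVD data for the CVE check) during `validate`, so any CI job using this profile needs outbound network access; the `ch.qos.logback:logback-classic` rule that ignores `1\.4\..+` has no comment explaining why that line is excluded, and a one-line reason would keep the exclusion from outliving its cause; and the ignore patterns `(.+-SNAPSHOT|.+-(M|RC)\d+)` and `.+-(alpha|beta)\b.*?` are case-sensitive, so lowercase `-rc1` or `-m1` qualifiers would still be reported (a `(?i)` prefix would cover them), while the trailing lazy `.*?` in the second pattern matches the same versions as a plain `.*`.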