safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1807: Automatically check dependencies for updates and CVEs if "checkDependencies" is set to "true".

Browse Source 
This can be done as part of the build:

    mvn -DcheckDependencies=true package

or separate from the build as a manual check:

    mvn -DcheckDependencies=true validate

Beware false positives and false negatives. Not all updates will
necessarily be caught be this, nor will all CVEs apply. The CVE matching
used is often a bit too fuzzy for its own good, but it gives an
excellent starting point for further manual checking.

The dependency update check will write each project's report to:

   .../target/dependency-update-report.txt

and the CVE check will write each project's report to:

   .../target/dependency-check-report.html

The relevant plugins WILL NOT genearte top-level, aggregate report.
This commit is contained in:
Mike Jumper
2023-07-10 08:42:14 -07:00
parent 7e236daf2f
commit 5a2239664c
1 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
pom.xml
View File

@@ -57,6 +57,13 @@
or missing license headers). -->
<ignoreLicenseErrors>false</ignoreLicenseErrors>
<!-- Set to "true" to perform automated checks for available dependency
updates, including whether the declared versions of any
dependencies have associated CVEs in NVD. Beware that both checks
may produce false positives and false negatives. Updates need to be
checked for compatibility and any changes in license information. -->
<checkDependencies>false</checkDependencies>
</properties>
<modules>
@@ -475,6 +482,91 @@
</build>
</profile>
<!-- Perform automated dependency checks if "checkDependencies" is set to "true" -->
<profile>
<id>check-dependencies</id>
<activation>
<property>
<name>checkDependencies</name>
<value>true</value>
</property>
</activation>
<build>
<plugins>
<!-- Checks for availability of likely-compatibile updates to
dependencies -->
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.16.0</version>
<configuration>
<allowMajorUpdates>false</allowMajorUpdates>
<dependencyExcludes>*:*:*:*:*:provided,*:*:*:*:*:system</dependencyExcludes>
<outputFile>${project.build.directory}/dependency-update-report.txt</outputFile>
<ruleSet>
<ignoreVersions>
<ignoreVersion>
<type>regex</type>
<version>(.+-SNAPSHOT|.+-(M|RC)\d+)</version>
</ignoreVersion>
<ignoreVersion>
<type>regex</type>
<version>.+-(alpha|beta)\b.*?</version>
</ignoreVersion>
</ignoreVersions>
<rules>
<rule>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<ignoreVersions>
<ignoreVersion>
<type>regex</type>
<version>1\.4\..+</version>
</ignoreVersion>
</ignoreVersions>
</rule>
</rules>
</ruleSet>
</configuration>
<executions>
<execution>
<id>check-dependency-updates</id>
<phase>validate</phase>
<goals>
<goal>display-dependency-updates</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Checks for possible known CVEs against dependencies
NOTE: This WILL produce false positives!!! -->
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.3.1</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<skipSystemScope>true</skipSystemScope>
<skipTestScope>true</skipTestScope>
<nodeAuditAnalyzerUrl>/-/npm/v1/security/advisories/bulk</nodeAuditAnalyzerUrl>
</configuration>
<executions>
<execution>
<id>check-dependency-updates</id>
<phase>validate</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>