How to configure Maven OWASP Dependency-Check plugin


Security is one of the most important aspects of software development, and security issues become more critical every day as more data is generated, processed, and stored by different applications. Data is the new oil! To keep an application safe, it is necessary to detect security vulnerabilities as early as possible and to check the application for security issues constantly. Java projects are no exception. In this article, we discuss how to configure the Maven OWASP Dependency-Check plugin to identify known security issues in the third-party libraries an application uses.

What is the OWASP Dependency-Check plugin

The OWASP Dependency-Check Maven plugin (dependency-check-maven) is built on top of the OWASP Dependency-Check tool. Dependency-Check identifies a project's dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. Besides Java, it supports other ecosystems, including Node.js and Python. More details are available on the OWASP Dependency-Check project page.

The Dependency-Check plugin lets developers run security scans on their projects constantly, in any phase of the build process. Hence, it is beneficial to trigger the dependency scan from the CI/CD pipeline.

Configuring OWASP Dependency-Check Maven plugin

Configuration of the Dependency-Check plugin is rather straightforward. First, we need to add the dependency to the pom.xml file as usual,

<dependencies>
  <dependency>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.2.1</version>
    <type>maven-plugin</type>
  </dependency>
</dependencies>

Then we should configure the plugin. The default configuration looks something like this,

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.2.1</version>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

Lastly, we can try it out by running the check goal,

$ mvn org.owasp:dependency-check-maven:check

Note that by default the check goal is bound to Maven's verify phase. For instance, if you execute mvn clean verify, the Dependency-Check plugin runs after the tests have completed.

The plugin also generates an HTML report under target/dependency-check-report.html.

If you are happy with the default configuration, no additional action is required. However, if you want to configure the plugin further, have a look at the plugin's configuration documentation.

We highly recommend configuring these two options. One is failBuildOnAnyVulnerability which, if enabled, fails the build as soon as any vulnerability is detected. The other is failBuildOnCVSS, which fails the build only when a detected vulnerability's CVSS score reaches or exceeds the configured threshold. Note that once failBuildOnAnyVulnerability is enabled, the CVSS threshold no longer makes a difference, because every finding already fails the build.

Sample configuration,

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.2.1</version>
      <configuration>
        <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
        <failBuildOnCVSS>5</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

How to fix the detected vulnerability

When a vulnerability is detected, the best fix is usually to upgrade the affected dependency to the latest version. If the library is unmaintained, consider finding a replacement.

Upgrading a project dependency is not always easy, because the plugin also scans transitive dependencies (the dependencies of your dependencies). So if a transitive dependency of one of your project's dependencies has a vulnerability, you first have to find out which direct dependency pulls it in before you can fix the issue. In such a case, it makes sense to generate the project's dependency tree, and the mvn dependency:tree command comes in handy for that.
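As an added example (not from the original post or the Eris project), the following pom.xml fragment shows the usual way to fix a vulnerable transitive dependency once mvn dependency:tree has revealed which direct dependency pulls it in: pin the transitive artifact to a patched version through dependencyManagement, or, as a fallback, exclude it. All artifact coordinates and versions below are constructed placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <!-- Added example; coordinates and versions are constructed placeholders. -->
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.placeholder</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <!-- Maven resolves a transitive artifact to the version declared here,
       overriding whatever version the direct dependency would pull in.
       Pinning beats excluding: the library stays, only the vulnerable
       version is replaced. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.placeholder</groupId>
        <artifactId>transitive-lib</artifactId>
        <!-- placeholder: first version without the reported vulnerability -->
        <version>2.1.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency that mvn dependency:tree showed dragging in
         the vulnerable transitive-lib 1.x. -->
    <dependency>
      <groupId>com.example.placeholder</groupId>
      <artifactId>direct-lib</artifactId>
      <version>3.4.0</version>
      <!-- Fallback when no patched version of transitive-lib exists and the
           code path that needs it is not used: exclude it entirely.
           Uncomment instead of (not in addition to) the pin above. -->
      <!--
      <exclusions>
        <exclusion>
          <groupId>com.example.placeholder</groupId>
          <artifactId>transitive-lib</artifactId>
        </exclusion>
      </exclusions>
      -->
    </dependency>
  </dependencies>
</project>
```

After the change, run mvn dependency:tree again to confirm only the pinned version (or no copy at all, if excluded) appears, then re-run the check goal so the report reflects the fix.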

The fix for a security vulnerability varies from library to library. For instance, to patch the Log4Shell vulnerability (CVE-2021-44228), one can use an agent, or even fix the issue manually by removing some classes or setting a configuration option that disables part of the functionality.

Conclusion

In this article, we discussed how to configure the Maven OWASP Dependency-Check plugin to scan a project for security vulnerabilities in its dependencies. It is recommended to integrate the plugin into your project's CI/CD pipeline and to configure the build to fail if any severe vulnerability is discovered.

We have applied the Dependency-Check plugin to our Eris weather API. The implementation details are in the corresponding commit on GitHub.
