OWASP Dependency Check
OWASP dependency-check is an open source solution that can be used to scan Java and .NET applications to identify the use of known vulnerable components.
Adding OWASP Check to Gradle Projects
Adding following fragments to build.gradle
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:5.2.2'
}
}
plugins {
id 'org.owasp.dependencycheck' version '5.2.2'
}
Gradle Task
./gradlew dependencyCheckAggregate
Configuring DependencyCheck
dependencyCheck {
format='ALL'
cveValidForHours=1
outputDirectory = file("$project.buildDir/reports/dependencycheck")
suppressionFile = 'config/dependencyCheck/suppressions.xml'
failBuildOnCVSS = 5
failOnError = true
}
Sample Suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[file name: postgresql-42.2.5.jar]]></notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2016-7048</cve>
</suppress>
</suppressions>