
In my project I use dependency-check-maven to run OWASP verifications. The project contains several Java modules and a front-end module. The configuration in the pom is a basic one like this:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>5.3.2</version>
    <configuration>
        <failBuildOnCVSS>4</failBuildOnCVSS>
        <suppressionFiles>
            <suppressionFile>owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <cveUrlBase>...</cveUrlBase>
        <cveUrlModified>...</cveUrlModified>
        <format>ALL</format>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <cveValidForHours>24</cveValidForHours>
    </configuration>
</plugin>

Is it possible to configure the plugin in such a way that it ignores my front-end module but analyses all the other ones?

I tried running mvn -Dowasp.dependency-check.excludes=frontend-1.0.1-SNAPSHOT.jar org.owasp:dependency-check-maven:aggregate in the root folder of my project, but the verification is done in the frontend as well.

Vitalii

2 Answers

I have the same issue: I want some JavaScript modules to be ignored by the dependency check.

As you can see at https://github.com/jeremylong/DependencyCheck/issues/1009, the developers have an open PR to resolve this request.

I solved this by not building the JavaScript module:

mvn verify -pl '!frontend'

It is just a workaround to get the results of the dependency check locally.

Maybe there are better ideas?

André


Add the following to each submodule to be excluded:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <skip>true</skip>
    </configuration>
</plugin>

dspescha
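A complete multi-module layout that applies the per-module skip from this answer while keeping the plugin settings from the question in one place. This is an added illustration, not the asker's project or either answerer's code: the groupId com.example, the module names service-a, service-b and frontend, and the use of the Maven 3.3.1+ property ${maven.multiModuleProjectDirectory} to anchor the suppression file on the root directory are all assumptions.

```xml
<!-- parent pom.xml (constructed illustration): declare the plugin once so that
     every module inherits the same settings; groupId and module names are assumed -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.1-SNAPSHOT</version>
  <packaging>pom</packaging>

  <modules>
    <module>service-a</module>
    <module>service-b</module>
    <module>frontend</module>
  </modules>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.3.2</version>
        <configuration>
          <failBuildOnCVSS>4</failBuildOnCVSS>
          <suppressionFiles>
            <!-- a bare relative path resolves against each module's own basedir;
                 anchoring on the reactor root makes every module find the same file
                 (assumes Maven 3.3.1 or newer, which defines this property) -->
            <suppressionFile>${maven.multiModuleProjectDirectory}/owasp-suppressions.xml</suppressionFile>
          </suppressionFiles>
          <format>ALL</format>
          <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
          <cveValidForHours>24</cveValidForHours>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- check runs in the verify phase by default, so "mvn verify" scans each module -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

<!-- frontend/pom.xml (constructed illustration): same plugin coordinates as the
     parent, so Maven merges this configuration with the inherited one and only
     <skip> differs; the module itself is still compiled and packaged, it is just
     not scanned -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.1-SNAPSHOT</version>
  </parent>
  <artifactId>frontend</artifactId>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <skip>true</skip>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

With this layout, mvn verify from the root scans service-a and service-b and skips frontend. The difference from the -pl '!frontend' workaround in the first answer is that the front-end module is still part of the build here, which matters when other modules depend on its artifact; with -pl '!frontend' Maven would have to resolve that artifact from the local repository instead.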