Commit
Add a dependency-check profile
sberyozkin committed Jan 6, 2023
1 parent 6014d34 commit cc2abf2
Showing 3 changed files with 23 additions and 2 deletions.
5 changes: 5 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small
* [Extensions](#extensions)
+ [Descriptions](#descriptions)
+ [Update dependencies to extensions](#update-dependencies-to-extensions)
+ [Check security vulnerabilities](#check-security-vulnerabilities)
* [The small print](#the-small-print)
* [Frequently Asked Questions](#frequently-asked-questions)

Expand Down Expand Up @@ -694,6 +695,10 @@ were changed by the script.
When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as
long as the extension artifact is still present in your local Maven repository.

### Check security vulnerabilities

When adding a new extension or updating the existing one it is recommended to run [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Powasp-check` so that known security vulnerabilities in the extension dependencies can be detected early.

## The small print

This project is an open source project, please act responsibly, be nice, polite and enjoy!
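Review bot: the new "Check security vulnerabilities" paragraph reads "updating the existing one"; "updating an existing one" is the intended wording. It would also help contributors to mention that the first `mvn -Powasp-check` run downloads the NVD data, which needs network access and takes noticeably longer than later runs that reuse the local cache, so nobody assumes the command has hung.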
18 changes: 17 additions & 1 deletion build-parent/pom.xml
Expand Up @@ -172,6 +172,7 @@

<!-- google cloud functions invoker-->
<gcf-invoker.version>1.1.1</gcf-invoker.version>
<owasp-dependency-check-plugin.version>7.4.3</owasp-dependency-check-plugin.version>
</properties>

<dependencyManagement>
Expand Down Expand Up @@ -719,6 +720,11 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${owasp-dependency-check-plugin.version}</version>
</plugin>
</plugins>
</pluginManagement>
</build>
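Review bot: the managed `dependency-check-maven` entry carries no `<configuration>`, so `dependency-check:check` runs with plugin defaults: the goal reports findings but does not fail the build unless `failBuildOnCVSS` is set, and no suppression file is wired in for accepted findings. If a report-only run is the intent for contributors that is fine, but say so in CONTRIBUTING.md; otherwise add, for example, `<configuration><failBuildOnCVSS>7</failBuildOnCVSS></configuration>` here so the profile actually acts as a gate.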
Expand Down Expand Up @@ -1235,7 +1241,17 @@
</plugins>
</build>
</profile>

<profile>
<id>owasp-check</id>
<activation>
<property>
<name>owasp-check</name>
</property>
</activation>
<build>
<defaultGoal>dependency-check:check</defaultGoal>
</build>
</profile>
<profile>
<id>Windows</id>
<activation>
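Review bot: `<defaultGoal>` is only honoured when no goal or phase is given on the command line, so `mvn -Powasp-check` works but `mvn -Powasp-check verify` silently skips the check; if the profile is meant to combine with a normal build, bind the `check` goal to a phase with an `<execution>` instead. Also note that the `<activation><property>` block means `-Dowasp-check` activates the profile as well as `-P`; the docs only mention `-P`, so either document the property form or drop the activation block if it is not intended.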
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-overview-concept.adoc
Expand Up @@ -344,7 +344,7 @@ To add the OWASP Dependency check plugin to your Quarkus Maven project, add the

[IMPORTANT]
====
Set the `owasp-dependency-check-plugin.version` value to `7.1.1` or later.
Set the `owasp-dependency-check-plugin.version` value to `7.4.3` or later.
====

Next, configure the plugin as follows: