diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0dc547a4feba4..0a630125f7f29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small * [Extensions](#extensions) + [Descriptions](#descriptions) + [Update dependencies to extensions](#update-dependencies-to-extensions) + + [Check security vulnerabilities](#check-security-vulnerabilities) * [The small print](#the-small-print) * [Frequently Asked Questions](#frequently-asked-questions) @@ -694,6 +695,12 @@ were changed by the script. When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as long as the extension artifact is still present in your local Maven repository. +### Check security vulnerabilities + +When adding a new extension or updating the dependencies of an existing one, +it is recommended to run in the extension directory the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Dowasp-check` +so that known security vulnerabilities in the extension dependencies can be detected early. + ## The small print This project is an open source project, please act responsibly, be nice, polite and enjoy! diff --git a/build-parent/pom.xml b/build-parent/pom.xml index 2ff4c7496a5d0..ece649287c5ec 100644 --- a/build-parent/pom.xml +++ b/build-parent/pom.xml @@ -172,6 +172,7 @@ 1.1.1 + 7.4.4 @@ -719,6 +720,17 @@ + + org.owasp + dependency-check-maven + ${owasp-dependency-check-plugin.version} + + + false + false + false + + @@ -1235,7 +1247,17 @@ - + + owasp-check + + + owasp-check + + + + dependency-check:check + + Windows diff --git a/docs/src/main/asciidoc/security-overview-concept.adoc b/docs/src/main/asciidoc/security-overview-concept.adoc index 2af860fe09c56..5191ba2866dc2 100644 --- a/docs/src/main/asciidoc/security-overview-concept.adoc +++ b/docs/src/main/asciidoc/security-overview-concept.adoc @@ -344,7 +344,7 @@ To add the OWASP Dependency check plugin to your Quarkus Maven project, add the [IMPORTANT] ==== -Set the `owasp-dependency-check-plugin.version` value to `7.1.1` or later. +Set the `owasp-dependency-check-plugin.version` value to `7.4.4` or later. ==== Next, configure the plugin as follows: