OWASP dependency check for a folder with multiple maven projects

Sometimes its useful to quick check if multiple maven projects which are located in a subfolder are using vulnerable 3th party libraries:


- folderToScan
  -- project1
    --- pom.xml
  -- project2
    --- pom.xml
 ...

If you don’t want to touch each of the pom.xml or integrating all the projects into a buildchain, this could be done by calling all pom.xml, downloading all referenced jars to the project folders and scanning against nvd cve database using the owasp dependency checker. From “folderToScan” call:

find . -name "pom.xml" -exec mvn dependency:copy-dependencies -DoutputDirectory=./lib  -f '{}' \;

dependency-check --project "MY_SCAN_PROJECT" --scan "PATH_TO_FOLDER_TO_SCAN/**/*.jar"

koelnerwasser.de

Java, .Net and other parts of my life

OWASP dependency check for a folder with multiple maven projects

Leave a Reply