OWASP dependency check for a folder with multiple maven projects

Sometimes its useful to quick check if multiple maven projects which are located in a subfolder are using vulnerable 3th party libraries:


- folderToScan
-- project1
--- pom.xml
-- project2
--- pom.xml
...

If you don’t want to touch each of the pom.xml or integrating all the projects into a buildchain, this could be done by calling all pom.xml, downloading all referenced jars to the project folders and scanning against nvd cve database using the owasp dependency checker. From “folderToScan” call:

find . -name "pom.xml" -exec mvn dependency:copy-dependencies -DoutputDirectory=./lib  -f '{}' \;

dependency-check --project "MY_SCAN_PROJECT" --scan "PATH_TO_FOLDER_TO_SCAN/**/*.jar"



Leave a Reply

Your email address will not be published.

*