Reputation: 668
dependency-check for application code
I am looking for a solution to implement security-scanning of the application code-base at the time of a build. The idea is to capture a list of security vulnerabilities early in the software development life cycle.
I have a simple java project which uses a maven build. The java project specifies a number of .jar dependencies and comes up with a .war file as a build output.
I came across (and was able to configure) the dependency-check maven plugin (http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html). However, though it scans the dependency jars and comes up with a vulnerability report, it doesn't seem to scan the final artifact - which in my case is the .war file.
How do I ensure that the .war is scanned as well? Is the dependency-check plugin the right tool for this?
Upvotes: 0
Views: 1775
Answers (1)
Reputation: 928
dependency-check isn't the right tool for checking your own code. It uses a list of known vulnerability reports to determine if any of your dependancies have known flaws. It does not do an active scan of the code. see Plugin wiki
For checking your own code, HP's Fortify is a decent commercial solution, but if you are working in more of a DIY software setting, I would recommend Sonar. There are certainly many static code analysis tools out there. All have advantages and disadvantages.
Upvotes: 4
Related Questions
- Secure hash and salt for PHP passwords
- Why is char[] preferred over String for passwords?
- Run OWASP Dependency Check on all old versions
- OWASP dependency-check maven vs command line not same results
- Correct way to declare multiple scope for Maven dependency?
- Dealing with "Xerces hell" in Java/Maven?
- How should I ethically approach user password storage for later plaintext retrieval?
- dependency-check Maven Plugin
- Maven WAR dependency