Reputation: 11071
Disable modules in owasp dependency-check maven plugin
In my project I use dependency-check-maven to run OWASP verifications. Project contains several java modules and a front end module. Configuration in pom is basic one like this
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>4</failBuildOnCVSS>
<suppressionFiles>
<suppressionFile>owasp-suppressions.xml</suppressionFile>
</suppressionFiles>
<cveUrlBase>...</cveUrlBase>
<cveUrlModified>...</cveUrlModified>
<format>ALL</format>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<cveValidForHours>24</cveValidForHours>
</configuration>
</plugin>
Is it possible to configure the plugin such way that it ignores my front end module but analyses all other ones?
I try to run mvn -Dowasp.dependency-check.excludes=frontend-1.0.1-SNAPSHOT.jar org.owasp:dependency-check-maven:aggregate in the root folder of my project but verification is done in frontend as well
Upvotes: 5
Views: 5118
Answers (3)
Reputation: 1286
There is not much (or any) documentation about this, but it can be achieved through Maven configuration by adding an exclusion
The format of the exclusion is <exlude>groupId:artefact</exclude> and the following example illustrates how to do it for your case but bear in mind that I don't know your groupId so I used com.example instead
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>9.0.9</version>
<configuration>
<!-- Your configuration -->
<excludes>
<exclude>com.example:frontend</exclude>
</excludes>
</configuration>
</plugin>
There are some other use cases in this Github issue: https://github.com/jeremylong/DependencyCheck/issues/1009
Upvotes: 0
Reputation: 41
Add the following to each submodule to be excluded:
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
Upvotes: 4
Reputation: 11
I've the same issue to ignore some javascript modules to be analyzed by the dependency check.
As you can see at https://github.com/jeremylong/DependencyCheck/issues/1009 the developers have an open PR to resolve this request.
I've solved this by not building the javascript module:
mvn verify -pl '!frontend'
It's just a workaround to get the results of the dependency-check locally.
Maybe there exists better ideas?
Upvotes: 1
Related Questions
- How to exclude dependencies from maven assembly plugin : jar-with-dependencies?
- dependency-check-maven - suppression not working
- Suppress Maven Dependency Plugin's "Unused declared dependencies found" warnings
- how to disable rpm-maven-plugin on sub modules
- Suppress OWASP findings for JAR in certain dependency
- Preventing Maven Modules from being Deployed
- In a Maven multi-module project, how can I disable a plugin in one child?
- OWASP Dependency Check determines wrong artifacts
- Maven disable plugin
- How to ignore a Maven plugin