Check Security Versions

As many know, the projects I work on are typically Maven projects. These projects have a variety of requirements, and I started experimenting with static analysis tools. I found a cool one based on the Red Hat victims project. I ran it and found two embedded, out-of-date jars. Below, one sees the command run; it highlights the vulnerable dependencies and the CVEs that correspond to them. Further, it puts a report in the target directory of each module (great for reporting and seeing where/how it's vulnerable).

$ mvn com.redhat.victims.maven:security-versions:check -f parent/pom.xml
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] parent [pom]
[INFO] api [jar]
[INFO] webapp [webapp]
[INFO]
[INFO] ---------------< group:parent >----------------
[INFO] Building parent 99-SNAPSHOT [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- security-versions:1.0.6:check (default-cli) @ parent ---
[INFO] Analyzing the dependencies for group:parent
[INFO] Syncing with the victims repository (based on the atom feed)
[INFO] Downloading: https://github.com/victims/victims-cve-db/commits.atom
[INFO] Already to the latest version.
[INFO] Analyzing the dependencies for group:api
[ERROR] com.fasterxml.jackson.core:jackson-databind is vulnerable to CVE-2017-7525
[INFO] Analyzing the dependencies for group:webapp
[ERROR] commons-collections:commons-collections is vulnerable to CVE-2015-7501
------------------------------------------------------------------------
[INFO] Reactor Summary for parent 99-SNAPSHOT:
[INFO]
[INFO] parent ......... SUCCESS [ 3.170 s]
[INFO] api ...................................... SKIPPED
[INFO] webapp .............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.636 s
[INFO] Finished at: 2019-08-13T07:04:08-04:00
[INFO] ------------------------------------------------------------------------
$
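One thing worth noticing in the output above is that the plugin reports two vulnerable dependencies and yet the reactor still ends with BUILD SUCCESS, so a CI job that only checks Maven's exit status would not notice. The script below is an added example (it is not part of the original post and not the plugin's own code): it parses the `[ERROR] ... is vulnerable to CVE-...` lines that security-versions prints into a machine-readable list and returns a non-zero status when any are found. The log text embedded in it is a constructed sample modelled on the output shown above, so the script runs offline without Maven.

```shell
#!/bin/sh
# Added example: turn security-versions findings into a failing check.
# SAMPLE_LOG is a constructed sample, modelled on the post's Maven output.

SAMPLE_LOG='[INFO] Analyzing the dependencies for group:parent
[INFO] Analyzing the dependencies for group:api
[ERROR] com.fasterxml.jackson.core:jackson-databind is vulnerable to CVE-2017-7525
[INFO] Analyzing the dependencies for group:webapp
[ERROR] commons-collections:commons-collections is vulnerable to CVE-2015-7501
[INFO] BUILD SUCCESS'

# extract_findings: read Maven output on stdin and print one
# "<groupId>:<artifactId> <CVE>" line per vulnerable dependency.
extract_findings() {
    sed -n 's/^\[ERROR\] \([^ ]*\) is vulnerable to \(CVE-[0-9]*-[0-9]*\).*/\1 \2/p'
}

# count_findings: number of vulnerable dependencies in the given log text.
count_findings() {
    printf '%s\n' "$1" | extract_findings | wc -l | tr -d ' '
}

# check_log: print the findings and return 1 if there are any, 0 otherwise.
# This is what makes the pipeline fail even though Maven says BUILD SUCCESS.
check_log() {
    findings=$(printf '%s\n' "$1" | extract_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Intended use in CI (assumed invocation, not run here):
#   mvn com.redhat.victims.maven:security-versions:check -f parent/pom.xml | tee build.log
#   check_log "$(cat build.log)" || exit 1
```

Running `check_log` on the sample prints the two coordinate/CVE pairs and returns 1; on a log without `[ERROR] ... is vulnerable to` lines it returns 0, so `|| exit 1` after it is enough to gate a build.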
