dependency-check is a standalone maven plugin which checks for vulnerable dependencies. It’s hosted on GitHub. I switched to it from the victims-db, which no longer looks like it is updated. I had to carefully analyze the output, it was very helpful finding one issue where we had an unintended include.
Build
export TAG=4.10.2
git checkout ${TAG}
mvn clean install -f fhir-examples -DskipTests
mvn clean install -f fhir-parent -DskipTests
mvn org.owasp:dependency-check-maven:check -f fhir-parent/ -l output-${TAG}.log
grep -e 'vulnerabilities' -e CVE- output-${TAG}.log > summary-${TAG}.log
Output Note, this is some what cleaned up.
fhir-term-graph:
ant-1.7.0.jar (pkg:maven/org.apache.ant/ant@1.7.0, cpe:2.3:a:apache:ant:1.7.0:*:*:*:*:*:*:*) : CVE-2020-1945
cassandra-driver-core-3.11.0.jar (pkg:maven/com.datastax.cassandra/cassandra-driver-core@3.11.0, cpe:2.3:a:apache:cassandra:3.11.0:*:*:*:*:*:*:*) : CVE-2018-8016, CVE-2020-13946, CVE-2020-17516
gremlin-core-3.5.1.jar (pkg:maven/org.apache.tinkerpop/gremlin-core@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137
Leave a Reply