java使用dependency-check檢查依賴漏洞

demo位址

引入dependnecy-check插件

項目中原有的依賴是這樣的

<dependency>
            <groupId>io.netty</groupId>
            <artifactId>netty-all</artifactId>
            <version>4.1.41.Final</version>
        </dependency>           

<plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check-maven.version}</version>
            <configuration>
              <suppressionFiles>
                <suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
              <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
              <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
              <pyDistributionAnalyzerEnabled>false</pyDistributionAnalyzerEnabled>
              <pyPackageAnalyzerEnabled>false</pyPackageAnalyzerEnabled>
              <pipAnalyzerEnabled>false</pipAnalyzerEnabled>
              <pipfileAnalyzerEnabled>false</pipfileAnalyzerEnabled>
              <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
              <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
              <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
              <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
              <skipSystemScope>true</skipSystemScope>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>           

然後可以通過mvn clean install verify -DskipTests來檢測。這個demo下，會輸出

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
[ERROR] 
[ERROR] netty-all-4.1.41.Final.jar: CVE-2019-16869(7.5), CVE-2021-37136(7.5), CVE-2020-11612(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1), CVE-2020-7238(7.5)
[ERROR] 
[ERROR] See the dependency-check report for more details.           

實際使用時，由于dependency-check檢查相對耗時，一般通過單獨的profile來控制開關

屏蔽CVE漏洞

如果出現dependency-check誤報或者是評估該漏洞不涉及，可以通過supression file來屏蔽

屏蔽單一CVE漏洞

<suppress>
    <notes><![CDATA[
   file name: zookeeper-prometheus-metrics-3.8.0.jar
   ]]></notes>
    <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1>
    <cve>CVE-2021-29425</cve>
  </suppress>           

通過檔案正則來屏蔽CVE漏洞

<suppress>
        <notes>CVE-2011-1797 FP, see https://github.com/jeremylong/DependencyCheck/issues/4154</notes>
        <filePath regex="true">.*netty-tcnative-boringssl-static.*\.jar</filePath>
        <cve>CVE-2011-1797g</cve>
    </suppress>