Unable to get dependency check report in Maven

Problem description

I am trying to get a dependency check report for one of my Maven projects, but every time I run:

mvn verify

the dependency report shows no vulnerable JARs among the dependencies.

I added the following plugin to my POM to generate the dependency check report:

 <dependencyManagement>
     <dependencies>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-email</artifactId>
             <version>1.1</version>
         </dependency>
         <dependency>
             <groupId>apache.axis</groupId>
             <artifactId>jaxrpc</artifactId>
             <version>1.2beta</version>
             <scope>provided</scope>
         </dependency>
     </dependencies>
 </dependencyManagement>
 <build>
     <plugins>
         <plugin>
             <groupId>org.owasp</groupId>
             <artifactId>dependency-check-maven</artifactId>
             <version>3.3.2</version>
             <executions>
                 <execution>
                     <goals>
                         <goal>check</goal>
                     </goals>
                 </execution>
             </executions>
         </plugin>
     </plugins>
 </build>

What do I need to correct, or is there another way? commons-email-1.1.jar has some vulnerabilities, but it is still not being detected.

These are the Maven logs:

[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO]
[INFO]
[INFO] --- maven-clean-plugin:2.6.1:clean (default-clean) @ version-mana ---
[INFO]
[INFO] --- maven-source-plugin:2.4:jar-no-fork (attach-sources) @ version-mana ---
[INFO]
[INFO] --- maven-source-plugin:2.4:test-jar-no-fork (attach-sources) @ version-mana ---
[INFO]
[INFO] --- dependency-check-maven:3.3.2:check (default) @ version-mana ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (31 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)

Tags: java, maven

Solution

If you have access to the Maven repository (when running this command) and have mvn/mvnw installed, you can run this line from the command line.

mvn org.owasp:dependency-check-maven:5.2.2:check

The report "dependency-check-report.html" will be generated in the target folder.
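As an added example (not part of the question or the answer above), here is the POM from the question rewritten so that the scanner actually has something to analyze: an entry under <dependencyManagement> only pins a version and is never resolved into the build, so the two artifacts are declared under <dependencies> instead. The plugin version follows the answer, `format` and `failBuildOnCVSS` are the plugin's own parameters, and the project coordinates and the CVSS threshold of 7 are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- assumed coordinates -->
  <artifactId>version-mana</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- Declared as real dependencies: only artifacts resolved into the build
       are scanned. A <dependencyManagement> entry alone pins a version and
       adds nothing to the classpath, so the analyzers find no files. -->
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-email</artifactId>
      <version>1.1</version>
    </dependency>
    <dependency>
      <groupId>apache.axis</groupId>
      <artifactId>jaxrpc</artifactId>
      <version>1.2beta</version>
      <scope>provided</scope>   <!-- provided scope is scanned by default -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.2.2</version>
        <configuration>
          <!-- ALL writes the HTML report for people plus XML/JSON/CSV
               for CI tooling, all under target/ -->
          <format>ALL</format>
          <!-- Fail the build on any finding with CVSS >= 7 (assumed threshold) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` runs the check in the verify phase and stops the build when a finding at or above the threshold is reported.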
