java - 无法在 Maven 中获取依赖项检查报告
问题描述
我正在尝试获取我的一个 Maven 项目的依赖项检查报告,但每次我运行时:
mvn verify
依赖项报告中的依赖项显示没有易受攻击的 JAR。
我在我的 POM 中添加了以下插件以生成依赖项检查报告:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-email</artifactId>
<version>1.1</version>
</dependency>
<dependency>
<groupId>apache.axis</groupId>
<artifactId>jaxrpc</artifactId>
<version>1.2beta</version>
<scope>provided</scope>
</dependency>
<dependencies>
<dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>3.3.2</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
我需要纠正什么或有其他方法吗?commons-email-1.1.jar
有一些漏洞,但仍然没有被检测到。
这些是 Maven 日志:
[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO] ... total of 1 executions of maven-deploy-plugin replaced with
nexus-staging-maven-plugin
[INFO]
[INFO]
[INFO] --- maven-clean-plugin:2.6.1:clean (default-clean) @ version-mana -
--
[INFO]
[INFO] --- maven-source-plugin:2.4:jar-no-fork (attach-sources) @ version-
mana ---
[INFO]
[INFO] --- maven-source-plugin:2.4:test-jar-no-fork (attach-sources) @
version-mana ---
[INFO]
[INFO] --- dependency-check-maven:3.3.2:check (default) @ version-mana ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (31 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
解决方案
如果您可以访问 maven 存储库(在执行此命令时)并安装 mvn/mvnw ,则可以从命令行执行此行。
mvn org.owasp:dependency-check-maven:5.2.2:check
“dependency-check-report.html”报告将在目标文件夹中生成。
推荐阅读
- c# - 从另一个类传递参数 string[] args 的问题
- java - 从发布请求java中获取变量
- c - 比较数组中名称字符串且不区分大小写的函数
- devexpress - DevExpress 和 Syncfusion
- scikit-learn - Python - RandomForestClassifier 和 XGBClassifier 具有完全相同的分数
- powerbi - 将 CSV 数据转换为 DAX 表
- node.js - 使用 Axios 创建文件系统缓存以在全局缓存 API 请求
- laravel - Laravel Vapor CLI 登录中止且没有错误。如何登录?
- selenium - java.lang.AssertionError:比较预期的错误消息
- r - 如何修复R中的行引用