An example on how to use the OWASP Dependency-Check maven plugin.

This example belongs to an article published in Java aktuell 01/2017: Automatic checks for vulnerabilities in Java project dependencies.
The original article (🇩🇪) can be found here: Automatisierte Überprüfung von Sicherheitslücken in Abhängigkeiten von Java-Projekten.

This example contains the following

• a maven multi-module project creating a WAR
• a module containing a dependency with CVE, that is not contained in the WAR (module internal-module-with-vulnerability)
• a module containing a dependency with CVE, that is contained in the WAR (module published-module-with-vulnerability) but is considered to be a false positive and is suppressed in suppressed-cves.xml
• the final artifact (module war) that in turn contains dependencies with CVEs in test, provided and compile scopes.

To execute the OWASP dependency check, just call

mvn clean install org.owasp:dependency-check-maven:check

A report containing a CVE is generated to war/target/dependency-check-report.html.

The easiest way is to use this in Jenkins is the pipeline plugin (formerly known as workflow plugin). Tested with version 2.4. In Jenkins, do the following

• Install the OWASP Dependecy-Check Jenkins plugin (tested with version 1.4.3)
• Provide a maven tool called M3.3' and a JDK called JDK8u102, then
• Setup a new pipeline job in jenkins and add your repository URL,
• Optionally add a build parameter RECIPIENTS that contains a comma-separated list of all email recipients,
• Save and
• Build Now. You should get an email notifying about the unstable build due to the Security warning.

If you prefer to rely on the Jenkins GUI, setup the following maven command

mvn clean install org.owasp:dependency-check-maven:check -Ddependency-check-format=XML

from your Jenkins job and use the OWASP Dependecy-Check Jenkins plugin to analyze war/target/dependency-check-report.xml