TEZ-3975. Add OWASP Dependency Check to the build
authorJonathan Eagles <jeagles@yahoo-inc.com>
Wed, 26 Sep 2018 20:48:48 +0000 (13:48 -0700)
committerJason Lowe <jlowe@apache.org>
Wed, 26 Sep 2018 20:48:48 +0000 (13:48 -0700)
Signed-off-by: Jason Lowe <jlowe@apache.org>
pom.xml

diff --git a/pom.xml b/pom.xml
index 8add2e0..8bce5dd 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -61,6 +61,7 @@
     <findbugs-maven-plugin.version>3.0.1</findbugs-maven-plugin.version>
     <javadoc-maven-plugin.version>2.10.4</javadoc-maven-plugin.version>
     <shade-maven-plugin.version>2.4.3</shade-maven-plugin.version>
+    <dependency-check-maven.version>1.3.6</dependency-check-maven.version>
   </properties>
   <scm>
     <connection>${scm.url}</connection>
           </configuration>
         </plugin>
         <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>${dependency-check-maven.version}</version>
+        </plugin>
+        <plugin>
           <groupId>org.codehaus.mojo</groupId>
           <artifactId>findbugs-maven-plugin</artifactId>
           <version>${findbugs-maven-plugin.version}</version>
           <excludeFilterFile>${basedir}/findbugs-exclude.xml</excludeFilterFile>
         </configuration>
       </plugin>
+      <plugin>
+       <!-- OWASP's dependency-check plugin will scan the third party
+            dependencies of this project for known CVEs (security
+            vulnerabilities against them). It will produce a report
+            in target/dependency-check-report.html. To invoke, run
+            'mvn dependency-check:aggregate'
+       -->
+       <groupId>org.owasp</groupId>
+       <artifactId>dependency-check-maven</artifactId>
+       <version>${dependency-check-maven.version}</version>
+     </plugin>
    </plugins>
   </build>
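Review bot: The `<plugin>` entry added to `<build><plugins>` at the end of the section (L35–L45, whose enclosing `<plugins>` opens outside the hunk) carries no `<configuration>`, so the scan is report-only: a dependency with a known CVE is written to the HTML report but never fails the build, and nobody is forced to look at it. If the check is meant to gate the build, a threshold such as `<configuration><failBuildOnCVSS>7</failBuildOnCVSS></configuration>` (choose the CVSS cut-off the project wants) turns findings into build failures; the plugin also presumably needs network access to refresh its CVE data at scan time, which is worth a sentence in the comment for anyone running it in an offline CI. The `<version>` repeated in that second declaration is redundant with the `<pluginManagement>` entry added earlier in the same file — Maven already takes the managed version, so dropping it leaves one place to bump. The new block's indentation (children at seven spaces, closing `</plugin>` at five) also does not match the neighbouring plugin entries at six/eight.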