SoFunction
Updated on 2025-04-07

Detailed explanation of Java dependency package vulnerability detection command

1. Vulnerability scanning tool

  • Maven plugin: OWASP Dependency-Check (artifact dependency-check-maven)

2. Command

Check a single Maven project for known vulnerabilities

mvn dependency-check:check

This command scans the project's dependencies and writes a report file into the target directory containing the vulnerability analysis for each dependency.

Check several Maven submodules and produce one aggregated report

mvn dependency-check:aggregate

This command analyzes the current project and all of its submodules and generates a single combined report; run it from the parent project.

Update the local vulnerability database

mvn dependency-check:update-only

This command only refreshes the local copy of the NVD vulnerability data and does not analyze the project's dependencies. It is the step to run on a schedule (or in a cache warm-up job) so that later scans can skip the download. Current plugin versions fetch the data through the NVD API, and configuring an API key (the nvdApiKey parameter) avoids throttling on that download.

Delete the local copy of the vulnerability data

mvn dependency-check:purge

This command deletes the local copy of the vulnerability data; the next check or update-only run downloads everything again. Use it when the local database is corrupted or a stale copy is suspected.

3. Quickly generate reports

Skip database updates

When you run mvn dependency-check:check, the slow part is the automatic update of the NVD CVE data that the plugin performs before analysis. The plugin's switch for this is the autoUpdate parameter: setting it to false skips the download and makes repeated scans much faster. The -DskipAssembly=true flag that is sometimes suggested for this purpose belongs to the maven-assembly-plugin and has no effect on Dependency-Check. With autoUpdate set to false in the plugin configuration (see the next subsection), the command stays the same:

mvn dependency-check:check

Keep in mind that a scan with updates disabled only knows about vulnerabilities published before the last update, so pair it with a scheduled mvn dependency-check:update-only run.

Use an existing CVE database

If you have already downloaded the CVE data and do not want to refresh it on every run, point the plugin at the local copy with dataDirectory and disable automatic updates. Dependency-Check will then scan against the local database instead of contacting the NVD each time. The plugin configuration looks like this:

<plugin>
    <!-- OWASP Dependency-Check Maven plugin -->
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>Your plugin version</version>
    <configuration>
        <!-- Directory that already holds the downloaded NVD data -->
        <dataDirectory>yourCVEDatabase path</dataDirectory>
        <!-- Do not download NVD updates before scanning -->
        <autoUpdate>false</autoUpdate>
    </configuration>
    <executions>
        <execution>
            <goals>
                <!-- Bind the check goal so it runs during the build (verify phase by default) -->
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

With this configuration, Dependency-Check scans against the CVE data under the specified directory without updating it first. The directory must already contain data from an earlier check or update-only run; otherwise the scan has nothing to match against.

With these steps you can re-run the check immediately after fixing a vulnerability and get a fresh report without waiting for the database download, which noticeably shortens the fix-and-verify cycle.
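The fix-and-verify loop above is easier to drive from a script than from the HTML report. The plugin can gate the build by itself through its failBuildOnCVSS parameter, but a small report parser also tells you which CVEs a fix removed and which are still open. The following is an added example, not code from the article or from the Dependency-Check project. It assumes the scan was run with -Dformat=JSON (or ALL) so that a JSON report exists, and it assumes the report layout dependencies[] -> vulnerabilities[] with "name", "severity" and a "cvssv3" {"baseScore"} or "cvssv2" {"score"} object; verify those field names against the report your plugin version writes. The two embedded reports are constructed samples with placeholder CVE ids, not real scan output.

```python
"""Gate and compare OWASP Dependency-Check JSON reports (added example).

Assumes -Dformat=JSON was used and the field layout described in the lead-in;
check the field names against the report your plugin version produces.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample reports with placeholder CVE ids (not real scan output).
# BEFORE stands for the scan that found a vulnerable artifact, AFTER for the
# re-scan after upgrading that artifact.
BEFORE_JSON = """{
  "reportSchema": "1.1",
  "dependencies": [
    {"fileName": "example-lib-1.0.jar",
     "packages": [{"id": "pkg:maven/com.example/example-lib@1.0"}],
     "vulnerabilities": [
       {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
       {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
    {"fileName": "clean-lib-2.3.jar",
     "packages": [{"id": "pkg:maven/com.example/clean-lib@2.3"}]}
  ]
}"""

AFTER_JSON = """{
  "reportSchema": "1.1",
  "dependencies": [
    {"fileName": "example-lib-1.1.jar",
     "packages": [{"id": "pkg:maven/com.example/example-lib@1.1"}],
     "vulnerabilities": [
       {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}},
       {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
    {"fileName": "clean-lib-2.3.jar",
     "packages": [{"id": "pkg:maven/com.example/clean-lib@2.3"}]}
  ]
}"""

Finding = Tuple[str, str, float]  # (dependency file name, CVE id, CVSS score)


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, 0.0 if neither is present."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def findings(report_text: str, threshold: float = 7.0) -> List[Finding]:
    """All vulnerabilities scoring at or above threshold, highest score first."""
    report = json.loads(report_text)
    hits: List[Finding] = []
    for dep in report.get("dependencies", []):
        # Dependencies without findings simply lack the "vulnerabilities" key.
        for vuln in dep.get("vulnerabilities") or []:
            score = cvss_score(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda f: (-f[2], f[0], f[1]))


def compare(before_text: str, after_text: str, threshold: float = 7.0) -> Dict[str, List[str]]:
    """Diff two reports by CVE id: what the fix removed, what remains, what is new.

    Keyed on CVE id rather than file name because an upgrade changes the jar name.
    """
    before = {cve for _, cve, _ in findings(before_text, threshold)}
    after = {cve for _, cve, _ in findings(after_text, threshold)}
    return {"fixed": sorted(before - after),
            "remaining": sorted(before & after),
            "new": sorted(after - before)}


def main(argv: List[str]) -> int:
    """Usage: check_report.py <report.json> [<previous-report.json>] [threshold]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    threshold = float(argv[3]) if len(argv) > 3 else 7.0
    with open(argv[1], encoding="utf-8") as fh:
        current = fh.read()
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            diff = compare(fh.read(), current, threshold)
        for key in ("fixed", "remaining", "new"):
            print(f"{key:>9}: {', '.join(diff[key]) or '-'}")
    hits = findings(current, threshold)
    for file_name, cve, score in hits:
        print(f"{score:4.1f}  {cve:<16}  {file_name}")
    return 1 if hits else 0  # non-zero exit lets a CI job fail on open findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_report.py target/dependency-check-report.json previous-report.json 7.0` after the re-scan: the diff section shows which CVEs the dependency upgrade actually closed, and the non-zero exit code fails the job while anything at or above the threshold is still open. Note that cvss_score treats a vulnerability with no score as 0.0, so entries that carry only a textual severity never reach the threshold; adjust that if your reports rely on the severity field.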
