Find and fix vulnerable dependencies
org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
Recipe source
GitHub, Issue Tracker, Maven Central
groupId: org.openrewrite.recipe
artifactId: rewrite-java-dependencies
version: 1.7.0
Options
| Type | Name | Description | Example |
|---|---|---|---|
| | scope | Optional. Match dependencies with the specified scope. Default is | |
| | overrideTransitive | Optional. When enabled, transitive dependencies with vulnerabilities will have their versions overridden. By default only direct dependencies have their version numbers upgraded. | |
| | addMarkers | Optional. Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff. | |
Data Tables (Only available on the Moderne platform)
Vulnerability report
A vulnerability report that includes detailed information about the affected artifact and the corresponding CVEs.
| Column Name | Description |
|---|---|
| CVE | The CVE number. |
| Group | The first part of a dependency coordinate. |
| Artifact | The second part of a dependency coordinate. |
| Version | The resolved version. |
| Fixed in version | The minimum version that is no longer vulnerable. |
| Fixable with version update only | Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver. |
| Summary | The summary of the CVE. |
| Base score | The calculated base score. |
| Depth | Zero for direct dependencies. |
| CWEs | Common Weakness Enumeration (CWE) identifiers; semicolon separated. |
Usage
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.7.0 in your build file or by running a shell command (in which case no build changes are needed):
Add the following to your build.gradle file:
Run gradle rewriteRun to run the recipe.
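The build.gradle configuration that the steps above refer to, written out here as an added example rather than copied from the page; the rewrite Gradle plugin version is a placeholder you must replace with a current release, and the recipe coordinates are the ones given on this page:

```groovy
plugins {
    // Placeholder: substitute the current org.openrewrite.rewrite plugin release.
    id("org.openrewrite.rewrite") version("REWRITE_PLUGIN_VERSION")
}

rewrite {
    // Activates the recipe documented on this page.
    // It only bumps patch versions, so a dependency whose fix lives in a newer
    // minor/major line stays unchanged and shows up in the vulnerability report.
    activeRecipe("org.openrewrite.java.dependencies.DependencyVulnerabilityCheck")
}

repositories {
    mavenCentral()
}

dependencies {
    // Module that ships the recipe, at the version listed under "Recipe source".
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.7.0")
}
```

Running gradle rewriteRun then applies the upgrades; run gradle rewriteDryRun first if you only want the proposed diff without modifying the build.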
See how this recipe works across multiple open-source repositories
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.