
Find and fix vulnerable dependencies

org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
This software composition analysis (SCA) recipe detects dependencies with publicly disclosed vulnerabilities and upgrades them to versions that contain a fix. It produces a report of vulnerable dependencies and, where the fixed version is only a minor or patch version bump away, changes the version automatically; a fix that requires a major version bump is reported but not applied, because a new major version may introduce breaking changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates data from several public sources, including the National Vulnerability Database maintained by the United States government. The automatic-upgrade decision assumes the dependency follows Semantic Versioning.

Source

  • groupId: org.openrewrite.recipe
  • artifactId: rewrite-java-dependencies
  • version: 1.0.9

Options

  • scope (String, required): Match dependencies with the specified scope, for example compile.
  • overrideManagedVersion (Boolean, optional): Set to true to explicitly override a managed dependency's version (one pinned in dependencyManagement or a BOM). Defaults to false.
  • addMarkers (Boolean, optional): Report each vulnerability as a marker in the search results. With this off, the suggested version changes are easier to see.

Data Tables (Only available on the Moderne platform)

Vulnerability report

A vulnerability report with detailed information about each affected artifact and the corresponding CVEs. One row per CVE and coordinate, with these columns:
  • CVE: The CVE number.
  • Group: The first part of a dependency coordinate (com.google.guava in com.google.guava:guava:VERSION).
  • Artifact: The second part of a dependency coordinate (guava in com.google.guava:guava:VERSION).
  • Version: The resolved version.
  • Fixed in version: The minimum version that is no longer vulnerable.
  • Fixable with version update only: Whether the vulnerability is likely to be fixed by increasing the dependency version alone, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.
  • Summary: The summary of the CVE.
  • Base score: The CVSS base score.
  • Depth: Zero for direct dependencies; greater than zero for transitive dependencies, counting how many levels deep they sit in the resolved dependency tree.
  • CWEs: Common Weakness Enumeration (CWE) identifiers; semicolon separated.
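The description of this recipe and the "Fixable with version update only" column rest on one rule: compare the resolved version with the advisory's fixed-in version under semver, upgrade automatically when the fix is a patch or minor bump, and only report when it needs a major bump. The Python below is an added illustration of that rule over a small constructed classpath; it is not code from OpenRewrite or the Moderne platform, the helper names (parse_version, classify, plan, Advisory) are my own, and the coordinates, versions and EXAMPLE-000n advisory ids are made-up sample data.

```python
# Added illustration of the upgrade rule described above; this is not code from
# OpenRewrite or the Moderne platform. Coordinates, versions and advisory ids
# below (EXAMPLE-000n) are constructed sample data; function names are my own.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading MAJOR.MINOR[.PATCH]; qualifiers such as "-jre" or ".Final" are ignored.
_SEMVER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Maven version, or None if it is not
    semver-like (date-style versions such as 2021-03 fall into that bucket)."""
    m = _SEMVER.match(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(resolved: str, fixed_in: str) -> str:
    """What the recipe would do with one coordinate, given the resolved version
    and the minimum fixed version from the advisory:
      'upgrade'       same major: patch or minor bump, changed automatically
      'report'        major bump: listed in the report, left for a human
      'not-affected'  resolved version is already at or past the fix
      'unknown'       not semver, so the heuristic cannot be applied
    """
    cur, fix = parse_version(resolved), parse_version(fixed_in)
    if cur is None or fix is None:
        return "unknown"
    if cur >= fix:
        return "not-affected"
    return "upgrade" if cur[0] == fix[0] else "report"


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    fixed_in: str


def plan(resolved: Dict[str, str], advisories: List[Advisory]) -> List[dict]:
    """Join resolved coordinates ("group:artifact" -> version) against advisories
    and return one report row per affected dependency, in advisory order."""
    rows = []
    for adv in advisories:
        key = f"{adv.group}:{adv.artifact}"
        version = resolved.get(key)
        if version is None:
            continue  # not on this project's classpath
        action = classify(version, adv.fixed_in)
        if action == "not-affected":
            continue
        rows.append({"cve": adv.cve, "coordinate": key, "version": version,
                     "fixed_in": adv.fixed_in, "action": action})
    return rows


# Constructed sample input: a resolved classpath and matching advisories.
SAMPLE_RESOLVED = {
    "com.example:json-mapper": "2.13.2",    # patch bump available
    "com.example:logging-core": "2.14.1",   # minor bump available
    "com.example:legacy-xml": "1.9.0",      # fix only in the next major
    "com.example:calendar": "2021-03",      # not semver
    "com.example:http-client": "4.5.14",    # already past the fixed version
}
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "com.example", "json-mapper", "2.13.4"),
    Advisory("EXAMPLE-0002", "com.example", "logging-core", "2.17.1"),
    Advisory("EXAMPLE-0003", "com.example", "legacy-xml", "2.0.0"),
    Advisory("EXAMPLE-0004", "com.example", "calendar", "2.0.0"),
    Advisory("EXAMPLE-0005", "com.example", "http-client", "4.5.13"),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_RESOLVED, SAMPLE_ADVISORIES):
        print(f'{row["cve"]:13} {row["coordinate"]:28} {row["version"]:>8} '
              f'-> {row["fixed_in"]:>8}  {row["action"]}')
```

Two caveats carry over to the real recipe. The heuristic is only as good as the library's adherence to semver: a project that ships breaking changes in a minor release will be upgraded anyway, so the result still needs a test run. And Maven's version ordering is richer than a leading digit triple (qualifiers, Final, RC, date-style versions); the example simply treats anything it cannot parse as "unknown" rather than guessing, which is the conservative choice for a tool that edits build files.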

Usage

This recipe has required configuration parameters, so it cannot be activated directly. To activate it, create a new recipe in your rewrite.yml with a unique name (for example com.yourorg.DependencyVulnerabilityCheckExample) that fills in the required parameters. Here is how such a recipe can be defined and customized in rewrite.yml:
rewrite.yml
---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.DependencyVulnerabilityCheckExample
displayName: Find and fix vulnerable dependencies example
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: compile
      overrideManagedVersion: false
      addMarkers: null   # optional; leave unset, or set true/false explicitly
Now that com.yourorg.DependencyVulnerabilityCheckExample has been defined, activate it and take a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.0.9 in your build file:
Gradle
  1. Add the following to your build.gradle file:
build.gradle
plugins {
    id("org.openrewrite.rewrite") version("6.3.11")
}

rewrite {
    activeRecipe("com.yourorg.DependencyVulnerabilityCheckExample")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.0.9")
}
  2. Run gradle rewriteRun to run the recipe. To see the vulnerability report and the proposed version changes without modifying any files, run gradle rewriteDryRun first.
Maven
  1. Add the following to your pom.xml file:
pom.xml
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.5.2</version>
        <configuration>
          <activeRecipes>
            <recipe>com.yourorg.DependencyVulnerabilityCheckExample</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.0.9</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
  2. Run mvn rewrite:run to run the recipe. To see the vulnerability report and the proposed version changes without modifying any files, run mvn rewrite:dryRun first.

See how this recipe works across multiple open-source repositories

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.