Find and fix vulnerable dependencies

org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. Automatic upgrade of vulnerable versions is performed when the fixed version is a minor or patch version bump. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
Source
​GitHub, Issue Tracker, Maven Central​
groupId: org.openrewrite.recipe
artifactId: rewrite-java-dependencies
version: 1.0.9
Options
Type
Name
Description
String
scope
Match dependencies with the specified scope
Boolean
overrideManagedVersion
Optional. This flag can be set to explicitly override a managed dependency's version. The default for this flag is false.
Boolean
addMarkers
Optional. Report each vulnerability in search results. If this is off, it is easier to see suggested changes.
Data Tables (Only available on the Moderne platform)
Vulnerability report
A vulnerability report that includes detailed information about the affected artifact and the corresponding CVEs.
Column Name
Description
CVE
The CVE number.
Group
The first part of a dependency coordinate com.google.guava:guava:VERSION.
Artifact
The second part of a dependency coordinate com.google.guava:guava:VERSION.
Version
The resolved version.
Fixed in version
The minimum version that is no longer vulnerable.
Fixable with version update only
Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.
Summary
The summary of the CVE.
Base score
The calculated base score.
Depth
Zero for direct dependencies.
CWEs
Common Weakness Enumeration (CWE) identifiers; semicolon separated.
Usage
This recipe has required configuration parameters. Recipes with required configuration parameters cannot be activated directly. To activate this recipe you must create a new recipe which fills in the required parameters. In your rewrite.yml create a new recipe with a unique name. For example: com.yourorg.DependencyVulnerabilityCheckExample. Here's how you can define and customize such a recipe within your rewrite.yml:
rewrite.yml
---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.DependencyVulnerabilityCheckExample
displayName: Find and fix vulnerable dependencies example
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: compile
      overrideManagedVersion: false
      addMarkers: null
Now that com.yourorg.DependencyVulnerabilityCheckExample has been defined activate it and take a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.0.9 in your build file:
Gradle
Maven
1.Add the following to your build.gradle file:
build.gradle
plugins {
    id("org.openrewrite.rewrite") version("6.3.11")
}
​
rewrite {
    activeRecipe("com.yourorg.DependencyVulnerabilityCheckExample")
}
​
repositories {
    mavenCentral()
}
​
dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.0.9")
}
2.Run gradle rewriteRun to run the recipe.
1.Add the following to your pom.xml file:
pom.xml
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.5.2</version>
        <configuration>
          <activeRecipes>
            <recipe>com.yourorg.DependencyVulnerabilityCheckExample</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.0.9</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
2.Run mvn rewrite:run to run the recipe.
See how this recipe works across multiple open-source repositories
​​
​​
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.

Type	Name	Description
`String`	scope	Match dependencies with the specified scope
`Boolean`	overrideManagedVersion	Optional. This flag can be set to explicitly override a managed dependency's version. The default for this flag is `false`.
`Boolean`	addMarkers	Optional. Report each vulnerability in search results. If this is off, it is easier to see suggested changes.

Column Name	Description
CVE	The CVE number.
Group	The first part of a dependency coordinate `com.google.guava:guava:VERSION`.
Artifact	The second part of a dependency coordinate `com.google.guava:guava:VERSION`.
Version	The resolved version.
Fixed in version	The minimum version that is no longer vulnerable.
Fixable with version update only	Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.
Summary	The summary of the CVE.
Base score	The calculated base score.
Depth	Zero for direct dependencies.
CWEs	Common Weakness Enumeration (CWE) identifiers; semicolon separated.

Dependency report

Find licenses in use in third-party dependencies

Last modified 5d ago