Find and fix vulnerable dependencies

org.openrewrite.java.dependencies.DependencyVulnerabilityCheck

This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.

Recipe source

GitHub, Issue Tracker, Maven Central

groupId: org.openrewrite.recipe
artifactId: rewrite-java-dependencies
version: 1.13.0

Options

Type Name Description Example

Type	Name	Description	Example
`String`	scope	Optional. Match dependencies with the specified scope. Default is `compile`. Valid options: `compile`, `test`, `runtime`, `provided`	`compile`
`Boolean`	overrideTransitive	Optional. When enabled transitive dependencies with vulnerabilities will have their versions overridden. By default only direct dependencies have their version numbers upgraded.	`false`
`Boolean`	addMarkers	Optional. Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff.

String

scope

Optional. Match dependencies with the specified scope. Default is compile. Valid options: compile, test, runtime, provided

compile

Boolean

overrideTransitive

Optional. When enabled transitive dependencies with vulnerabilities will have their versions overridden. By default only direct dependencies have their version numbers upgraded.

false

Boolean

addMarkers

Optional. Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff.

Data Tables

Vulnerability report

org.openrewrite.java.dependencies.table.VulnerabilityReport

A vulnerability report that includes detailed information about the affected artifact and the corresponding CVEs.

Column Name Description

Column Name	Description
CVE	The CVE number.
Group	The first part of a dependency coordinate `com.google.guava:guava:VERSION`.
Artifact	The second part of a dependency coordinate `com.google.guava:guava:VERSION`.
Version	The resolved version.
Fixed in version	The minimum version that is no longer vulnerable.
Fixable with version update only	Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.
Summary	The summary of the CVE.
Base score	The calculated base score.
Depth	Zero for direct dependencies.
CWEs	Common Weakness Enumeration (CWE) identifiers; semicolon separated.

CVE

The CVE number.

Group

The first part of a dependency coordinate com.google.guava:guava:VERSION.

Artifact

The second part of a dependency coordinate com.google.guava:guava:VERSION.

Version

The resolved version.

Fixed in version

The minimum version that is no longer vulnerable.

Fixable with version update only

Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.

Summary

The summary of the CVE.

Base score

The calculated base score.

Depth

Zero for direct dependencies.

CWEs

Common Weakness Enumeration (CWE) identifiers; semicolon separated.

Source files that had results

org.openrewrite.table.SourcesFileResults

Source files that were modified by the recipe run.

Column Name	Description
Source path before the run	The source path of the file before the run.
Source path after the run	A recipe may modify the source path. This is the path after the run.
Parent of the recipe that made changes	In a hierarchical recipe, the parent of the recipe that made a change. Empty if this is the root of a hierarchy or if the recipe is not hierarchical at all.
Recipe that made changes	The specific recipe that made a change.
Estimated time saving	An estimated effort that a developer to fix manually instead of using this recipe, in unit of seconds.
Cycle	The recipe cycle in which the change was made.

Column Name

Description

Source path before the run

The source path of the file before the run.

Source path after the run

A recipe may modify the source path. This is the path after the run.

Parent of the recipe that made changes

In a hierarchical recipe, the parent of the recipe that made a change. Empty if this is the root of a hierarchy or if the recipe is not hierarchical at all.

Recipe that made changes

The specific recipe that made a change.

Estimated time saving

An estimated effort that a developer to fix manually instead of using this recipe, in unit of seconds.

Cycle

The recipe cycle in which the change was made.

Source files that errored on a recipe

org.openrewrite.table.SourcesFileErrors

The details of all errors produced by a recipe run.

Column Name	Description
Source path	The file that failed to parse.
Recipe that made changes	The specific recipe that made a change.
Stack trace	The stack trace of the failure.

Column Name

Description

Source path

The file that failed to parse.

Recipe that made changes

The specific recipe that made a change.

Stack trace

The stack trace of the failure.

Recipe performance

org.openrewrite.table.RecipeRunStats

Statistics used in analyzing the performance of recipes.

Column Name	Description
The recipe	The recipe whose stats are being measured both individually and cumulatively.
Source file count	The number of source files the recipe ran over.
Source file changed count	The number of source files which were changed in the recipe run. Includes files created, deleted, and edited.
Cumulative scanning time	The total time spent across the scanning phase of this recipe.
99th percentile scanning time	99 out of 100 scans completed in this amount of time.
Max scanning time	The max time scanning any one source file.
Cumulative edit time	The total time spent across the editing phase of this recipe.
99th percentile edit time	99 out of 100 edits completed in this amount of time.
Max edit time	The max time editing any one source file.

Column Name

Description

The recipe

The recipe whose stats are being measured both individually and cumulatively.

Source file count

The number of source files the recipe ran over.

Source file changed count

The number of source files which were changed in the recipe run. Includes files created, deleted, and edited.

Cumulative scanning time

The total time spent across the scanning phase of this recipe.

99th percentile scanning time

99 out of 100 scans completed in this amount of time.

Max scanning time

The max time scanning any one source file.

Cumulative edit time

The total time spent across the editing phase of this recipe.

99th percentile edit time

99 out of 100 edits completed in this amount of time.

Max edit time

The max time editing any one source file.

Usage

This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.13.0 in your build file or by running a shell command (in which case no build changes are needed):

Add the following to your build.gradle file:

build.gradle

plugins {
    id("org.openrewrite.rewrite") version("6.16.4")
}

rewrite {
    activeRecipe("org.openrewrite.java.dependencies.DependencyVulnerabilityCheck")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.13.0")
}

Run gradle rewriteRun to run the recipe.

Create a file named init.gradle in the root of your project.

init.gradle

initscript {
    repositories {
        maven { url "https://plugins.gradle.org/m2" }
    }
    dependencies { classpath("org.openrewrite:plugin:6.16.4") }
}
rootProject {
    plugins.apply(org.openrewrite.gradle.RewritePlugin)
    dependencies {
        rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.13.0")
    }
    rewrite {
        activeRecipe("org.openrewrite.java.dependencies.DependencyVulnerabilityCheck")
    }
    afterEvaluate {
        if (repositories.isEmpty()) {
            repositories {
                mavenCentral()
            }
        }
    }
}

Run gradle --init-script init.gradle rewriteRun to run the recipe.

Add the following to your pom.xml file:

pom.xml

<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.36.0</version>
        <configuration>
          <exportDatatables>true</exportDatatables>
          <activeRecipes>
            <recipe>org.openrewrite.java.dependencies.DependencyVulnerabilityCheck</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.13.0</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>

Run mvn rewrite:run to run the recipe.

You will need to have Maven installed on your machine before you can run the following command.

shell

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-dependencies:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.dependencies.DependencyVulnerabilityCheck -Drewrite.exportDatatables=true

You will need to have configured the Moderne CLI on your machine before you can run the following command.

shell

mod run . --recipe DependencyVulnerabilityCheck

See how this recipe works across multiple open-source repositories

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.

PreviousDependency resolution diagnostic NextFind licenses in use in third-party dependencies

Last updated 9 days ago