Find and fix vulnerable dependencies

org.openrewrite.java.dependencies.DependencyVulnerabilityCheck

This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.

Recipe source

GitHub, Issue Tracker, Maven Central

groupId: org.openrewrite.recipe
artifactId: rewrite-java-dependencies
version: 1.6.0

Options

Type Name Description Example

Type	Name	Description	Example
`String`	scope	Optional. Match dependencies with the specified scope. Default is `compile`. Valid options: `compile`, `test`, `runtime`, `provided`	`compile`
`Boolean`	overrideTransitive	Optional. When enabled transitive dependencies with vulnerabilities will have their versions overridden. By default only direct dependencies have their version numbers upgraded.	`false`
`Boolean`	addMarkers	Optional. Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff.

String

scope

Optional. Match dependencies with the specified scope. Default is compile. Valid options: compile, test, runtime, provided

compile

Boolean

overrideTransitive

Optional. When enabled transitive dependencies with vulnerabilities will have their versions overridden. By default only direct dependencies have their version numbers upgraded.

false

Boolean

addMarkers

Optional. Report each vulnerability as search result markers. When enabled you can see which dependencies are bringing in vulnerable transitives in the diff view. By default these markers are omitted, making it easier to see version upgrades within the diff.

Data Tables (Only available on the Moderne platform)

Vulnerability report

A vulnerability report that includes detailed information about the affected artifact and the corresponding CVEs.

Column Name Description

Column Name	Description
CVE	The CVE number.
Group	The first part of a dependency coordinate `com.google.guava:guava:VERSION`.
Artifact	The second part of a dependency coordinate `com.google.guava:guava:VERSION`.
Version	The resolved version.
Fixed in version	The minimum version that is no longer vulnerable.
Fixable with version update only	Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.
Summary	The summary of the CVE.
Base score	The calculated base score.
Depth	Zero for direct dependencies.
CWEs	Common Weakness Enumeration (CWE) identifiers; semicolon separated.

CVE

The CVE number.

Group

The first part of a dependency coordinate com.google.guava:guava:VERSION.

Artifact

The second part of a dependency coordinate com.google.guava:guava:VERSION.

Version

The resolved version.

Fixed in version

The minimum version that is no longer vulnerable.

Fixable with version update only

Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver.

Summary

The summary of the CVE.

Base score

The calculated base score.

Depth

Zero for direct dependencies.

CWEs

Common Weakness Enumeration (CWE) identifiers; semicolon separated.

Usage

This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.6.0 in your build file or by running a shell command (in which case no build changes are needed):

Add the following to your build.gradle file:

build.gradle

plugins {
    id("org.openrewrite.rewrite") version("6.11.2")
}

rewrite {
    activeRecipe("org.openrewrite.java.dependencies.DependencyVulnerabilityCheck")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.6.0")
}

Run gradle rewriteRun to run the recipe.

Create a file named init.gradle in the root of your project.

init.gradle

initscript {
    repositories {
        maven { url "https://plugins.gradle.org/m2" }
    }
    dependencies { classpath("org.openrewrite:plugin:6.11.2") }
}
rootProject {
    plugins.apply(org.openrewrite.gradle.RewritePlugin)
    dependencies {
        rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.6.0")
    }
    rewrite {
        activeRecipe("org.openrewrite.java.dependencies.DependencyVulnerabilityCheck")
    }
    afterEvaluate {
        if (repositories.isEmpty()) {
            repositories {
                mavenCentral()
            }
        }
    }
}

Run gradle --init-script init.gradle rewriteRun to run the recipe.

Add the following to your pom.xml file:

pom.xml

<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.27.0</version>
        <configuration>
          <activeRecipes>
            <recipe>org.openrewrite.java.dependencies.DependencyVulnerabilityCheck</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.6.0</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>

Run mvn rewrite:run to run the recipe.

shell

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-dependencies:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.dependencies.DependencyVulnerabilityCheck

You will need to have configured the Moderne CLI on your machine before you can run the following command.

shell

mod run . --recipe DependencyVulnerabilityCheck

See how this recipe works across multiple open-source repositories

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.

PreviousDependency resolution diagnostic NextFind licenses in use in third-party dependencies

Last updated 18 days ago