Find and fix vulnerable dependencies
org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. Automatic upgrade of vulnerable versions is performed when the fixed version is a minor or patch version bump. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
- groupId: org.openrewrite.recipe
- artifactId: rewrite-java-dependencies
- version: 1.0.9
| Type | Name | Description |
|---|---|---|
| String | scope | Match dependencies with the specified scope. |
| Boolean | overrideManagedVersion | Optional. Set this flag to explicitly override a managed dependency's version. The default is `false`. |
| Boolean | addMarkers | Optional. Report each vulnerability in the search results. When this is off, suggested changes are easier to see. |
A vulnerability report that includes detailed information about the affected artifact and the corresponding CVEs.
| Column Name | Description |
|---|---|
| CVE | The CVE number. |
| Group | The first part of a dependency coordinate `com.google.guava:guava:VERSION`. |
| Artifact | The second part of a dependency coordinate `com.google.guava:guava:VERSION`. |
| Version | The resolved version. |
| Fixed in version | The minimum version that is no longer vulnerable. |
| Fixable with version update only | Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver. |
| Summary | The summary of the CVE. |
| Base score | The calculated base score. |
| Depth | Zero for direct dependencies. |
| CWEs | Common Weakness Enumeration (CWE) identifiers; semicolon separated. |
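The "fixable with version update only" heuristic and the minor/patch auto-upgrade rule described above, shown as an added Python example. This is not the recipe's own code: the report rows, coordinates and CVE ids are constructed placeholders, and the semver parsing is a simplified stand-in that treats anything outside `MAJOR.MINOR[.PATCH]` as not semver, which is the case the heuristic explicitly does not cover.

```python
import re

# Constructed sample rows shaped like the recipe's vulnerability report.
# Coordinates and CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = [
    {"cve": "CVE-PLACEHOLDER-1", "group": "com.example", "artifact": "lib-a",
     "version": "2.3.1", "fixed": "2.3.4", "depth": 0},
    {"cve": "CVE-PLACEHOLDER-2", "group": "com.example", "artifact": "lib-b",
     "version": "1.9.0", "fixed": "1.10.2", "depth": 1},
    {"cve": "CVE-PLACEHOLDER-3", "group": "com.example", "artifact": "lib-c",
     "version": "4.0.0", "fixed": "5.0.0", "depth": 0},
    {"cve": "CVE-PLACEHOLDER-4", "group": "com.example", "artifact": "lib-d",
     "version": "RELEASE120", "fixed": "RELEASE121", "depth": 0},
]

# Simplified semver: MAJOR.MINOR[.PATCH] with an optional pre-release/build
# suffix. Anything else is treated as "not semver" (assumption for this example).
_SEMVER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+][0-9A-Za-z.-]+)?$")


def parse_semver(version):
    """Return (major, minor, patch) or None when the string is not semver-like."""
    m = _SEMVER.match(version)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def bump_kind(current, fixed):
    """Classify the jump from `current` to `fixed`.

    Returns "patch", "minor" or "major" for a strictly newer fixed version,
    "none" when the fixed version is not newer, and None when either string
    is not semver-like (the heuristic cannot be applied).
    """
    cur, fix = parse_semver(current), parse_semver(fixed)
    if cur is None or fix is None:
        return None
    if fix <= cur:
        return "none"
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"


def fixable_with_version_update_only(row):
    """The report column: True when the fix stays within the same major line,
    i.e. the bump is minor or patch and the dependency follows semver."""
    return bump_kind(row["version"], row["fixed"]) in ("minor", "patch")


def plan_upgrades(report):
    """Split report rows into automatic bumps (minor/patch) and rows that need
    a human: major bumps, non-semver versions, or a fixed version that is not
    newer than the resolved one."""
    plan = {"auto": [], "manual": []}
    for row in report:
        kind = bump_kind(row["version"], row["fixed"])
        entry = {
            "cve": row["cve"],
            "coordinate": f'{row["group"]}:{row["artifact"]}:{row["version"]}',
            "fixed": row["fixed"],
            "bump": kind,
            # depth > 0 means the vulnerable artifact is pulled in transitively
            "transitive": row["depth"] > 0,
        }
        bucket = "auto" if kind in ("minor", "patch") else "manual"
        plan[bucket].append(entry)
    return plan


if __name__ == "__main__":
    for bucket, rows in plan_upgrades(SAMPLE_REPORT).items():
        print(bucket)
        for r in rows:
            print(f"  {r['cve']}: {r['coordinate']} -> {r['fixed']} ({r['bump']})")
```

Rows with depth greater than zero are transitive dependencies; the plan marks them so a reviewer knows the version to change is not declared directly in the module. The non-semver row lands in the manual bucket on purpose: the heuristic in the report is only meaningful for artifacts that actually follow semver.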
This recipe has required configuration parameters. Recipes with required configuration parameters cannot be activated directly. To activate this recipe you must create a new recipe which fills in the required parameters. In your rewrite.yml, create a new recipe with a unique name, for example com.yourorg.DependencyVulnerabilityCheckExample. Here's how you can define and customize such a recipe within your rewrite.yml:

```yaml
---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.DependencyVulnerabilityCheckExample
displayName: Find and fix vulnerable dependencies example
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: compile
      overrideManagedVersion: false
      # optional; leave unset (null) or set true/false
      addMarkers: null
```
Now that com.yourorg.DependencyVulnerabilityCheckExample has been defined, activate it and take a dependency on org.openrewrite.recipe:rewrite-java-dependencies:1.0.9 in your build file (Gradle or Maven):
Gradle

1. Add the following to your build.gradle file:

```groovy
plugins {
    id("org.openrewrite.rewrite") version("6.3.11")
}

rewrite {
    activeRecipe("com.yourorg.DependencyVulnerabilityCheckExample")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.0.9")
}
```

2. Run `gradle rewriteRun` to run the recipe.
Maven

1. Add the following to your pom.xml file:

```xml
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.5.2</version>
        <configuration>
          <activeRecipes>
            <recipe>com.yourorg.DependencyVulnerabilityCheckExample</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.0.9</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
```

2. Run `mvn rewrite:run` to run the recipe.
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.