Disable modules in owasp dependency-check maven plugin

Question

Disable modules in owasp dependency-check maven plugin

3.7k views Asked by Vitalii At 10 August 2020 at 10:43

In my project I use dependency-check-maven to run OWASP verifications. Project contains several java modules and a front end module. Configuration in pom is basic one like this

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>5.3.2</version>
    <configuration>
        <failBuildOnCVSS>4</failBuildOnCVSS>
        <suppressionFiles>
            <suppressionFile>owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <cveUrlBase>...</cveUrlBase>
        <cveUrlModified>...</cveUrlModified>
        <format>ALL</format>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <cveValidForHours>24</cveValidForHours>
    </configuration>
</plugin>

Is it possible to configure the plugin such way that it ignores my front end module but analyses all other ones?

I try to run mvn -Dowasp.dependency-check.excludes=frontend-1.0.1-SNAPSHOT.jar org.owasp:dependency-check-maven:aggregate in the root folder of my project but verification is done in frontend as well

Original Q&A

There are 3 answers

**André** · Answer 1 · 2021-11-30T18:24:02+00:00

I've the same issue to ignore some javascript modules to be analyzed by the dependency check.

As you can see at https://github.com/jeremylong/DependencyCheck/issues/1009 the developers have an open PR to resolve this request.

I've solved this by not building the javascript module:

mvn verify -pl '!frontend'

It's just a workaround to get the results of the dependency-check locally.

Maybe there exists better ideas?

**dspescha** · Answer 2 · 2023-03-13T16:57:31+00:00

dspescha On 13 March 2023 at 16:57

Add the following to each submodule to be excluded:

      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <skip>true</skip>
        </configuration>
      </plugin>

**JCalcines** · Answer 3 · 2024-03-11T15:02:16+00:00

There is not much (or any) documentation about this, but it can be achieved through Maven configuration by adding an exclusion

The format of the exclusion is <exlude>groupId:artefact</exclude> and the following example illustrates how to do it for your case but bear in mind that I don't know your groupId so I used com.example instead

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>9.0.9</version>
    <configuration>
        <!-- Your configuration -->
        <excludes>
          <exclude>com.example:frontend</exclude>
        </excludes>  
    </configuration>
</plugin>

There are some other use cases in this Github issue: https://github.com/jeremylong/DependencyCheck/issues/1009

TechQA.

Disable modules in owasp dependency-check maven plugin

There are 3 answers

Related Questions in OWASP

Related Questions in MAVEN-DEPENDENCY-CHECK-PLUGIN

Popular Questions

Popular Tags

Trending Questions