Maven: Unterschied zwischen den Versionen
Jochen (Diskussion | Beiträge) |
Jochen (Diskussion | Beiträge) |
| Zeile 15: | Zeile 15: | ||
[https://github.com/CycloneDX/cyclonedx-maven-plugin OWASP Dependency Track - CycloneDX Plugin] | [https://github.com/CycloneDX/cyclonedx-maven-plugin OWASP Dependency Track - CycloneDX Plugin] | ||
===== Multi-Module Build ===== | |||
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
| Zeile 88: | Zeile 90: | ||
* [https://owasp.org/www-project-dependency-check/ OWASP Dependency Check] | * [https://owasp.org/www-project-dependency-check/ OWASP Dependency Check] | ||
==== Multi-Module Build ==== | |||
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
| Zeile 123: | Zeile 127: | ||
* [https://sonatype.github.io/ossindex-maven/maven-plugin/ Sonatype OSS Index] | * [https://sonatype.github.io/ossindex-maven/maven-plugin/ Sonatype OSS Index] | ||
==== Multi-Module Build ==== | |||
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
Version vom 28. Juli 2020, 10:38 Uhr
Plugins
Security
OWASP Dependency Track
CycloneDX Plugin
OWASP Dependency Track - CycloneDX Plugin
Multi-Module Build
<!-- ++++++++++ [OWASP Dependency Track - CycloneDX Plugin] ++++++++++ -->
<!-- Generates a CycloneDX software bill of materials (SBOM) for the whole multi-module build.
     The aggregate goal is bound to 'verify', so the BOM exists before the upload plugin
     (declared further down, same phase) sends it to Dependency-Track. -->
<!-- CLI: mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom -->
<!-- CLI: mvn cyclonedx:makeBom -->
<!-- CLI: mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -->
<!-- CLI: mvn cyclonedx:makeAggregateBom -->
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <!-- Pinned plugin version: keep it explicit so the SBOM generator itself is reproducible. -->
  <version>1.6.4</version>
  <executions>
    <execution>
      <phase>verify</phase>
      <goals>
        <!-- One BOM covering the aggregator and all of its modules. -->
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- CycloneDX schema version the BOM is written in. -->
    <schemaVersion>1.1</schemaVersion>
    <!-- A serial number makes every generated BOM individually identifiable. -->
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <!-- Scopes that end up in the BOM: everything that is shipped or present at runtime ... -->
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeSystemScope>true</includeSystemScope>
    <!-- ... but not test-only dependencies. Vulnerabilities in test libraries are therefore
         not tracked in Dependency-Track; set to true if they should be. -->
    <includeTestScope>false</includeTestScope>
    <!-- Full license texts are embedded, which makes the BOM considerably larger. -->
    <includeLicenseText>true</includeLicenseText>
    <includeDependencyGraph>true</includeDependencyGraph>
  </configuration>
  <!-- Not inherited: runs only in the module that declares it (the aggregator root), not in every child module. -->
  <inherited>false</inherited>
</plugin>
Upload Plugin
<!-- ++++++++++ [OWASP Dependency Track - Upload Plugin] ++++++++++ -->
<!-- Uploads the BOM generated by the cyclonedx-maven-plugin to a Dependency-Track server. -->
<!-- Caution: The dependency-track-maven-plugin must be specified after the cyclonedx-maven-plugin,
     because both plugins are processed in the phase 'verify'. -->
<!-- CLI: mvn dependency-track:upload-bom -->
<plugin>
  <groupId>io.github.pmckeown</groupId>
  <artifactId>dependency-track-maven-plugin</artifactId>
  <version>0.8.1</version>
  <executions>
    <execution>
      <!-- Same phase as the BOM generation; plugins bound to the same phase run in POM order,
           hence the ordering caution above. -->
      <phase>verify</phase>
      <goals>
        <goal>upload-bom</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- Placeholder. Use an https:// URL: the API key below accompanies every upload request,
         and over plain http it is readable to anyone on the network path to the server. -->
    <dependencyTrackBaseUrl>http://...</dependencyTrackBaseUrl>
    <!-- Never write the key itself into the POM (it would end up in version control). Provide the
         property from ~/.m2/settings.xml or from the CI system's secret store. -->
    <apiKey>${dependencytrack.apikey}</apiKey>
  </configuration>
  <!-- Not inherited: the upload happens once from the aggregator root, not per child module. -->
  <inherited>false</inherited>
</plugin>
OWASP Dependency Check
Multi-Module Build
<!-- ++++++++++ [OWASP Dependency Check Plugin] ++++++++++ -->
<!-- Checks the resolved dependencies of all modules against published vulnerability data (NVD). -->
<!-- CLI: mvn org.owasp:dependency-check-maven:check -->
<!-- CLI: mvn dependency-check:check -->
<!-- CLI: mvn org.owasp:dependency-check-maven:aggregate -->
<!-- CLI: mvn dependency-check:aggregate -->
<!-- Caution: This plugin configuration (aggregated and non-inherited) requires that the project has been installed
     (mvn install) at least once. Otherwise the OWASP Dependency Check creates a virtual dependency tree. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.3.2</version>
  <configuration>
    <!-- Analyze provided and runtime scope as well, not only compile scope. -->
    <skipProvidedScope>false</skipProvidedScope>
    <skipRuntimeScope>false</skipRuntimeScope>
    <!-- RetireJS analyzer is switched off: JavaScript libraries bundled inside the artifacts are not checked.
         Re-enable it if the modules package web assets. -->
    <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
    <!-- NOTE(review): no failure threshold (failBuildOnCVSS) is configured, so findings are only reported
         and never break the build - confirm that this is intended. -->
  </configuration>
  <executions>
    <execution>
      <!-- No explicit <phase>: the goal's default phase binding applies. -->
      <goals>
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
  <!-- Not inherited: one aggregated report from the root module instead of one per child module. -->
  <inherited>false</inherited>
</plugin>
Sonatype OSS Index
Multi-Module Build
<!-- ++++++++++ [Sonatype OSS Index Plugin] ++++++++++ -->
<!-- Audits the resolved dependencies of all modules against the Sonatype OSS Index vulnerability service. -->
<!-- CLI: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -->
<!-- CLI: mvn ossindex:audit -->
<!-- CLI: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate -->
<!-- CLI: mvn ossindex:audit-aggregate -->
<!-- Caution: This plugin configuration (aggregated and non-inherited) requires that the project has been installed
     (mvn install) at least once. Otherwise the OWASP Dependency Check creates a virtual dependency tree. -->
<!-- NOTE(review): the caution above was copied from the Dependency Check section; whether the
     ossindex-maven-plugin behaves the same way without an installed project is not confirmed here. -->
<plugin>
  <groupId>org.sonatype.ossindex.maven</groupId>
  <artifactId>ossindex-maven-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <id>audit-dependencies</id>
      <!-- Runs in 'validate', i.e. before anything is compiled or packaged. -->
      <phase>validate</phase>
      <goals>
        <goal>audit-aggregate</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- Findings are reported only; the build never fails because of a vulnerable dependency.
         Set to true (together with a maintained exclusion list) to make the audit a real gate. -->
    <fail>false</fail>
    <!-- Coordinates listed here are skipped by the audit and do not appear in its findings
         (presumably only the exact version given - verify against the plugin documentation). -->
    <excludeCoordinates>
      <exclude>
        <!-- TODO: record why this artifact is excluded and when the exclusion can be removed. -->
        <groupId>de.servicetrace.gxt</groupId>
        <artifactId>inspinia</artifactId>
        <version>1.1.0</version>
      </exclude>
    </excludeCoordinates>
  </configuration>
  <!-- Not inherited: one aggregated audit from the root module instead of one per child module. -->
  <inherited>false</inherited>
</plugin>