Maven
Version vom 28. Juli 2020, 10:38 Uhr von Jochen (Diskussion | Beiträge)
Plugins
Security
OWASP Dependency Track
CycloneDX Plugin
OWASP Dependency Track - CycloneDX Plugin
Multi-Module Build
<!-- ++++++++++ [OWASP Dependency Track - CycloneDX Plugin] ++++++++++ -->
<!-- CLI: mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom -->
<!-- CLI: mvn cyclonedx:makeBom -->
<!-- CLI: mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -->
<!-- CLI: mvn cyclonedx:makeAggregateBom -->
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>1.6.4</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
<configuration>
<schemaVersion>1.1</schemaVersion>
<includeBomSerialNumber>true</includeBomSerialNumber>
<includeCompileScope>true</includeCompileScope>
<includeProvidedScope>true</includeProvidedScope>
<includeRuntimeScope>true</includeRuntimeScope>
<includeSystemScope>true</includeSystemScope>
<includeTestScope>false</includeTestScope>
<includeLicenseText>true</includeLicenseText>
<includeDependencyGraph>true</includeDependencyGraph>
</configuration>
<inherited>false</inherited>
</plugin>
Upload Plugin
<!-- ++++++++++ [OWASP Dependency Track - Upload Plugin] ++++++++++ -->
<!-- Caution: The dependency-track-maven-plugin must be specified after the cyclonedx-maven-plugin.
Because both plugins are processed in the phase 'verify'. -->
<!-- CLI: mvn dependency-track:upload-bom -->
<plugin>
<groupId>io.github.pmckeown</groupId>
<artifactId>dependency-track-maven-plugin</artifactId>
<version>0.8.1</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>upload-bom</goal>
</goals>
</execution>
</executions>
<configuration>
<dependencyTrackBaseUrl>http://...</dependencyTrackBaseUrl>
<apiKey>${dependencytrack.apikey}</apiKey>
</configuration>
<inherited>false</inherited>
</plugin>
OWASP Dependency Check
Multi-Module Build
<!-- ++++++++++ [OWASP Dependency Check Plugin] ++++++++++ -->
<!-- CLI: mvn org.owasp:dependency-check-maven:check -->
<!-- CLI: mvn dependency-check:check -->
<!-- CLI: mvn org.owasp:dependency-check-maven:aggregate -->
<!-- CLI: dependency-check:aggregate -->
<!-- Caution: This plugin configuration (aggregated and non-inherited) requires, that the project have been installed -->
<!-- (mvn install) at least once. Otherwise the OWASP Dependency Check creates a virtual dependency tree. -->
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<skipProvidedScope>false</skipProvidedScope>
<skipRuntimeScope>false</skipRuntimeScope>
<retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
</configuration>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
<inherited>false</inherited>
</plugin>
Sonatype OSS Index
Multi-Module Build
<!-- ++++++++++ [Sonatype OSS Index Plugin] ++++++++++ -->
<!-- CLI: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -->
<!-- CLI: mvn ossindex:audit -->
<!-- CLI: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate -->
<!-- CLI: mvn ossindex:audit-aggregate -->
<!-- Caution: This plugin configuration (aggregated and non-inherited) requires, that the project have been installed -->
<!-- (mvn install) at least once. Otherwise the OWASP Dependency Check creates a virtual dependency tree. -->
<plugin>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<id>audit-dependencies</id>
<phase>validate</phase>
<goals>
<goal>audit-aggregate</goal>
</goals>
</execution>
</executions>
<configuration>
<fail>false</fail>
<excludeCoordinates>
<exclude>
<groupId>de.servicetrace.gxt</groupId>
<artifactId>inspinia</artifactId>
<version>1.1.0</version>
</exclude>
</excludeCoordinates>
</configuration>
<inherited>false</inherited>
</plugin>