org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
This is a software composition analysis (SCA) tool which detects publicly disclosed vulnerabilities. If vulnerabilities are found, it will generate a report linking to the associated CVE entries. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
Links: GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-java-dependencies
- version: 1.0.1
Type | Name | Description |
---|---|---|
String | scope | Match dependencies with the specified scope. |
Boolean | overrideManagedVersion | Optional. This flag can be set to explicitly override a managed dependency's version. The default for this flag is `false`. |
Boolean | addMarkers | Optional. Report each vulnerability in search results. If this is off, it is easier to see suggested changes. |
Data Tables (Only available on the Moderne platform)
Contains a vulnerability report listing the affected artifact and the vulnerability's CVE information.
Column Name | Description |
---|---|
CVE | The CVE number. |
Group | The first part of a dependency coordinate com.google.guava:guava:VERSION . |
Artifact | The second part of a dependency coordinate com.google.guava:guava:VERSION . |
Version | The resolved version. |
Fixed in version | The minimum version that is no longer vulnerable. |
Fixable with version update only | Whether the vulnerability is likely to be fixed by increasing the dependency version only, with no code modifications required. This is a heuristic which assumes that the dependency is accurately versioned according to semver. |
Summary | The summary of the CVE. |
Base score | The calculated base score. |
Depth | Zero for direct dependencies. |
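As an added illustration (not the recipe's own code) of how the "Fixable with version update only" heuristic and the Depth and Base score columns can drive triage of this data table. It assumes the report is available as rows keyed by the column names above and reads the semver assumption as "a fix within the same major.minor is a patch-only bump"; the CVE ids and coordinates in the sample are constructed placeholders.

```python
import re

# Accepts MAJOR.MINOR[.PATCH] with an optional trailing qualifier (e.g. .Final).
_SEMVER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_semver(version):
    """Return (major, minor, patch) for a semver-like string, else None."""
    m = _SEMVER.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def bump_kind(resolved, fixed_in):
    """Classify the move from the resolved version to the first fixed version as
    'patch', 'minor' or 'major'. Returns None when either side is not semver-like
    or the fix is not newer, because the semver assumption then does not hold."""
    cur, fix = parse_semver(resolved), parse_semver(fixed_in)
    if cur is None or fix is None or fix <= cur:
        return None
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"

def triage(rows):
    """Order rows by Depth (direct dependencies first), then Base score descending,
    and attach the action each finding needs."""
    ordered = sorted(rows, key=lambda r: (r["Depth"], -r["Base score"]))
    result = []
    for r in ordered:
        kind = bump_kind(r["Version"], r["Fixed in version"])
        if kind == "patch":
            action = "patch bump to " + r["Fixed in version"]
        elif kind in ("minor", "major"):
            action = kind + " upgrade: review before bumping"
        else:
            action = "manual review: version not semver"
        result.append((r["CVE"], r["Group"] + ":" + r["Artifact"], action))
    return result

# Constructed sample rows using the data table's column names (placeholder ids).
SAMPLE_REPORT = [
    {"CVE": "CVE-EXAMPLE-1", "Group": "com.example", "Artifact": "lib-a", "Version": "2.3.1", "Fixed in version": "2.3.4", "Base score": 7.5, "Depth": 0},
    {"CVE": "CVE-EXAMPLE-2", "Group": "com.example", "Artifact": "lib-b", "Version": "1.4.0", "Fixed in version": "2.0.0", "Base score": 9.8, "Depth": 1},
    {"CVE": "CVE-EXAMPLE-3", "Group": "com.example", "Artifact": "lib-c", "Version": "5.1.2", "Fixed in version": "5.2.0", "Base score": 5.3, "Depth": 0},
    {"CVE": "CVE-EXAMPLE-4", "Group": "com.example", "Artifact": "lib-d", "Version": "2020-r3", "Fixed in version": "2021-r1", "Base score": 6.1, "Depth": 2},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```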
This recipe has required configuration parameters. Recipes with required configuration parameters cannot be activated directly. To activate this recipe you must create a new recipe which fills in the required parameters. In your `rewrite.yml`, create a new recipe with a unique name, for example `com.yourorg.DependencyVulnerabilityCheckExample`.

Here's how you can define and customize such a recipe within your `rewrite.yml`:
{% code title="rewrite.yml" %}
```yaml
---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.DependencyVulnerabilityCheckExample
displayName: Check for dependency vulnerabilities example
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: compile
      overrideManagedVersion: false
      addMarkers: null
```
{% endcode %}
Now that `com.yourorg.DependencyVulnerabilityCheckExample` has been defined, activate it and take a dependency on `org.openrewrite.recipe:rewrite-java-dependencies:1.0.1` in your build file:
{% tabs %}
{% tab title="Gradle" %}
{% code title="build.gradle" %}
```groovy
plugins {
    id("org.openrewrite.rewrite") version("6.1.4")
}

rewrite {
    activeRecipe("com.yourorg.DependencyVulnerabilityCheckExample")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.0.1")
}
```
{% endcode %}
{% endtab %}

{% tab title="Maven" %}
{% code title="pom.xml" %}
```xml
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.2.4</version>
        <configuration>
          <activeRecipes>
            <recipe>com.yourorg.DependencyVulnerabilityCheckExample</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-dependencies</artifactId>
            <version>1.0.1</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
```
{% endcode %}
{% endtab %}
{% endtabs %}
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.