Fixing Vulnerable Dependencies in Maven Spring Boot projects

Identify the vulnerable libraries

Include the plugin for a local scan (under build > plugins in pom.xml):

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.1.0</version>
  <executions>
    <execution><goals><goal>check</goal></goals></execution>
  </executions>
</plugin>

Run the scan and generate the report (by default the HTML report is written to target/dependency-check-report.html):

mvn dependency-check:check

Compare the result with any external report and verify that the flagged libraries are really dependencies of this project: an external scan is often run over a Docker image, and that image can contain other Java applications whose libraries show up in the same report.

To list the application dependencies, run:

mvn dependency:tree

Updating the libraries

Check your current Spring Boot version and see whether there is a newer release within the same minor version; the current stable versions are listed at https://start.spring.io. Moving to the newer release updates all the versions managed by the Spring Boot parent POM in one step.

After updating, run the scan again.

For the libraries that are still flagged you have to override their specific versions. To find where each version is defined, get the effective POM:

mvn help:effective-pom

It displays the full POM, including everything inherited from the parent POMs (for a Spring Boot project, the versions managed by spring-boot-dependencies).

When the vulnerable dependency's version is inherited from the parent POM, override it by redefining the corresponding property (for example snakeyaml.version) in your own properties section; otherwise, update the version directly in the dependency element.
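The steps above (confirm a finding belongs to this project, locate it in the dependency tree, find the parent property that controls its version, pin the fix) can be automated over captured Maven output. The script below is an added example for this page, not code from the original post or from any Maven tooling. The dependency:tree output, the effective-POM slice and the external findings are constructed samples; the Spring Boot coordinates and property names are only illustrative. It assumes that mvn help:effective-pom prints interpolated versions (so the ${...} reference is gone) and therefore matches a property to a managed dependency heuristically: same value and a name sharing a token with the artifactId.

```python
"""Triage external scan findings against `mvn dependency:tree` and
`mvn help:effective-pom` output. Added example for this page, not part of the
original post or of any Maven tooling; every input below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `mvn dependency:tree` output (not from a real project).
TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.0:compile
[INFO] |  |  \\- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-json:jar:2.7.0:compile
[INFO] |     \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:2.7.0:test
"""

# Constructed slice of `mvn help:effective-pom` (interpolated: managed versions are literals).
EFFECTIVE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><snakeyaml.version>1.30</snakeyaml.version>
    <jackson-bom.version>2.13.3</jackson-bom.version><java.version>17</java.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId><version>1.30</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.13.3</version></dependency>
  </dependencies></dependencyManagement>
</project>
"""

# Constructed external findings (groupId, artifactId, flagged, fixed); log4j-core is not in this project.
FINDINGS = [
    ("org.yaml", "snakeyaml", "1.30", "1.33"),
    ("com.fasterxml.jackson.core", "jackson-databind", "2.13.3", "2.13.4"),
    ("org.apache.logging.log4j", "log4j-core", "2.14.1", "2.17.1"),
]

# tree prefix (|, +-, \-, spaces) then group:artifact:type[:classifier]:version[:scope]
TREE_LINE = re.compile(r"^([|+\\\- ]*)([\w.\-]+(?::[\w.\-]+){3,5})$")
_local = lambda tag: tag.rsplit("}", 1)[-1]   # strip the POM XML namespace


def parse_tree(text):
    """One dict per artifact in dependency:tree output, with its path from the root (3 chars per level)."""
    nodes, stack = [], []
    for raw in text.splitlines():
        m = TREE_LINE.match(raw.replace("[INFO] ", "", 1))
        if not m:
            continue                    # plugin banner, BUILD SUCCESS, blanks
        depth, parts = len(m.group(1)) // 3, m.group(2).split(":")
        group, artifact = parts[0], parts[1]
        version = parts[3] if len(parts) == 4 else parts[-2]
        scope = parts[-1] if len(parts) > 4 else "root"
        stack = stack[:depth] + [f"{group}:{artifact}"]
        nodes.append({"group": group, "artifact": artifact, "version": version,
                      "scope": scope, "path": list(stack)})
    return nodes


def parse_effective_pom(xml_text):
    """Return ({property: value}, {(groupId, artifactId): managed version})."""
    props, managed = {}, {}
    for el in ET.fromstring(xml_text):  # project-level children only
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
        elif _local(el.tag) == "dependencyManagement":
            for dep in el.iter():
                if _local(dep.tag) == "dependency":
                    f = {_local(c.tag): (c.text or "").strip() for c in dep}
                    managed[(f.get("groupId"), f.get("artifactId"))] = f.get("version")
    return props, managed


def suggest_override(props, managed, group, artifact, new_version):
    """Heuristic: the parent property with the managed version's value and a token of the artifactId; else pin."""
    current = managed.get((group, artifact))
    tokens = [t for t in re.split(r"[-.]", artifact) if len(t) >= 4]
    for name, value in props.items():
        if current and value == current and any(t in name for t in tokens):
            return {"kind": "property", "name": name,
                    "snippet": f"<{name}>{new_version}</{name}>"}
    return {"kind": "dependency", "name": None,
            "snippet": f"<dependency><groupId>{group}</groupId><artifactId>{artifact}"
                       f"</artifactId><version>{new_version}</version></dependency>"}


def triage(findings, tree_text, pom_xml):
    """Per finding: present in this tree? via which path? flagged version right? how to pin the fix?"""
    nodes = parse_tree(tree_text)
    props, managed = parse_effective_pom(pom_xml)
    out = []
    for group, artifact, flagged, fixed in findings:
        hits = [n for n in nodes if (n["group"], n["artifact"]) == (group, artifact)]
        row = {"coords": f"{group}:{artifact}", "present": bool(hits)}
        if hits:
            row.update(version=hits[0]["version"], scope=hits[0]["scope"],
                       flagged_matches=hits[0]["version"] == flagged,
                       path=" -> ".join(hits[0]["path"]),
                       fix=suggest_override(props, managed, group, artifact, fixed))
        out.append(row)
    return out
```

Running triage(FINDINGS, TREE, EFFECTIVE_POM) reports snakeyaml and jackson-databind as present (with the starter that pulls each in, and the property to redefine: snakeyaml.version and jackson-bom.version), and log4j-core as absent from this project's tree, which is the signal to look at what else was in the scanned image. When no property matches, the fallback is a direct pin in dependencyManagement; in a real project, replace the three constants with the saved output of the two Maven commands and the list from your scanner.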

Tags java spring
