猿问

回到首页 个人中心 反馈问题 注册登录
下载APP
首页 课程 实战 体系课 手记 专栏 慕课教程

无法在 Maven 中获得依赖项检查报告

我正在尝试获取我的 Maven 项目之一的依赖项检查报告,但每次运行时:


mvn verify

依赖关系报告中的依赖关系显示没有易受攻击的 JAR。


我在 POM 中添加了以下插件以生成依赖项检查报告:


 <dependencyManagement>

    <dependencies>

        <dependency>

        <groupId>org.apache.commons</groupId>

        <artifactId>commons-email</artifactId>

        <version>1.1</version>

    </dependency>

        <dependency>

            <groupId>apache.axis</groupId>

            <artifactId>jaxrpc</artifactId>

            <version>1.2beta</version>

            <scope>provided</scope>

        </dependency>

       <dependencies>

<dependencyManagement>

<build>

  <plugins>

    <plugin>

          <groupId>org.owasp</groupId>

          <artifactId>dependency-check-maven</artifactId>

          <version>3.3.2</version>

          <executions>

              <execution>

                  <goals>

                      <goal>check</goal>

                  </goals>

              </execution>

          </executions>

        </plugin>

  </plugins>

我需要纠正什么或有其他方法吗?commons-email-1.1.jar有一些漏洞,但仍然没有被检测到。


这些是 Maven 日志:


[INFO] Scanning for projects...

[INFO] Inspecting build with total of 1 modules...

[INFO] Installing Nexus Staging features:

[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with 

nexus-staging-maven-plugin

[INFO]

[INFO]

[INFO] --- maven-clean-plugin:2.6.1:clean (default-clean) @ version-mana - 

 --

[INFO]

[INFO] --- maven-source-plugin:2.4:jar-no-fork (attach-sources) @ version- 

 mana ---

[INFO]

[INFO] --- maven-source-plugin:2.4:test-jar-no-fork (attach-sources) @ 

version-mana ---

[INFO]


慕码人8056858
浏览 254回答 2
2回答

摇曳的蔷薇

如果您有权访问 maven 存储库(在执行此命令时)并安装了 mvn/mvnw ,则可以从命令行执行此行。mvn&nbsp;org.owasp:dependency-check-maven:5.2.2:check“dependency-check-report.html”报告将在目标文件夹中生成。
0

慕的地10843

出于兴趣,我尝试了它,对我来说它正在工作:<project>&nbsp; &nbsp; <modelVersion>4.0.0</modelVersion>&nbsp; &nbsp; <groupId>test</groupId>&nbsp; &nbsp; <artifactId>test</artifactId>&nbsp; &nbsp; <version>1.0</version>&nbsp; &nbsp; <dependencies>&nbsp; &nbsp; &nbsp; &nbsp; <dependency>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <groupId>org.apache.commons</groupId>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <artifactId>commons-email</artifactId>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <version>1.1</version>&nbsp; &nbsp; &nbsp; &nbsp; </dependency>&nbsp; &nbsp; </dependencies>&nbsp; &nbsp; <build>&nbsp; &nbsp; &nbsp; &nbsp; <plugins>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <plugin>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <groupId>org.owasp</groupId>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <artifactId>dependency-check-maven</artifactId>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <version>3.3.3</version>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <executions>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <execution>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <goals>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <goal>check</goal>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </goals>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </execution>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </executions>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </plugin>&nbsp; &nbsp; &nbsp; &nbsp; </plugins>&nbsp; &nbsp; </build></project>依赖检查 Maven 告诉我:[INFO] Analysis Complete (1 seconds)[WARNING]&nbsp;One or more dependencies were identified with known vulnerabilities in test:commons-email-1.1.jar (org.apache.commons:commons-email:1.1, cpe:/a:apache:commons_email:1.1) : CVE-2017-9801, CVE-2018-1294See the dependency-check report for more details.您的依赖项部分看起来如何?例如,如果您为 commons-email 定义范围测试,则不会显示警告
0
打开App,查看更多内容
随时随地看视频慕课网APP

相关分类

Java