Common Misconfigurations
- Using outdated versions with known CVEs
- Not regularly updating dependencies
- Ignoring security warnings from dependency scanners
- Using dependencies without checking their security history
- Not implementing a dependency update policy
Vulnerable Example
<!-- pom.xml with vulnerable dependencies -->
<dependencies>
    <!-- Log4j vulnerability (CVE-2021-44228) -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.1</version> <!-- Vulnerable version -->
    </dependency>
    <!-- Spring Framework vulnerability (CVE-2022-22965) -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.17</version> <!-- Vulnerable version -->
    </dependency>
    <!-- Jackson Databind vulnerability -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10</version> <!-- Multiple CVEs -->
    </dependency>
</dependencies>
Secure Solution
<!-- pom.xml with patched dependencies -->
<dependencies>
    <!-- Updated Log4j to secure version -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.21.1</version> <!-- Secure version -->
    </dependency>
    <!-- Updated Spring Framework -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.1.2</version> <!-- Secure version -->
    </dependency>
    <!-- Updated Jackson Databind -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.16.1</version> <!-- Secure version -->
    </dependency>
</dependencies>
<!-- Add dependency management for version control -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>3.2.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
Key Commands for Updating
These commands help you identify and manage your project’s dependencies. Many require the Versions Maven Plugin.
1. Check for Dependency Updates
This is the most useful command. It scans your pom.xml and compares your versions to the latest available ones in the remote repositories.
mvn versions:display-dependency-updates
2. View the Dependency Tree
This command prints the complete tree of all dependencies, including transitive dependencies (dependencies of your dependencies). It’s essential for finding where a vulnerable package is being introduced.
mvn dependency:tree
To find a specific package in the tree, you can filter it:
# Example: Find where log4j-core is coming from
mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
3. Automatically Update the POM
The Versions plugin can also modify your pom.xml file to use the latest versions.
# Updates to the latest non-breaking release
mvn versions:use-latest-releases
# Updates to the absolute latest version (can include breaking changes)
mvn versions:use-latest-versions
Warning: Use these commands with caution. Automatically updating to new major versions can break your code. It’s often safer to run display-dependency-updates and update the versions manually.
4. Run an OWASP Security Scan
This command runs the OWASP Dependency Check plugin, which scans your dependencies and generates a report of all known CVEs.
mvn org.owasp:dependency-check-maven:check
Note: You may need to configure this plugin in your pom.xml’s <build> section first for more advanced usage.
5. Analyze Dependencies
This command checks for dependencies that are declared in your pom.xml but not actually used, and vice versa (used but undeclared, i.e. pulled in only transitively). This helps keep your pom.xml clean.
mvn dependency:analyze
Best Practices
- Use tools like OWASP Dependency Check or Snyk.
- Configure automated dependency updates with Dependabot.
- Regularly audit dependencies using mvn dependency:tree.
- Implement security scanning in CI/CD pipeline.
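As an added example (not code from this page or the CodePure guide), the script below turns the Vulnerable/Secure comparison above and the "security scanning in CI/CD" practice into a runnable pre-build gate: it parses a pom.xml and fails on any dependency declared below an assumed minimum-version table, comparing versions numerically rather than as strings. Python is assumed as the scripting language; the policy floor and the sample pom are constructed from the versions this page lists.

```python
"""CI gate: fail the build when pom.xml declares a dependency below a policy floor.
Added example, not from the original page; the floor is the page's "Secure Solution"."""
import re
import xml.etree.ElementTree as ET

MIN_VERSIONS = {  # minimum acceptable version per groupId:artifactId (assumed policy)
    "org.apache.logging.log4j:log4j-core": "2.21.1",
    "org.springframework:spring-webmvc": "6.1.2",
    "com.fasterxml.jackson.core:jackson-databind": "2.16.1",
}
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def parse_version(v):
    """'2.9.10' -> (2, 9, 10). Compare numerically: as strings '2.9.10' > '2.16.1'
    and the vulnerable Jackson would pass. Non-numeric qualifiers count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))

def declared_dependencies(pom_xml):
    """Yield (groupId:artifactId, version or None) for each direct <dependency>;
    <dependencyManagement> entries are skipped: they set defaults, add nothing."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""  # with or without xmlns
    for dep in root.iterfind(f"./{ns}dependencies/{ns}dependency"):
        coord = f"{dep.findtext(ns + 'groupId')}:{dep.findtext(ns + 'artifactId')}"
        yield coord, dep.findtext(ns + "version")

def check_pom(pom_xml):
    """Return a list of findings; an empty list means the gate passes."""
    findings = []
    for coord, version in declared_dependencies(pom_xml):
        floor = MIN_VERSIONS.get(coord)
        if floor is None:
            continue
        if version is None or version.startswith("${"):
            # Inherited from dependencyManagement or a property: the effective
            # version is not visible here; resolve it with mvn dependency:tree.
            findings.append(f"{coord}: version not pinned in pom ({version})")
        elif parse_version(version) < parse_version(floor):
            findings.append(f"{coord}: {version} is below minimum {floor}")
    return findings

# Constructed sample input: the page's vulnerable coordinates, Spring left unpinned.
VULNERABLE_POM = """<project><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  <dependency><groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId><version>2.9.10</version></dependency>
  <dependency><groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId></dependency>
</dependencies></project>"""
```

Run check_pom on the real pom.xml in CI and fail the job when the list is non-empty; an unpinned finding means the effective version has to be confirmed with mvn dependency:tree, not assumed safe.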