[OWASP-Security101] Getting a list of high risk CVE from my local Maven repository

Richard Kolb rjdkolb at gmail.com
Wed Nov 18 15:57:00 UTC 2015


Hi Jim,

Thanks, I have been using the Maven plugin for quite a while.
It's great for a single project. :)

I've tried my hand at Jeremy Long's Engine
<https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java>
that can traverse my local file system.

I can potentially use a web crawler to download the entire Maven repo and
then parse it on my local file system. Ugly, but it could work.

regards,
Richard.

On 18 Nov 2015 17:39, "Jim Manico" <jim.manico at owasp.org> wrote:

> Try this project
>
> https://www.owasp.org/index.php/OWASP_Dependency_Check
>
> On 11/18/15 2:56 AM, Richard Kolb wrote:
>
>> Hello,
>>
>> I know there has been a lot of research on the Java libraries with common
>> vulnerabilities in Maven Central.
>>
>> My company has a private Nexus repository where only manually selected ones are
>> uploaded.
>>
>> My question is, can I get a list of dependencies in my company's Nexus that
>> are vulnerable to high risk common vulnerabilities?
>>
>> Perhaps this can be done using the Nexus Maven repository index?
>>
>> When I have a list, we can manually delete the older libraries and reduce
>> the possible attack surface of our company. Invaluable!
>>
>> thanks,
>> Richard.
>> _______________________________________________
>> Security101 mailing list
>> Security101 at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/security101
>> List Run By OWASP
>> List Admin: Michael.Coates at owasp.org
>>
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
>
>
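The "parse it on my local file system" approach from this thread, as an added example that is neither Richard's code nor part of the Dependency-Check project: it walks a Maven-layout tree (as mirrored from Nexus or found in ~/.m2), recovers groupId:artifactId:version from the directory layout, and reports artifacts that match an advisory with a High CVSS score. The advisory table is constructed placeholder data, not real CVE data; in practice it would come from a Dependency-Check report or an advisory feed.

```python
"""List high-risk artifacts in a local Maven-layout repository.
Added example; the ADVISORIES table is constructed sample data."""
import tempfile
from pathlib import Path

# Constructed sample advisories: (groupId, artifactId) -> (affected versions, CVSS score).
# Placeholder values only; substitute a real advisory source in practice.
ADVISORIES = {
    ("org.example", "libfoo"): ({"1.0", "1.1"}, 9.8),
    ("org.example", "libbar"): ({"2.0"}, 4.3),
}

def list_artifacts(root):
    """Return sorted (groupId, artifactId, version, path) for every .jar laid out as
    <group/as/dirs>/<artifactId>/<version>/<artifactId>-<version>.jar under root."""
    root = Path(root)
    found = []
    for jar in root.rglob("*.jar"):
        if len(jar.relative_to(root).parts) < 4:  # too shallow for group/artifact/version
            continue
        version_dir, artifact_dir = jar.parent, jar.parent.parent
        group_dirs = artifact_dir.parent.relative_to(root).parts
        artifact_id, version = artifact_dir.name, version_dir.name
        # Skip classifier jars (-sources, -javadoc) and anything not matching the layout.
        if jar.name != f"{artifact_id}-{version}.jar":
            continue
        found.append((".".join(group_dirs), artifact_id, version, str(jar)))
    return sorted(found)

def high_risk(artifacts, advisories=ADVISORIES, threshold=7.0):
    """Return (groupId, artifactId, version, score) for artifacts whose version is
    listed in an advisory scoring >= threshold (7.0 is the CVSS 'High' boundary)."""
    hits = []
    for group, artifact, version, _path in artifacts:
        entry = advisories.get((group, artifact))
        if entry and version in entry[0] and entry[1] >= threshold:
            hits.append((group, artifact, version, entry[1]))
    return hits

def build_sample_repo():
    """Create a throwaway repo tree with empty jars so the example runs offline."""
    root = tempfile.mkdtemp()
    for group, artifact, version in [("org/example", "libfoo", "1.0"),
                                     ("org/example", "libfoo", "1.2"),
                                     ("org/example", "libbar", "2.0")]:
        d = Path(root, group, artifact, version)
        d.mkdir(parents=True)
        (d / f"{artifact}-{version}.jar").touch()
        (d / f"{artifact}-{version}-sources.jar").touch()  # classifier jar, ignored
    return root

if __name__ == "__main__":
    for hit in high_risk(list_artifacts(build_sample_repo())):
        print("HIGH RISK: %s:%s:%s (CVSS %.1f)" % hit)
```

Pointing list_artifacts at a Nexus storage directory gives the inventory; only libfoo 1.0 is reported here because libbar 2.0 scores below the High threshold and libfoo 1.2 is not in an affected range.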
