This closes #767

2016-09-13 17:06:25 +01:00 · 2016-09-13 17:06:25 +01:00 · 509e36eb84
parent e81d101610 1fac2df198
commit 509e36eb84
2 changed files with 58 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -44,4 +44,10 @@ If you are trying to copy the examples somewhere else and modifying them. Consid
    # if trying to modify the 'topic' example:
    cd examples/jms/topic && mvn dependency:list

+### Open Web Application Security Project (OWASP) Report

+If you wish to generate the report for CCV dependencies, you may run it with the -Powasp profile
+
+    $ mvn -Powasp verify
+
+The output will be under ./target/dependency-check-report.html **for each** sub-module.
--- a/pom.xml
+++ b/pom.xml
@ -86,6 +86,7 @@
      <qpid.jms.version>0.11.0</qpid.jms.version>
      <johnzon.version>0.9.5</johnzon.version>
      <json-p.spec.version>1.0-alpha-1</json-p.spec.version>
+      <owasp.version>1.4.3</owasp.version>

      <activemq.version.versionName>${project.version}</activemq.version.versionName>
      <activemq.version.majorVersion>1</activemq.version.majorVersion>
@ -138,6 +139,7 @@
      <activemq.basedir>${project.basedir}</activemq.basedir>
      <skipLicenseCheck>true</skipLicenseCheck>
      <skipStyleCheck>true</skipStyleCheck>
+      <skipOWASP>true</skipOWASP>
      <geronimo.jms.2.spec.version>1.0-alpha-2</geronimo.jms.2.spec.version>

      <javac-compiler-id>javac-with-errorprone</javac-compiler-id>
@ -302,6 +304,19 @@
         </dependency>
         <!-- ### End Build Time Dependencies ### -->

+         <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${owasp.version}</version>
+            <!-- License: Apache 2.0 -->
+         </dependency>
+         <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${owasp.version}</version>
+            <!-- License: Apache 2.0 -->
+         </dependency>
+
         <!-- ### Run Time Dependencies: MUST NOT INCLUDE CAT X LICENSES ###-->
         <dependency>
            <groupId>org.fusesource.hawtbuf</groupId>
@ -608,6 +623,12 @@
            </plugins>
         </build>
      </profile>
+      <profile>
+         <id>owasp</id>
+         <properties>
+            <skipOWASP>false</skipOWASP>
+         </properties>
+      </profile>
      <profile>
         <id>dev</id>
         <modules>
@ -1208,6 +1229,24 @@
            <version>3.0.0</version>
            <extensions>true</extensions>
         </plugin>
+         <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${owasp.version}</version>
+            <configuration>
+                <skip>${skipOWASP}</skip>
+                <!-- <skipProvidedScope>true</skipProvidedScope>
+                <skipRuntimeScope>true</skipRuntimeScope> -->
+            </configuration>
+            <executions>
+               <execution>
+                  <goals>
+                     <goal>check</goal>
+                  </goals>
+               </execution>
+            </executions>
+         </plugin>
+
      </plugins>
   </build>

@ -1269,6 +1308,19 @@
            <artifactId>maven-surefire-report-plugin</artifactId>
            <version>2.14.1</version>
         </plugin>
+         <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${owasp.version}</version>
+            <reportSets>
+               <reportSet>
+                  <reports>
+                     <report>aggregate</report>
+                  </reports>
+               </reportSet>
+            </reportSets>
+         </plugin>
+
      </plugins>
   </reporting>