{"id":9067,"date":"2017-10-25T04:44:01","date_gmt":"2017-10-25T02:44:01","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=9067"},"modified":"2018-09-07T16:26:39","modified_gmt":"2018-09-07T14:26:39","slug":"automatische-ueberpruefung-auf-sicherheitsluecken-im-java-code","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=9067","title":{"rendered":"Automatic checking for security vulnerabilities in Java code based on the international National Vulnerability Database (NVD)"},"content":{"rendered":"<p>Security in Java projects: discovering vulnerabilities in Java code. Reports of known security vulnerabilities can be generated easily. Here is an example report in HTML format:<\/p>\n<p><a href=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27-1024x672.png\" alt=\"\" width=\"525\" height=\"345\" class=\"aligncenter size-large wp-image-9068\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27-1024x672.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27-300x197.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27-768x504.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2017\/10\/Bildschirmfoto-2017-10-24-um-18.45.27.png 1055w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/a><\/p>\n<p>The basis is the National Vulnerability Database (NVD), the vulnerability database maintained by the <a href=\"https:\/\/nvd.nist.gov\/\" rel=\"noopener\" target=\"_blank\">National Institute of Standards and Technology (NIST)<\/a>. 
How can such reports be generated?<\/p>\n<p>Simply add the following plugin, <a href=\"https:\/\/jeremylong.github.io\/DependencyCheck\/index.html\" rel=\"noopener\" target=\"_blank\">DependencyCheck<\/a>, to the &lt;build&gt;&lt;plugins&gt; section of the Maven <strong>pom.xml<\/strong>:<!--more--><\/p>\n<pre class=\"lang:xhtml decode:true \" >\r\n\r\n&lt;!-- https:\/\/jeremylong.github.io\/DependencyCheck\/dependency-check-maven\/index.html --&gt;\r\n&lt;plugin&gt;\r\n    &lt;groupId&gt;org.owasp&lt;\/groupId&gt;\r\n    &lt;artifactId&gt;dependency-check-maven&lt;\/artifactId&gt;\r\n    &lt;version&gt;3.0.1&lt;\/version&gt;\r\n    &lt;executions&gt;\r\n        &lt;execution&gt;\r\n            &lt;goals&gt;\r\n                &lt;goal&gt;check&lt;\/goal&gt;\r\n            &lt;\/goals&gt;\r\n        &lt;\/execution&gt;\r\n    &lt;\/executions&gt;\r\n&lt;\/plugin&gt;\r\n<\/pre>\n<p>Then run <strong>mvn install<\/strong>, or directly <strong>mvn org.owasp:dependency-check-maven:1.4.0:aggregate<\/strong>; here is an excerpt of the output:<\/p>\n<pre class=\"lang:default decode:true \" >[INFO] --- dependency-check-maven:3.0.1:check (default) @ de.wenzlaff.umgebung ---\r\n[INFO] Checking for updates\r\n[INFO] starting getUpdatesNeeded() ...\r\n[INFO] Download Started for NVD CVE - Modified\r\n[INFO] Download Complete for NVD CVE - Modified  (7283 ms)\r\n[INFO] Processing Started for NVD CVE - Modified\r\n[INFO] Processing Complete for NVD CVE - Modified  (5306 ms)\r\n[INFO] Begin database maintenance.\r\n[INFO] End database maintenance.\r\n[INFO] Check for updates complete (18259 ms)\r\n[INFO] Analysis Started\r\n[INFO] Finished Archive Analyzer (0 seconds)\r\n[INFO] Finished File Name Analyzer (0 seconds)\r\n[INFO] Finished Jar Analyzer (0 seconds)\r\n[INFO] Finished Central Analyzer (3 seconds)\r\n[INFO] Finished Dependency Merging Analyzer (0 seconds)\r\n[INFO] 
Finished Version Filter Analyzer (0 seconds)\r\n[INFO] Finished Hint Analyzer (0 seconds)\r\n[INFO] Created CPE Index (1 seconds)\r\n[INFO] Finished CPE Analyzer (1 seconds)\r\n[INFO] Finished False Positive Analyzer (0 seconds)\r\n[INFO] Finished Cpe Suppression Analyzer (0 seconds)\r\n[INFO] Finished NVD CVE Analyzer (0 seconds)\r\n[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)\r\n[INFO] Finished Dependency Bundling Analyzer (0 seconds)\r\n[INFO] Analysis Complete (5 seconds)\r\n[WARNING] \r\n\r\nOne or more dependencies were identified with known vulnerabilities in RestUmgebung:\r\n\r\njackson-dataformat-xml-2.4.4.jar (cpe:\/a:fasterxml:jackson:2.4.4, com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.4.4) : CVE-2016-7051, CVE-2016-3720\r\n\r\nSee the dependency-check report for more details.\r\n\r\n[INFO] \r\n[INFO] --- maven-install-plugin:2.4:install (default-install) @ de.wenzlaff.umgebung ---\r\n[INFO] Installing \/Users\/..\/target\/de.wenzlaff.umgebung-1.0-SNAPSHOT.jar to \/Users\/..\/.m2\/repository\/de\/wenzlaff\/umgebung\/de.wenzlaff.umgebung\/1.0-SNAPSHOT\/de.wenzlaff.umgebung-1.0-SNAPSHOT.jar\r\n[INFO] Installing \/Users\/...\/TWRestUmgebung\/pom.xml to \/Users\/thomaswenzlaff\/.m2\/repository\/de\/wenzlaff\/umgebung\/de.wenzlaff.umgebung\/1.0-SNAPSHOT\/de.wenzlaff.umgebung-1.0-SNAPSHOT.pom\r\n[INFO] ------------------------------------------------------------------------\r\n[INFO] BUILD SUCCESS\r\n[INFO] ------------------------------------------------------------------------\r\n[INFO] Total time: 36.106 s\r\n[INFO] Finished at: 2017-10-24T23:27:58+02:00\r\n[INFO] Final Memory: 34M\/577M\r\n[INFO] ------------------------------------------------------------------------\r\n<\/pre>\n<p>The first run can take a few minutes, because the whole NVD database has to be downloaded into the local .m2 repository. The second run is faster, since only an update is fetched. 
The HTML report (as shown above) is then in the <strong>target<\/strong> directory and can be opened and analysed in a browser.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security in Java projects: discovering vulnerabilities in Java code. Reports of known security vulnerabilities can be generated easily. Here is an example report in HTML format: The basis is the National Vulnerability Database (NVD), the vulnerability database maintained by the National Institute of Standards and Technology (NIST). How can such reports be generated? Simply add the following plugin to the Maven pom.xml &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/blog.wenzlaff.de\/?p=9067\" class=\"more-link\"><span class=\"screen-reader-text\">\u201cAutomatic checking for security vulnerabilities in Java code based on the international National Vulnerability Database (NVD)\u201d <\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","footnotes":""},"categories":[79,1319,2713,2658,7],"tags":[999,3040,3041,1722,2178,66,2099,1261,176],"class_list":["post-9067","post","type-post","status-publish","format-standard","hentry","category-programmierung","category-sicherheit-2","category-statistik","category-test-thema","category-tools","tag-check","tag-dependency","tag-dependency-check","tag-html","tag-java","tag-maven","tag-mvn","tag-report","tag-sicherheit"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/9067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:
\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9067"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/9067\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9067"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}