Updated maven-dependency-check-plugin to current version 5.1.0 and failing at a cvss score above 8.9 (h2 should be updated). The dependency-check can be performed using 'mvn dependency-check:check' and is integrated into 'mvn site'.

Wolfram Lutz · Wolfram Lutz · commit b6404e092ab8 · 2019-07-18T10:45:27.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -36,6 +36,13 @@
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
+
+    <maven-dependency-check.version>5.1.0</maven-dependency-check.version>
+    <!-- USING HTML,XML (comma-separated list) did not work with plugin version 5.1.0 -->
+    <maven-dependency-check.format>ALL</maven-dependency-check.format>
+    <maven-dependency-check.failOnError>true</maven-dependency-check.failOnError>
+    <!-- 11 is the default -->
+    <maven-dependency-check.failBuildOnCVSS>8.9</maven-dependency-check.failBuildOnCVSS>
   </properties>
 
   <dependencies>
@@ -112,6 +119,29 @@
           </execution>
         </executions>
       </plugin>
+
+      <!-- see https://jeremylong.github.io/DependencyCheck/summary.html -->
+      <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven -->
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>${maven-dependency-check.version}</version>
+        <configuration>
+          <format>${maven-dependency-check.format}</format>
+          <failOnError>${maven-dependency-check.failOnError}</failOnError>
+          <failBuildOnCVSS>${maven-dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
+          <outputDirectory>target/site</outputDirectory>
+          <!--suppressionFile>${project.basedir}/dependency-check-report_suppressions.xml</suppressionFile-->
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
     </plugins>
   </build>
 
@@ -125,9 +155,10 @@
       </plugin>
 
       <plugin>
+        <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven -->
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>
-        <version>5.0.0-M2</version>
+        <version>${maven-dependency-check.version}</version>
         <reportSets>
           <reportSet>
             <reports>
@@ -136,9 +167,11 @@
           </reportSet>
         </reportSets>
         <configuration>
-          <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
-          <failBuildOnCVSS>8</failBuildOnCVSS>
-          <!-- <suppressionFile>dependency-check-report_suppressions.xml</suppressionFile> -->
+          <format>${maven-dependency-check.format}</format>
+          <failOnError>${maven-dependency-check.failOnError}</failOnError>
+          <failBuildOnCVSS>${maven-dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
+          <outputDirectory>target/site</outputDirectory>
+          <!--suppressionFile>${project.basedir}/dependency-check-report_suppressions.xml</suppressionFile-->
         </configuration>
       </plugin>
     </plugins>
