无法在Maven中获取依赖项检查报告

Question

我试图获取我的一个Maven项目的依赖检查报告，但是每次运行时：

mvn verify

依赖项报告中的

依赖项没有显示易受攻击的JAR。

我在POM中添加了以下插件以生成依赖性检查报告：

 <dependencyManagement>
    <dependencies>
        <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-email</artifactId>
        <version>1.1</version>
    </dependency>
        <dependency>
            <groupId>apache.axis</groupId>
            <artifactId>jaxrpc</artifactId>
            <version>1.2beta</version>
            <scope>provided</scope>
        </dependency>
       <dependencies>
<dependencyManagement>
<build>
  <plugins>
    <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>3.3.2</version>
          <executions>
              <execution>
                  <goals>
                      <goal>check</goal>
                  </goals>
              </execution>
          </executions>
        </plugin>
  </plugins>

我需要纠正什么或还有其他方法？ commons-email-1.1.jar有一些漏洞，但仍未被发现。

这些是Maven日志：

[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with 
nexus-staging-maven-plugin
[INFO]
[INFO]
[INFO] --- maven-clean-plugin:2.6.1:clean (default-clean) @ version-mana - 
 --
[INFO]
[INFO] --- maven-source-plugin:2.4:jar-no-fork (attach-sources) @ version- 
 mana ---
[INFO]
[INFO] --- maven-source-plugin:2.4:test-jar-no-fork (attach-sources) @ 
version-mana ---
[INFO]
[INFO] --- dependency-check-maven:3.3.2:check (default) @ version-mana ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (31 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)

Answer 1

出于兴趣我尝试了它，对我来说它正在起作用：

monitoredRegions

dependency-check-maven告诉我：

<project>
    <modelVersion>4.0.0</modelVersion>
    <groupId>test</groupId>
    <artifactId>test</artifactId>
    <version>1.0</version>

    <dependencies>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-email</artifactId>
            <version>1.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>3.3.3</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

您的依存关系部分看起来如何？例如，如果您为commons-email定义范围测试，则不会显示警告。

Answer 2

假设您有权访问maven存储库（在执行此命令时）并从命令行安装了mvn / mvnw，则可以执行此行。

mvn org.owasp:dependency-check-maven:5.2.2:check

“ dependency-check-report.html”报告将在目标文件夹中生成。