Enforcer Rules
Apache Maven Enforcer Rules for Sonatype OSS Index
Audit a project's dependencies against Sonatype OSS Index from the Apache Maven Enforcer Plugin, so that a build can be failed (or warned) when a dependency has known vulnerabilities.
Requirements
- Java 7+ (version 10 is NOT supported)
- Apache Maven 3.1+
- Apache Maven Enforcer Plugin 3+
Dependency
```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-enforcer-rules</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```
Ban Vulnerable Dependencies
To ban vulnerable dependencies from being consumed by builds:
```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <dependencies>
        <dependency>
          <groupId>org.sonatype.ossindex.maven</groupId>
          <artifactId>ossindex-maven-enforcer-rules</artifactId>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <id>vulnerability-checks</id>
          <phase>validate</phase>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies"/>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```
Parameters
| Parameter | Type | Description | Default Value |
|---|---|---|---|
| scope | String | Limit the scope of dependency resolution. | |
| transitive | Boolean | Include transitive dependencies. | true |
| cvssScoreThreshold | Float | CVSS-score threshold. Vulnerabilities with a lower score are excluded from matching. | 0.0 |
| excludeCoordinates | Set of MavenCoordinates | Set of coordinates to exclude from vulnerability matching. | |
| excludeVulnerabilityIds | Set of String | Set of vulnerability identifiers to exclude from matching. | |
| level | String | Controls whether a matching vulnerability fails the build (ERROR) or only prints a warning (WARN). | ERROR |
| clientConfiguration | OssindexClientConfiguration | Client configuration. | |
| authId | String | Set client authentication from a Maven settings `<server>` entry with this id. | |
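The following plugin configuration is an added example (not from the project's own documentation) that combines the parameters above in one rule. The element names `scope`, `transitive`, `cvssScoreThreshold`, `excludeVulnerabilityIds`, `excludeCoordinates`, `level` and `authId` come from the table; it is assumed that `scope` takes a standard Maven scope name, that each entry of a set is written as a nested `<exclude>` element, and that a MavenCoordinates entry is spelled out with `groupId`/`artifactId`/`version` children. The coordinate and vulnerability id are constructed placeholders.

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-enforcer-rules</artifactId>
    </dependency>
  </dependencies>
  <executions>
    <execution>
      <id>vulnerability-checks</id>
      <phase>validate</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
            <!-- Resolve only what ships on the runtime classpath; test-only artifacts are skipped.
                 Assumption: the value is a standard Maven scope name. -->
            <scope>runtime</scope>
            <!-- Transitive dependencies are where vulnerable versions usually hide; keep them in. -->
            <transitive>true</transitive>
            <!-- Findings with a CVSS score below 4.0 are dropped before matching. -->
            <cvssScoreThreshold>4.0</cvssScoreThreshold>
            <!-- Suppress one reviewed finding by its OSS Index vulnerability id.
                 EXAMPLE-VULN-ID is a placeholder; real ids are taken from the rule's own output. -->
            <excludeVulnerabilityIds>
              <exclude>EXAMPLE-VULN-ID</exclude>
            </excludeVulnerabilityIds>
            <!-- Suppress every finding for one coordinate whose risk has been accepted.
                 Assumption: a MavenCoordinates entry uses nested groupId/artifactId/version elements. -->
            <excludeCoordinates>
              <exclude>
                <groupId>com.example</groupId>
                <artifactId>accepted-risk-lib</artifactId>
                <version>1.2.3</version>
              </exclude>
            </excludeCoordinates>
            <!-- Anything that survives the filters above fails the build (WARN would only log it). -->
            <level>ERROR</level>
            <!-- Credentials come from the settings.xml <server> whose <id> is "ossindex", not from the POM. -->
            <authId>ossindex</authId>
          </banVulnerable>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```

The `authId` value must match the `<id>` of a `<server>` element (with `<username>` and `<password>`) in the user's `~/.m2/settings.xml`, which keeps credentials out of version control. When rolling the rule out to an existing codebase, setting `level` to `WARN` first makes the current findings visible without blocking builds; once the exclusions are reviewed and recorded, switching to `ERROR` turns the rule into a gate. Every `excludeCoordinates` or `excludeVulnerabilityIds` entry silences a finding for all future builds, so each one should carry a comment with the reason and be revisited when the dependency is upgraded.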
Features
- Enforcer Rules: Excludes
- Enforcer Rules: Fail or Warn