Merge pull request #30179 from sberyozkin/owasp-dependency-check

Add an owasp-check profile

CONTRIBUTING.md

@@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small
 * [Extensions](#extensions)
     + [Descriptions](#descriptions)
     + [Update dependencies to extensions](#update-dependencies-to-extensions)
+    + [Check security vulnerabilities](#check-security-vulnerabilities)
 * [The small print](#the-small-print)
 * [Frequently Asked Questions](#frequently-asked-questions)
 
@@ -694,6 +695,12 @@ were changed by the script.
 When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as
 long as the extension artifact is still present in your local Maven repository.
 
+### Check security vulnerabilities
+
+When adding a new extension or updating the dependencies of an existing one,
+it is recommended to run in the extension directory the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Dowasp-check`
+so that known security vulnerabilities in the extension dependencies can be detected early.
+
 ## The small print
 
 This project is an open source project, please act responsibly, be nice, polite and enjoy!

build-parent/pom.xml

@@ -174,6 +174,7 @@
 
         <!-- google cloud functions invoker-->
         <gcf-invoker.version>1.1.1</gcf-invoker.version>
+        <owasp-dependency-check-plugin.version>7.4.4</owasp-dependency-check-plugin.version>
     </properties>
 
     <dependencyManagement>
@@ -721,6 +722,17 @@
                         </execution>
                     </executions>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${owasp-dependency-check-plugin.version}</version>
+                    <configuration>
+                        <!-- Disable Net Analyzer -->
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
+                        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
     </build>
@@ -1237,7 +1249,17 @@
                 </plugins>
             </build>
         </profile>
-
+        <profile>
+            <id>owasp-check</id>
+            <activation>
+                <property>
+                    <name>owasp-check</name>
+                </property>
+            </activation>
+            <build>
+                <defaultGoal>dependency-check:check</defaultGoal>
+            </build>
+        </profile>
         <profile>
             <id>Windows</id>
             <activation>

docs/src/main/asciidoc/security-overview-concept.adoc

@@ -345,7 +345,7 @@ To add the OWASP Dependency check plugin to your Quarkus Maven project, add the
 
 [IMPORTANT]
 ====
-Set the `owasp-dependency-check-plugin.version` value to `7.1.1` or later.
+Set the `owasp-dependency-check-plugin.version` value to `7.4.4` or later.
 ====
 
 Next, configure the plugin as follows: