From 23ccc4d6db479197282434af89ae10d75bf7b8ae Mon Sep 17 00:00:00 2001 From: Sergey Beryozkin Date: Wed, 4 Jan 2023 17:54:45 +0000 Subject: [PATCH] Add an owasp-check profile --- CONTRIBUTING.md | 7 ++++++ build-parent/pom.xml | 24 ++++++++++++++++++- .../asciidoc/security-overview-concept.adoc | 2 +- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0dc547a4feba4..0a630125f7f29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small * [Extensions](#extensions) + [Descriptions](#descriptions) + [Update dependencies to extensions](#update-dependencies-to-extensions) + + [Check security vulnerabilities](#check-security-vulnerabilities) * [The small print](#the-small-print) * [Frequently Asked Questions](#frequently-asked-questions) @@ -694,6 +695,12 @@ were changed by the script. When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as long as the extension artifact is still present in your local Maven repository. +### Check security vulnerabilities + +When adding a new extension or updating the dependencies of an existing one, +it is recommended to run in the extension directory the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Dowasp-check` +so that known security vulnerabilities in the extension dependencies can be detected early. + ## The small print This project is an open source project, please act responsibly, be nice, polite and enjoy! diff --git a/build-parent/pom.xml b/build-parent/pom.xml index 2ff4c7496a5d0..ece649287c5ec 100644 --- a/build-parent/pom.xml +++ b/build-parent/pom.xml @@ -172,6 +172,7 @@ 1.1.1 + 7.4.4 @@ -719,6 +720,17 @@ + + org.owasp + dependency-check-maven + ${owasp-dependency-check-plugin.version} + + + false + false + false + + 
@@ -1235,7 +1247,17 @@ - + + owasp-check + + + owasp-check + + + + dependency-check:check + + Windows diff --git a/docs/src/main/asciidoc/security-overview-concept.adoc b/docs/src/main/asciidoc/security-overview-concept.adoc index 2af860fe09c56..5191ba2866dc2 100644 --- a/docs/src/main/asciidoc/security-overview-concept.adoc +++ b/docs/src/main/asciidoc/security-overview-concept.adoc @@ -344,7 +344,7 @@ To add the OWASP Dependency check plugin to your Quarkus Maven project, add the [IMPORTANT] ==== -Set the `owasp-dependency-check-plugin.version` value to `7.1.1` or later. +Set the `owasp-dependency-check-plugin.version` value to `7.4.4` or later. ==== Next, configure the plugin as follows:
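Review bot: The new "Check security vulnerabilities" paragraph in CONTRIBUTING.md buries the command at the end of a long sentence; suggest "run `mvn -Dowasp-check` in the extension directory" up front, and state what a contributor should expect afterwards (a report to read, or a failed build), since the text currently says only that vulnerabilities "can be detected early". It is also worth noting that `-Dowasp-check` only works from a module that inherits build-parent, because that is where the `owasp-check` property-activated profile is defined.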
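Review bot: The `dependency-check-maven` configuration added to build-parent/pom.xml sets three options to `false` but no `failBuildOnCVSS` threshold, so `dependency-check:check` in the `owasp-check` profile will only report findings without failing the build (the plugin's default threshold of 11 never fails). If the profile is meant to gate dependency updates, add `<failBuildOnCVSS>` with an agreed threshold; if it is intended to be report-only, say so in CONTRIBUTING.md. The element names of the three `false` values are stripped in this rendering, so what they disable could not be reviewed here.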
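Review bot: The docs hunk raises the recommended minimum `owasp-dependency-check-plugin.version` for user projects from `7.1.1` to `7.4.4` without a reason in the commit message; if 7.4.4 carries a fix users need, mention it so the bump is not read as arbitrary. Otherwise the version pinned in build-parent for Quarkus's own check and the minimum documented for user projects are independent and need not move in lockstep.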