Top 3 Maven Plugins To Ensure Quality and Security

Last Updated:  August 3, 2022 | Published: November 4, 2019

Detecting vulnerabilities inside our dependencies is crucial for creating robust, reliable, and secure applications. Besides that, static code analysis tools and pre-defined rules can help us maintain a healthy and qualitative code base. Fortunately, there are Maven plugins available to automate this within our build. With this blog post, I'll demonstrate my top three Maven plugins to ensure both quality and security for Java projects.

Maven Project to Demonstrate the Plugins

To see these three Maven plugins in action I've created a Spring Boot Maven project using Java 11 and the following dependencies:

Besides the standard Java class to start the Spring Boot application, the project consists of one Java class to read a file and print the output on startup:

This class acts as a negative example to demonstrate the usage of one Maven plugin later on.

Maven Enforcer Plugin

The Maven Enforcer plugin enables us to check several pre-defined rules for our project. This can be as simple as checking the Java, Maven, or OS version during build time (find a list of all rules here).

Similarly, we can use this plugin to blacklist a set of dependencies that are banned from our project. A good use case for this might be after the transition from JUnit 4 to JUnit 5. Once all our tests are using JUnit 5, we can exclude the JUnit 4 dependencies and create a rule so that other teammates might not include it again by accident (and potentially mix JUnit 4 and 5, which is one of the most common Spring Boot testing pitfalls).

Next, we can use the dependencyConvergence rule from the Maven Enforcer plugin to ensure there is only one version of a dependency available in our project. Once our project grows and includes more dependencies, there might be two dependencies pulling in a different version of Jackson, for example. This can lead to issues during runtime whenever we rearrange our dependencies, update the versions or remove dependencies (watch this video for a deep dive on how Maven handles dependency version conflicts).

To detect such scenarios, the dependencyConvergence rule will fail whenever there a transitive dependency is included with different versions. We can then fix this by either pinning the dependency version inside the dependencyManagement or by excluding it from one dependency.

We add this plugin to our project like the following:

Once we run mvn verify or mvn enforcer:enforce , our configured rules checked. If one of the rules fail, our build is stopped, and Maven reports a build failure.

OWASP Dependency-Check to ensure dependency quality

The more dependencies we add to our project, the more likely we have to handle Common Vulnerabilities and Exposures (CVE). Manually checking the CVE database for new issues is cumbersome.

Fortunately, there is a Maven plugin to do this during build time: OWASP Dependency-Check Maven plugin. This plugin analyzes all our dependencies and either fail the build (if configured) or produce log warnings once one of our dependency is part of a CVE.

Please note that the vulnerabilities are downloaded from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov. This might take some minutes for the first run, and if we plan to use it, we should definitely enable caching for our CI/CD pipeline (example for GitHub Actions here). In the past, we also observed some downtime of this hosted vulnerability database. In such cases, we configured the plugin to not fail the built.

Furthermore, there might be vulnerabilities that occur just for a specific dependency setup or operating system. To suppress such false positives, we can add a owasp-suppressions.xml file to our project and exclude these CVEs:

Including the plugin is as simple as the following:

With the failBuildOnCVSS configuration value, we specify the severity of a CVE to fail the build. The score ranges from 0 to 10.

Once we run mvn verify or mvn dependency-check:check our dependencies are analyzed.

SpotBugs Maven Plugin to ensure code quality

Having a static code analysis tool might help fixing potential bugs. Besides SonarQube there is a popular Maven plugin that does not need further setup: SpotBugs Maven plugin (formerly known as FindBugs).

We can include this Maven plugin with the following configuration:

Now we can run mvn spotbugs:check to analyze our source code. Furthermore, we can launch a simple UI to analyze potential code analysis warnings with mvn spotbugs:gui.

In our example, SpotBugs complains about the implementation of the BadPracticeFileReader class. It detects three potential bugs as we use the default encoding while creating the String out of the byte array and don't properly clean the opened resource.

Having a static analysis tool is a great way to detect low-hanging bugs early on. For a more sophisticated code analysis, take a look at SonarCloud. For immediate feedback, there's SonarLint, a free IntelliJ IDEA plugin.

The source code for this article is available on GitHub.

You can find further Maven-related blog posts:

Have fun using these Maven plugins to ensure the quality of your project,

Phil

  • Minor typo, when it explains how to test the OWASP Dependency-Check it reads ‘mvn depencency-check:check’ whereas it should be mvn dependency-check:check ( a ‘d’ instead of ‘c’).
    Thanks for the info, pretty useful.

  • {"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
    >