rieckpil

Top 3 Maven Plugins to ensure Quality and Security for your project

Detecting vulnerabilities inside your dependencies is crucial for creating secure applications. Besides that, static code analysis tools and pre-defined rules can help you to ensure quality. Fortunately, there are Maven Plugins available to automate this within your build. With this blog post, I'll show you my top three Maven plugins to ensure both quality and security.

Maven project to demonstrate these plugins

To see these three Maven plugins in action I've created a Spring Boot Maven project using Java 11 and the following dependencies:

Besides the standard Java class to start the Spring Boot application, I've added a second class to read a file and print the output on startup:

We'll use this class with its bad implementation to demonstrate the usage of one Maven plugin later on.

Maven Enforcer Plugin

The Maven Enforcer plugin enables us to check several pre-defined rules for our project. This can be as simple as checking the Java, Maven or OS version during build time (find a list of all rules here). Similarly, you can use this plugin to blacklist a set of dependencies that are banned from your project. A good use case for this might be after the transition from JUnit 4 to JUnit 5. Once all your tests are using JUnit 5 you can exclude the JUnit 4 dependencies and create a rule so that other teammates might not include it again by-accident.

Next, you can use the dependencyConvergence rule from the Maven Enforcer plugin to ensure there is only one version of a dependency available in your project. Once your project grows and includes more dependencies, there might be two dependencies pulling in a different version of Jackson for example. This can be an issue as the default classloader will just pick the first one on the classpath it can find.

To detect such scenarios, the dependencyConvergence rule will fail with proper console output. You can then fix this by either pinning the dependency version inside the dependencyManagement or exclude it from one dependency.

You can include this plugin to your project like the following:

Once you run mvn verify or mvn enforcer:enforce your configured rules checked.

OWASP Dependency-Check to ensure dependency quality

The more dependencies you add to your project, the more likely you have to handle Common Vulnerabilities and Exposures (CVE). Manually checking the CVE database for new issues is cumbersome. Fortunately, there is a free Maven plugin to do this during build time: OWASP Dependency-Check Maven plugin. This plugin analyzes all your dependencies and either fail the build (if configured) or produce log warnings once one of your dependency is part of a CVE.

Please note that the vulnerabilities are downloaded from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov. This might take some minutes for the first run and if you plan to use it, you should definitely enable caching for your CI/CD pipeline. In the past, we also observed some downtime of this hosted vulnerability database. In such cases, we configured the plugin to not fail the built.

Furthermore, there might be vulnerabilities that occur just for a specific dependency setup or operating system. To suppress such false-positives you can add a owasp-suppressions.xml file to your project and exclude these CVEs:

Including the plugin is as simple as the following:

With the failBuildOnCVSS configuration value, you specify the severity of a CVE to fail the build. The score ranges from 0 to 10.

Once you run mvn verify or mvn depencency-check:check your dependencies are analyzed.

SpotBugs Maven Plugin to ensure code quality

Having a static code analysis tool might help fixing potential bugs. Besides SonarQube there is a popular Maven plugin that does not need further setup: SpotBugs Maven plugin (formerly known as FindBugs).

From personal experience, I wouldn't fail the build due to static code analysis tools. Rather check possible warnings from time to time and fix the most obvious ones.

You can include this Maven plugin with the following configuration:

Now you can run mvn spotbugs:check to analyze your source code. Furthermore, you can launch a simple UI to analyze potential code analysis warnings with mvn spotbugs:gui.

In our example, SpotBugs complains about the implementation of the BadPracticeFileReader class. It detects three potential bugs as we use the default encoding while creating the String out of the byte array and don't properly clean the opened resource.

You can find the source code for this blog post on GitHub. Find further Maven related blog posts here.

Have fun using these Maven plugins to ensure the quality of your project,

Phil