Dependency Check

Runs OWASP Dependency Check against your project’s dependencies to identify known vulnerabilities (CVEs).

For Java, Kotlin and Scala modules, extend mill.contrib.owaspdependencycheck.OwaspDependencyCheckJavaModule; it scans the module's runtime class path for known vulnerabilities. For anything else, extend mill.contrib.owaspdependencycheck.OwaspDependencyCheckModule and list the files to scan (jars, package locks, JavaScript files) yourself in owaspDependencyCheckFiles.

Quickstart:

build.mill
//| mvnDeps: ["com.lihaoyi::mill-contrib-owaspdependencycheck:$MILL_VERSION"]
package build

import mill.*
import mill.javalib.*
import mill.contrib.owaspdependencycheck.{OwaspDependencyCheckJavaModule,OwaspDependencyCheckModule}

object backend extends JavaModule with OwaspDependencyCheckJavaModule {
  def mvnDeps = Seq(mvn"ch.qos.logback:logback-classic:1.5.12")
}
object frontend extends OwaspDependencyCheckModule {
  def packageJson: T[PathRef] = Task.Source(moduleDir / "package.json")
  def packageLock: T[PathRef] = Task.Source(moduleDir / "package-lock.json")
  def owaspDependencyCheckFiles: T[Seq[PathRef]] = Task { Seq(packageJson(), packageLock()) }
}

Then run the vulnerability scan with:

> mill backend.owaspDependencyCheck
> mill frontend.owaspDependencyCheck

Reports are written to the owaspDependencyCheck task's destination directory, e.g. out/backend/owaspDependencyCheck.dest/.

Configuration options

The scan is configured through Dependency Check command-line arguments; see the Dependency Check CLI documentation for the full list.

The arguments are passed to the Dependency Check CLI unchanged. By default --nvdDatafeed is set to https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/, a prebuilt cache of the NVD data, so the scanner does not have to build its local database from the NVD API on every run.

It is highly recommended to also configure OSS Index credentials (--ossIndexUsername and --ossIndexPassword, the latter being an OSS Index API token); without them the scan results are noticeably worse. Treat the placeholders below as secrets: read them from the environment or your CI secret store rather than committing them to build.mill.

override def owaspDependencyCheckConfigArgs: T[Seq[String]] = Task {
  super.owaspDependencyCheckConfigArgs() ++
    Seq("--ossIndexUsername","<user-name>",
        "--ossIndexPassword","<password>")
}

Failing The Scan

To fail the scan once findings reach a given severity, pass the --failOnCVSS flag with a CVSS threshold:

override def owaspDependencyCheckConfigArgs: T[Seq[String]] = Task {
  super.owaspDependencyCheckConfigArgs() ++
    Seq("--ossIndexUsername","<user-name>",
        "--ossIndexPassword","<password>",
        "--failOnCVSS", "4")
}

This makes owaspDependencyCheck fail if any vulnerability with a CVSS score of 4 or higher is found (the threshold is inclusive).

If the task should not fail, for example because a downstream task consumes the report and decides for itself, override owaspDependencyCheckFailTask to false.
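The following build.mill puts the credential advice and the non-failing variant together in one reusable trait. It is an added example, not code from the Mill module itself: OSS_INDEX_USER and OSS_INDEX_TOKEN are assumed environment variable names, Task.env is used to read them, owaspDependencyCheckFailTask is assumed to be a T[Boolean], owaspDependencyCheck is assumed to return a PathRef to its report directory, and the report file name (dependency-check-report.json, written by the CLI's --format JSON option) and its fields (dependencies, fileName, vulnerabilities, name, severity) are assumptions about the Dependency Check JSON report format. The gate task replaces a bare --failOnCVSS failure with a failure message that lists the offending dependencies.

```scala
//| mvnDeps: ["com.lihaoyi::mill-contrib-owaspdependencycheck:$MILL_VERSION"]
package build

import mill.*
import mill.javalib.*
import mill.contrib.owaspdependencycheck.OwaspDependencyCheckJavaModule

// Added example: a trait that hardens the scan configuration.
// Mix it into every JavaModule whose runtime class path should be scanned.
trait HardenedDependencyCheck extends OwaspDependencyCheckJavaModule {

  // Severities (as spelled in the JSON report; assumed values) that block the build.
  def blockingSeverities: T[Set[String]] = Task { Set("CRITICAL", "HIGH") }

  override def owaspDependencyCheckConfigArgs: T[Seq[String]] = Task {
    // Credentials come from the environment so they never land in version control.
    // OSS_INDEX_USER and OSS_INDEX_TOKEN are assumed variable names; a missing one
    // aborts the scan rather than silently running a degraded one.
    def required(name: String): String =
      Task.env.getOrElse(name, sys.error(s"$name is not set; refusing to scan without OSS Index"))
    super.owaspDependencyCheckConfigArgs() ++ Seq(
      "--ossIndexUsername", required("OSS_INDEX_USER"),
      "--ossIndexPassword", required("OSS_INDEX_TOKEN"),
      // Machine-readable report for the gate task below.
      "--format", "JSON"
    )
  }

  // Let the scan task itself succeed so the report is always produced; the gate decides.
  // (Assumed signature: the page only shows the task name and the value false.)
  override def owaspDependencyCheckFailTask: T[Boolean] = Task { false }

  // Fails on any blocking finding and says which dependency caused it.
  def dependencyGate: T[Unit] = Task {
    // Assumed: owaspDependencyCheck returns a PathRef to its report directory, and
    // the CLI writes dependency-check-report.json there when --format JSON is set.
    val report = ujson.read(os.read(owaspDependencyCheck().path / "dependency-check-report.json"))
    val blocking = blockingSeverities()
    val findings = for {
      dep  <- report("dependencies").arr
      vuln <- dep.obj.get("vulnerabilities").map(_.arr).getOrElse(Seq.empty)
      sev   = vuln("severity").str.toUpperCase
      if blocking.contains(sev)
    } yield s"${dep("fileName").str}: ${vuln("name").str} ($sev)"
    if (findings.nonEmpty)
      sys.error(("Blocking vulnerabilities found:" +: findings).mkString("\n  "))
  }
}

object backend extends JavaModule with HardenedDependencyCheck {
  def mvnDeps = Seq(mvn"ch.qos.logback:logback-classic:1.5.12")
}
```

Run the gate with `OSS_INDEX_USER=... OSS_INDEX_TOKEN=... mill backend.dependencyGate`; `mill backend.owaspDependencyCheck` still produces the report on its own, which is what lets other tasks consume it without the scan task failing first.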