How to keep track of maven dependency updates in projects?
-
31-12-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
How do you keep track of maven dependency versions?
Let's say you are using version 1.0.5 of an library.
<dependency>
<groupId>groupIdName</groupId>
<artifactId>artecfact-id</artifactId>
<version>1.0.5</version>
</dependency>
But some people find a very bad security bug in version 1.0.5 and they release version 1.0.6 with a bugfix for this security vulnerability.
How do you manage in your project to know that there is a new important version, where it's very important to update?
I'm sure, no one is looking every week: Is there a new update to all the projects?
Even with watching the github projects, it will end up in a mess, because there are too many dependencies to watch in big projects.
We are using Gitlab and Jenkins in our environment, so if there are good plugins for that tools, or something else like Sonar can help here, let me know.
Looking forward for this discussion!
(I hope the softwareengineering on stackexchange is the right place for this discussion)
解决方案
Consider using dependency-check
https://www.owasp.org/index.php/OWASP_Dependency_Check
It has a Maven plugin and command line tool. You can use it to warn you if you use "dangerous" dependency versions in a build. The list is updated every day.
其他提示
I don't want to veer into product recommendations but there are vendor solutions that allow you to run these kinds of checks. One that I am slightly familiar with consists of a private proxy maven repository. You point your build server to it and have all the developers use it in lieu of maven central. When a pom references a risky dependency it will fail the build. It offers the ability for privileged users to manage rules and exceptions.
