How to keep track of maven dependency updates in projects?

softwareengineering.stackexchange https://softwareengineering.stackexchange.com/questions/334650

Question

How do you keep track of maven dependency versions?

Let's say you are using version 1.0.5 of an library.

<dependency>
    <groupId>groupIdName</groupId>
    <artifactId>artecfact-id</artifactId>
    <version>1.0.5</version>
</dependency>

But some people find a very bad security bug in version 1.0.5 and they release version 1.0.6 with a bugfix for this security vulnerability.

How do you manage in your project to know that there is a new important version, where it's very important to update?

I'm sure, no one is looking every week: Is there a new update to all the projects?
Even with watching the github projects, it will end up in a mess, because there are too many dependencies to watch in big projects.

We are using Gitlab and Jenkins in our environment, so if there are good plugins for that tools, or something else like Sonar can help here, let me know.

Looking forward for this discussion!
(I hope the softwareengineering on stackexchange is the right place for this discussion)

Was it helpful?

Solution

Consider using dependency-check

https://www.owasp.org/index.php/OWASP_Dependency_Check

It has a Maven plugin and command line tool. You can use it to warn you if you use "dangerous" dependency versions in a build. The list is updated every day.

OTHER TIPS

I don't want to veer into product recommendations but there are vendor solutions that allow you to run these kinds of checks. One that I am slightly familiar with consists of a private proxy maven repository. You point your build server to it and have all the developers use it in lieu of maven central. When a pom references a risky dependency it will fail the build. It offers the ability for privileged users to manage rules and exceptions.

Licensed under: CC-BY-SA with attribution
scroll top