Common Misconfigurations

  1. Using outdated versions with known CVEs
  2. Not regularly updating dependencies
  3. Ignoring security warnings from dependency scanners
  4. Using dependencies without checking their security history
  5. Not implementing a dependency update policy

Vulnerable Example

<!-- pom.xml with vulnerable dependencies -->
<dependencies>
    <!-- Log4j vulnerability (CVE-2021-44228) -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.1</version> <!-- Vulnerable version -->
    </dependency>
    
    <!-- Spring Framework vulnerability (CVE-2022-22965) -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.17</version> <!-- Vulnerable version -->
    </dependency>
    
    <!-- Jackson Databind vulnerability -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.10</version> <!-- Multiple CVEs -->
    </dependency>
</dependencies>

Secure Solution

<!-- pom.xml with patched dependencies -->
<dependencies>
    <!-- Updated Log4j to secure version -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.21.1</version> <!-- Secure version -->
    </dependency>
    
    <!-- Updated Spring Framework -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.1.2</version> <!-- Secure version -->
    </dependency>
    
    <!-- Updated Jackson Databind -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.16.1</version> <!-- Secure version -->
    </dependency>
</dependencies>

<!-- Add dependency management for version control -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>3.2.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
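As an added example (not part of the original page), the script below parses POM text and flags dependencies whose declared version falls inside a known-vulnerable range, run over both the vulnerable and the secure POM shown above. The advisory table is constructed for the illustration: it contains only the two CVEs named on this page with their affected ranges, deliberately omits jackson-databind (so the secure POM's fix for it is invisible to the checker), and does not model backport branches such as log4j 2.12.2. The point is that a hand-kept table is no substitute for a full scanner such as OWASP Dependency Check; the version comparison is a simplification of Maven's ordering that handles the cases shown.

```python
"""Added example: flag pom.xml dependencies whose declared version falls inside a
known-vulnerable range. Not a real advisory feed; see the comments."""
import re
import xml.etree.ElementTree as ET

# Constructed advisory table for this example (inclusive ranges). It covers only the
# two CVEs named on the page; jackson-databind is deliberately absent, and backport
# branches such as log4j 2.12.2 are not modeled. A hand-kept table like this is an
# illustration, not a substitute for OWASP Dependency Check.
VULNERABLE_RANGES = {
    ("org.apache.logging.log4j", "log4j-core"): [
        ("2.0-beta9", "2.14.1", "CVE-2021-44228"),
    ],
    ("org.springframework", "spring-webmvc"): [
        ("5.3.0", "5.3.17", "CVE-2022-22965"),
        ("5.2.0", "5.2.19", "CVE-2022-22965"),
    ],
}


def version_key(version):
    """Sort key approximating Maven ordering: numeric components first, with a
    qualifier (e.g. '-beta9') sorting before the bare release of the same number."""
    match = re.match(r"^(\d+(?:\.\d+)*)(?:[-.](.+))?$", version.strip())
    if not match:
        raise ValueError("unsupported version string: %r" % version)
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so that 2.0 compares equal to 2.0.0
    qualifier = match.group(2) or ""
    return (nums, 0 if qualifier else 1, qualifier)


def _local_name(tag):
    # Drop the POM namespace so the code works with or without xmlns on <project>.
    return tag.rsplit("}", 1)[-1]


def declared_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> that declares an
    explicit <version>; entries managed by a BOM have none and are skipped."""
    root = ET.fromstring(pom_xml)
    for element in root.iter():
        if _local_name(element.tag) != "dependency":
            continue
        fields = {_local_name(child.tag): (child.text or "").strip() for child in element}
        if fields.get("version"):
            yield fields.get("groupId", ""), fields.get("artifactId", ""), fields["version"]


def find_vulnerable(pom_xml):
    """Return (groupId:artifactId, version, advisory) for each declared dependency
    whose version lies inside a known-vulnerable range."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        for low, high, advisory in VULNERABLE_RANGES.get((group, artifact), []):
            if version_key(low) <= version_key(version) <= version_key(high):
                findings.append(("%s:%s" % (group, artifact), version, advisory))
    return findings


def _pom(log4j, spring, jackson):
    # Constructed POM text mirroring the page's examples (versions passed in).
    return """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>%s</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>%s</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>%s</version>
    </dependency>
  </dependencies>
</project>""" % (log4j, spring, jackson)


VULNERABLE_POM = _pom("2.14.1", "5.3.17", "2.9.10")  # the page's vulnerable example
SECURE_POM = _pom("2.21.1", "6.1.2", "2.16.1")       # the page's secure solution

if __name__ == "__main__":
    for name, pom in (("vulnerable", VULNERABLE_POM), ("secure", SECURE_POM)):
        print(name, find_vulnerable(pom) or "no known-vulnerable versions declared")
```

Running it reports two findings for the vulnerable POM (log4j-core 2.14.1 and spring-webmvc 5.3.17) and none for the secure one. Note that jackson-databind 2.9.10 passes silently only because the constructed table does not know about it, which is exactly the coverage gap a maintained vulnerability database closes.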

Key Commands for Updating

These commands help you identify and manage your project’s dependencies. Many require the Versions Maven Plugin.

1. Check for Dependency Updates

This is the most useful command. It scans your pom.xml and compares your versions to the latest available ones in the remote repositories.
mvn versions:display-dependency-updates

2. View the Dependency Tree

This command prints the complete tree of all dependencies, including transitive dependencies (dependencies of your dependencies). It’s essential for finding where a vulnerable package is being introduced.
mvn dependency:tree
To find a specific package in the tree, you can filter it:
# Example: Find where log4j-core is coming from
mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
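The filtered tree above shows the resolved location of one artifact, but when the output is long it helps to turn it into an explicit root-to-artifact chain. The script below is an added example, not part of the original page: it parses the text printed by mvn dependency:tree (the default, non-verbose format) by reading the three-character tree prefix units to recover depth, and prints the chain of parents that introduces a given groupId:artifactId. The sample output embedded in it is constructed for a fictional module; its coordinates and versions are illustrative only.

```python
"""Added example: locate where an artifact enters the build by parsing the text
output of `mvn dependency:tree` (non-verbose format)."""
import re

# Constructed sample of `mvn dependency:tree` output for a fictional module; the
# coordinates and versions are illustrative, not a claim about any real project.
SAMPLE_TREE = """\
[INFO] --- dependency:X.Y.Z:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:shared-logging:jar:1.4.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] \\- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    \\- org.springframework:spring-web:jar:5.3.17:compile
"""

# Tree drawing characters that precede a coordinate, and the shape of a coordinate
# (at least groupId:artifactId:type, with no spaces, so banners and verbose-mode
# annotations such as "(... omitted for duplicate)" are ignored).
TREE_PREFIX = re.compile(r"^([|+\\\- ]*)(\S.*)$")
COORDINATE = re.compile(r"^[\w.-]+(?::[\w.-]+){2,}$")


def parse_dependency_tree(text):
    """Return [(coordinate, ancestors)] in document order, where ancestors is the
    list of coordinates from the root module down to the artifact's direct parent.
    Depth is the number of three-character prefix units ('+- ', '\\- ', '|  ', '   ')."""
    stack, nodes = [], []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        match = TREE_PREFIX.match(line)
        if not match or not COORDINATE.match(match.group(2).strip()):
            continue  # plugin banners, blank lines, verbose-mode annotations
        depth = len(match.group(1)) // 3
        coordinate = match.group(2).strip()
        del stack[depth:]  # climb back up to this node's parent level
        stack.append(coordinate)
        nodes.append((coordinate, stack[:-1]))
    return nodes


def find_introduction_paths(tree_text, group_artifact):
    """Return every root-to-artifact chain for 'groupId:artifactId' as a list of
    coordinates, so the parent that pulls the package in is visible at a glance."""
    paths = []
    for coordinate, ancestors in parse_dependency_tree(tree_text):
        # The trailing ':' prevents 'spring-web' from matching 'spring-webmvc'.
        if coordinate.startswith(group_artifact + ":"):
            paths.append(ancestors + [coordinate])
    return paths


def format_paths(paths):
    """Render each chain as 'root -> parent -> ... -> artifact'."""
    return "\n".join(" -> ".join(path) for path in paths)


if __name__ == "__main__":
    print(format_paths(find_introduction_paths(
        SAMPLE_TREE, "org.apache.logging.log4j:log4j-core")))
```

For the sample, the log4j-core line resolves to the chain com.example:app -> com.example:shared-logging -> org.apache.logging.log4j:log4j-core:jar:2.14.1, which tells you that the fix is either to upgrade shared-logging or to pin log4j-core through dependencyManagement rather than to edit a direct dependency that does not exist. Pipe real output in with mvn dependency:tree | python3 this_script.py after replacing SAMPLE_TREE with sys.stdin.read().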

3. Automatically Update the POM

The Versions plugin can also modify your pom.xml file to use the latest versions.
# Replaces versions with the latest release (snapshots excluded); this can still cross a
# major version, so pass -DallowMajorUpdates=false to stay within the current major
mvn versions:use-latest-releases

# Replaces versions with the absolute latest available version (can include breaking changes)
mvn versions:use-latest-versions
Warning: Use these commands with caution. Automatically updating to new major versions can break your code. It’s often safer to run display-dependency-updates and update the versions manually.

4. Run an OWASP Security Scan

This command runs the OWASP Dependency Check plugin, which scans your dependencies and generates a report of all known CVEs.
mvn org.owasp:dependency-check-maven:check
Note: You may need to configure this plugin in your pom.xml’s <build> section first for more advanced usage.

5. Analyze Dependencies

This command checks for dependencies that are declared in your pom.xml but not actually used, and vice-versa. This helps keep your pom.xml clean.
mvn dependency:analyze

Best Practices

  • Use tools like OWASP Dependency Check or Snyk.
  • Configure automated dependency updates with Dependabot.
  • Regularly audit dependencies using mvn dependency:tree.
  • Implement security scanning in CI/CD pipeline.