Adds Maven Dependency Check plugin with proper configuration
diff --git a/pom.xml b/pom.xml
index ba12efa..8f78d78 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,6 +45,28 @@
<jetty-plugin.version>9.4.22.v20191022</jetty-plugin.version>
</properties>
+ <profiles>
+ <profile>
+ <id>dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <phase>verify</phase>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
<modules>
<module>action-chaining</module>
<module>annotations</module>
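Review bot: The `dependency-check` profile declares no `<activation>`, so the `check` goal bound to `verify` only runs when the profile is selected explicitly and a plain `mvn verify` never enforces the CVSS gate; that is a reasonable opt-in design, but it should be stated where the profile is declared so CI is configured to pass it. A comment above `<profile>` would do, e.g. `<!-- Opt-in OWASP dependency scan: run with mvn -Pdependency-check verify; fails the build on findings at or above the configured CVSS threshold -->`. Since the profile lives in the parent pom, its build section is presumably inherited by every listed module, so the scan runs per module rather than once at the root — worth confirming and recording in the same comment.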
@@ -137,6 +159,24 @@
</plugin>
</plugins>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>5.2.2</version>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>src/etc/project-suppression.xml</suppressionFile>
+ </suppressionFiles>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
+
</build>
<repositories>
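Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` excludes runtime-scoped dependencies from the scan, yet those artifacts are packaged and shipped with the application, so a vulnerable runtime-scope library would never be reported or fail the build; skipping `provided` is defensible because the container supplies those jars, but runtime scope should stay in the scan (drop the `skipRuntimeScope` line, or add a comment explaining why it is excluded). The `<suppressionFile>` value `src/etc/project-suppression.xml` is a relative path; if the plugin resolves it against each module's basedir in this multi-module build, child modules will not find the file, which anchoring it to the root avoids: `<suppressionFile>${maven.multiModuleProjectDirectory}/src/etc/project-suppression.xml</suppressionFile>`. A one-line comment on `<failBuildOnCVSS>7</failBuildOnCVSS>` giving the rationale for the threshold would also help the next maintainer.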
diff --git a/src/etc/project-suppression.xml b/src/etc/project-suppression.xml
new file mode 100644
index 0000000..30480cd
--- /dev/null
+++ b/src/etc/project-suppression.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress>
+ <notes><![CDATA[
+ This suppresses false positives identified on Struts Annotations.
+ ]]></notes>
+ <gav regex="true">org\.apache\.struts:struts\-annotations\:1\.0\.6.*$</gav>
+ <cpe>cpe:/a:apache:struts:1.0.6</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
+ <gav regex="true">^org\.apache\.struts:struts\-core\:1\.3\.8.*$</gav>
+ <cpe>cpe:/a:apache:struts</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: struts-tiles-1.3.8.jar]]></notes>
+ <gav regex="true">^org\.apache\.struts:struts\-tiles\:1\.3\.8.*$</gav>
+ <cpe>cpe:/a:apache:struts</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: struts-taglib-1.3.8.jar]]></notes>
+ <gav regex="true">^org\.apache\.struts:struts\-taglib\:1\.3\.8.*$</gav>
+ <cpe>cpe:/a:apache:struts</cpe>
+ </suppress>
+</suppressions>
\ No newline at end of file
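Review bot: The three `<suppress>` entries for struts-core, struts-tiles and struts-taglib 1.3.8 suppress the unversioned `<cpe>cpe:/a:apache:struts</cpe>`, which hides every current and future CVE the analyzer maps to those artifacts through that CPE rather than the one false positive being worked around, and the `<notes>` only name the jar file without saying why the match is wrong. Narrow each entry to the specific finding (a `<cve>` element per false-positive CVE, or at least a versioned CPE as the first entry does) and expand the notes with the reason and the date it was reviewed so the suppression can be revisited. The first entry's `<gav>` regex lacks the leading `^` the other three use; it is harmless if the plugin performs a full match, but the inconsistency is worth fixing. The file also ends without a trailing newline.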