Audit - Rules - Maven

This group contains audit rules that look for potential problems in Maven POM files.



Dynamic Dependency in Maven

Using a dynamic dependency version is a security risk.

This audit rule flags the use of a dynamic dependency version in Maven configuration files.

Security Implications
A dynamic dependency version adds to the number of inputs that are undefined at build time and can be influenced by an attacker. Moreover, you cannot validate the quality and security of the code used in the build, because which artifact is actually resolved is not known until the build runs. This is an additional security risk that should be taken into consideration.

The following part of a Maven POM would be flagged as a violation because it declares a dependency with a dynamically defined revision:
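
As an added example (written for this page, not code from the original page or from the audit tool), a small Python check that parses a constructed pom.xml with hypothetical org.example coordinates and reports each dependency whose resolved version is dynamic: a version range, the LATEST or RELEASE metaversion, or a SNAPSHOT. It resolves ${property} placeholders first, so a range hidden behind a property is still caught; a dependency with no version element is skipped because that version comes from a parent or dependencyManagement section and must be checked there.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
# Constructed sample POM for this demo (hypothetical org.example coordinates, not from the page).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <properties><json.version>[2.0,)</json.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>pinned</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>ranged</artifactId><version>[1.0,2.0)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>latest</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>snap</artifactId><version>1.0-SNAPSHOT</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>viaprop</artifactId><version>${json.version}</version></dependency>
  </dependencies>
</project>
"""

def classify_version(version):
    """Return None for a fixed version, otherwise a short reason why it is dynamic."""
    if version in ("LATEST", "RELEASE"):  # metaversions resolved from repository metadata at build time
        return "metaversion " + version
    if version.startswith(("[", "(")):  # Maven version range, e.g. [1.0,2.0)
        return "version range"
    if version.endswith("-SNAPSHOT"):  # resolves to the newest timestamped build in the repository
        return "snapshot"
    return None

def find_dynamic_dependencies(pom_xml):
    """Return [(groupId:artifactId, resolved version, reason)] for every dynamic dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for props_el in root.iter(NS + "properties"):
        for prop in props_el:
            props[prop.tag.replace(NS, "")] = (prop.text or "").strip()
    findings = []
    for dep in root.iter(NS + "dependency"):
        version = dep.findtext(NS + "version")
        if version is None:  # inherited from a parent or dependencyManagement: check it there
            continue
        # Substitute ${name} placeholders so a range hidden behind a property is still caught.
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version.strip())
        reason = classify_version(resolved)
        if reason:
            coords = f"{dep.findtext(NS + 'groupId')}:{dep.findtext(NS + 'artifactId')}"
            findings.append((coords, resolved, reason))
    return findings
```

Run against the sample, only org.example:pinned passes; the other four dependencies are reported with the resolved version and the reason it is dynamic.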


External Dependency in Maven