How to keep track of maven dependency updates in projects?

Question

How do you keep track of maven dependency versions?

Let's say you are using version 1.0.5 of an library.

<dependency>
    <groupId>groupIdName</groupId>
    <artifactId>artecfact-id</artifactId>
    <version>1.0.5</version>
</dependency>

But some people find a very bad security bug in version 1.0.5 and they release version 1.0.6 with a bugfix for this security vulnerability.

How do you manage in your project to know that there is a new important version, where it's very important to update?

I'm sure, no one is looking every week: Is there a new update to all the projects?
Even with watching the github projects, it will end up in a mess, because there are too many dependencies to watch in big projects.

We are using Gitlab and Jenkins in our environment, so if there are good plugins for that tools, or something else like Sonar can help here, let me know.

Looking forward for this discussion!
(I hope the softwareengineering on stackexchange is the right place for this discussion)

Please check [these](http://stackoverflow.com/questions/3516538/how-to-check-pom-xml-for-updated-dependencies) [two](http://stackoverflow.com/questions/2687220/maven-check-for-updated-dependencies-in-repository) stackoverflow answers.. — wonderbell, Oct 26 '16 at 11:27
can't mark my own question on duplicate, because it's on StackOverflow not here... But still in need for a tool for Jenkins / Gitlab (I saw VersionEyes from one of this answers.. will try that as stand alone) — Joergi, Oct 26 '16 at 13:07

score 2 · Accepted Answer · answered Oct 23 '17 at 12:15

2

Consider using dependency-check

https://www.owasp.org/index.php/OWASP_Dependency_Check

It has a Maven plugin and command line tool. You can use it to warn you if you use "dangerous" dependency versions in a build. The list is updated every day.

answered Oct 23 '17 at 12:15

J Fabian Meier

513
4
17

exactly what I needed. thanks for answering this old question! – Joergi Oct 23 '17 at 14:40

score 1 · Answer 2 · answered Oct 23 '17 at 20:23

I don't want to veer into product recommendations but there are vendor solutions that allow you to run these kinds of checks. One that I am slightly familiar with consists of a private proxy maven repository. You point your build server to it and have all the developers use it in lieu of maven central. When a pom references a risky dependency it will fail the build. It offers the ability for privileged users to manage rules and exceptions.

How to keep track of maven dependency updates in projects?

2 Answers2