Github checks for jar dependencies and vulnerabilities through maven pom.xml. Is it possible to check for dependencies if one is using jar files just placed in a lib folder without the pom.xml?
Can a similar check be done for the license of the jar file?
It isn't possible currently for GitHub to do this for you, no. You could perhaps write some automation using a GitHub App or GitHub Actions to do so, though.
I hope that helps!
Thanks, Lee, this is helpful. There is also one more issue, even if there are entries in pom.xml which are vulnerable, they are not shown as alerts. For e.g. activemq-all(v5.7.0) and commons-collections(v3.2.2) have known vulnerability issues, but it doesn't give alerts for these jars.
Do we need to make any other changes besides adding these entries in pom.xml?
Do you have an example repository that's public that we can see the problem you're describing? That would be helpful to possibly debug the problem.
The repository can be accessed from this link,
Following 2 errors show up, but there are more jars in the project which are vulnerable and we dont get any error in those.
Both commons-collections and activemq-all have known vulnerabilities, but do not show up in the alerts.
<dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> <version>3.2.2</version> </dependency> <dependency> <groupId>org.apache.activemq</groupId> <artifactId>activemq-all</artifactId> <version>5.7.0</version> </dependency>
According to https://www.cvedetails.com/cve/CVE-2017-15708/, only commons-collections v3.2.1 has a confirmed vulnerability. You're using v3.2.2.
I'll pass along the feedback about the other library.