The English version of quarkus.io is the official project site. Translated sites are community supported on a best-effort basis.
Edit this Page

Security vulnerability detection and reporting in Quarkus

Most of the Quarkus tags are registered in the US National Vulnerability Database (NVD) in Common Platform Enumeration (CPE) name format.

US National Vulnerability Database

To view the registered Quarkus CPE names in the US NVD, use the following search URL:

If the NVD database flags a CVE against a Quarkus tag, a link that provides more details about the CVE is added to the given CPE name entry.

The NVD CPE team updates the list regularly, but if you encounter a false positive, report the details by creating an issue in the quarkusio repository.

Detect vulnerabilities in Quarkus at build time

You can detect the vulnerabilities at the application build time with an NVD feed by using the Maven OWASP Dependency-check-maven plugin.

To add the Open Worldwide Application Security Project (OWASP) Dependency-check-maven plugin to your Quarkus Maven project, add the following XML configuration to the pom.xml file:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
</plugin>

Set the owasp-dependency-check-plugin.version value to 8.3.1 or later.

Next, configure the plugin as follows:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <!-- Fail only when detecting High Vulnerability issues -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-cpe-suppression.xml</suppressionFile>
        </suppressionFiles>
    </configuration>
</plugin>

To detect less severe issues, adjust the value of failBuildOnCVSS to suppress the false positives, as demonstrated in the following code sample:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <!--
        This is a CPE suppression file for the maven dependency check plugin.
        Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using its' GAV.
        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
     -->
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for netty-tcnative-classes to netty
            ]]>
        </notes>
        <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Quarkus Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for SmallRye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for SmallRye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:smallrye-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for SmallRye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:vertx-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for graal-sdk to GraalVM (the JVM distribution)
            ]]>
        </notes>
        <gav regex="true">^org\.graalvm\.sdk:graal-sdk.*:.*$</gav>
    </suppress>
</suppressions>

Ensure that you review and update the suppression list regularly to ensure that the results are up to date. You can optionally apply a time limit to individual suppressions by adding an expiry attribute, as outlined in the following example:

<suppress until="2022-01-01Z">…​</suppress>

You can adjust the expiry date if you need to.

Related content