Maven Avoid Open Versions

ID

avoid_open_versions_maven

Severity

low

Family

Avoid open versions

Tags

reachable

Description

This detector finds open versions among the dependencies declared in pom.xml files. Any Maven version range is treated as an open version (see the Maven version range syntax for the details).

Furthermore, the special values LATEST and RELEASE are also treated as open versions.

You can configure this detector to apply only to your own pom.xml files, and to filter the processed dependencies by scope.
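The detection logic just described (version ranges, LATEST/RELEASE, optional scope filtering), as an added example that is not the detector's own code. It parses a pom.xml with the standard library and flags dependencies whose version can resolve to more than one artifact; the sample POM and its coordinates are constructed for the demo, and the inner `text` helper and the `[1.2.0]` hard-pin handling are my own assumptions about how a careful check should behave.

```python
import re
import xml.etree.ElementTree as ET

OPEN_KEYWORDS = {"LATEST", "RELEASE"}  # Maven meta-versions resolved at build time


def is_open_version(version):
    """True if a Maven version spec can resolve to more than one artifact version."""
    if version is None:
        return False  # managed elsewhere (parent / dependencyManagement); check it there
    v = version.strip()
    if v.upper() in OPEN_KEYWORDS:
        return True
    if v[:1] not in "[(":
        return False  # plain soft version such as 1.2.0 (or an unresolved ${property})
    for part in re.findall(r"[\[(][^\])]*[\])]", v):  # each bracketed set, e.g. [1.0,2.0)
        bounds = [b.strip() for b in part[1:-1].split(",")]
        if len(bounds) == 1:
            continue  # [1.2.0] is a hard requirement for exactly one version: pinned
        if not bounds[0] or not bounds[1] or bounds[0] != bounds[1]:
            return True  # missing bound or a real interval: open
    return False


def find_open_versions(pom_xml, scopes=None):
    """Return (groupId:artifactId, version, scope) per open dependency, optionally filtered by scope."""
    findings = []
    for dep in ET.fromstring(pom_xml).iterfind(".//{*}dependency"):  # {*}: any namespace (3.8+)
        def text(tag):
            return (dep.findtext("{*}" + tag) or "").strip() or None
        scope = text("scope") or "compile"  # Maven's default scope
        if scopes and scope not in scopes:
            continue
        if is_open_version(text("version")):
            findings.append((f"{text('groupId')}:{text('artifactId')}", text("version"), scope))
    return findings


# Constructed sample pom.xml for the demo; the coordinates are not real artifacts.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.group.dep</groupId><artifactId>artifact-name</artifactId>
      <version>[1.0,)</version></dependency>
    <dependency><groupId>com.group.dep</groupId><artifactId>latest-lib</artifactId>
      <version>LATEST</version><scope>test</scope></dependency>
    <dependency><groupId>com.group.dep</groupId><artifactId>hard-pin</artifactId>
      <version>[1.2.0]</version><scope>runtime</scope></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coords, version, scope in find_open_versions(SAMPLE_POM):
        print(f"open version {version!r} for {coords} (scope {scope})")
```

Running it reports the `[1.0,)` range and the LATEST dependency; the `[1.2.0]` hard requirement is a pin and is not reported.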

Security

By fixing the versions, the build becomes reproducible and deterministic, and a future malicious release of a dependency cannot silently enter the project.

Examples

<dependency>
  <groupId>com.group.dep</groupId>
  <artifactId>artifact-name</artifactId>
  <version>[1.0,)</version> <!-- open range: 1.0 or any later version -->
</dependency>

Mitigation / Fix

You must fix (pin) the exact version that you will use, for example:

<dependency>
  <groupId>com.group.dep</groupId>
  <artifactId>artifact-name</artifactId>
  <version>1.2.0</version>
</dependency>