Add dependency track to release steps

Signed-off-by: Gary O'Neall <[email protected]>
spdx · Dec 13, 2023 · 8f9677c · 8f9677c
1 parent fc8bb3b
commit 8f9677c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/RELEASE-CHECKLIST.md b/RELEASE-CHECKLIST.md
@@ -1,6 +1,7 @@
 # Release Checklist for the SPDX Java Tools
 
 - [ ] Check for any warnings from the compiler and findbugs
+- [ ] Run dependency check to find any potential vulnerabilities `mvn dependency-check:check`
 - [ ] Test the release `mvn release:prepare -DdryRun`
 - [ ] Run `mvn release:prepare` - you will be prompted for the release - typically take the defaults
 - [ ] Run `mvn release:perform`

diff --git a/pom.xml b/pom.xml
@@ -49,6 +49,7 @@
 		<sonar.host.url>https://sonarcloud.io</sonar.host.url>
 		<sonar.organization>spdx</sonar.organization>
 		<sonar.projectKey>java-spdx-library</sonar.projectKey>
+		<dependency-check-maven.version>8.0.1</dependency-check-maven.version>
 	</properties>
 	<profiles>
 		<profile>
@@ -301,6 +302,11 @@
 	            <goals>deploy</goals>
 	          </configuration>
 	        </plugin>
+	        <plugin>
+	          <groupId>org.owasp</groupId>
+	          <artifactId>dependency-check-maven</artifactId>
+	          <version>${dependency-check-maven.version}</version>
+	        </plugin>
 		</plugins>
 	</build>
 	<reporting>