Find and Fix Vulnerable Dependencies
To detect and upgrade dependencies with publicly disclosed vulnerabilities, you can use the OpenRewrite recipe org.openrewrite.java.dependencies.DependencyVulnerabilityCheck from rewrite-java-security.
This Software Composition Analysis (SCA) recipe scans your project's dependencies for known vulnerabilities using data from the GitHub Security Advisory Database and the National Vulnerability Database. It produces a vulnerability report and upgrades each vulnerable dependency to the nearest patched version that falls within the upgrade delta you allow; vulnerabilities that cannot be fixed within that delta are reported but left unchanged.
You can run the recipe using one of the following methods.
- Moderne CLI
The Moderne CLI lets you run OpenRewrite recipes without modifying your build files. It operates on a serialized Lossless Semantic Tree (LST) of each project, which makes runs considerably faster and lets you apply a recipe across many projects at once.
You will need to have configured the Moderne CLI on your machine before you can run the following command.
- If a serialized LST of the project is not yet available locally, build it. This is only needed the first time, or after extensive changes:

```shell
mod build ~/workspace/
```

- If the recipe is not yet installed locally, install it once:

```shell
mod config recipes jar install org.openrewrite.recipe:rewrite-java-security:LATEST
```

- Run the recipe, passing recipe options with `-P`:

```shell
mod run ~/workspace/ --recipe org.openrewrite.java.dependencies.DependencyVulnerabilityCheck -P "scope=runtime" -P "overrideTransitive=True" -P "maximumUpgradeDelta=minor"
```
Recipe options
This recipe supports several options to customize its behavior:
| Option | Description | Default |
|---|---|---|
| scope | Only consider dependencies in this scope (compile, test, runtime, provided) | runtime |
| overrideTransitive | When enabled, vulnerable transitive dependencies have their versions overridden as well | false |
| maximumUpgradeDelta | Largest version step the recipe may take when upgrading (patch, minor, major) | patch |
| minimumSeverity | Ignore vulnerabilities below this severity (low, moderate, high, critical) | low |
| cvePattern | Regex pattern that restricts the recipe to matching CVE identifiers | (none) |
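The same options can be captured in a declarative OpenRewrite recipe so that the settings are versioned alongside the code rather than retyped as `-P` flags. The following rewrite.yml is an added example, not part of the original page or of rewrite-java-security; it uses OpenRewrite's declarative recipe format, the option names from the table above, and a hypothetical recipe name (com.example.FixHighSeverityRuntimeVulnerabilities). The cvePattern value is illustrative and is assumed to be matched against the advisory's CVE identifier.

```yaml
# rewrite.yml (added example; not from the original page or project)
# Assumes OpenRewrite's declarative recipe format. Option names match the table above.
---
type: specs.openrewrite.org/v1beta/recipe
name: com.example.FixHighSeverityRuntimeVulnerabilities   # hypothetical recipe name
displayName: Fix high and critical runtime vulnerabilities
description: >
  Upgrade runtime dependencies, including transitive ones, that carry a high or
  critical advisory, allowing at most a minor-version bump.
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: runtime            # ignore test-only dependencies
      overrideTransitive: true  # pin vulnerable transitive versions too
      maximumUpgradeDelta: minor
      minimumSeverity: high     # skip low/moderate findings for this pass
---
type: specs.openrewrite.org/v1beta/recipe
name: com.example.FixRecentCvesOnly   # hypothetical recipe name
displayName: Address only CVEs from a given year
description: >
  Restrict the check to advisories whose CVE identifier matches a pattern,
  at the most conservative (patch-level) upgrade delta.
recipeList:
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      scope: compile
      maximumUpgradeDelta: patch
      cvePattern: 'CVE-2024-\d+'   # illustrative pattern, not a specific advisory
```

The first recipe is the strict, transitive-aware configuration; the second shows how cvePattern narrows a run to a subset of advisories, which is useful when an emergency response must change as little as possible. When running through the Moderne CLI, the same values can be passed as `-P` options on the `mod run` command shown above.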
Next steps
Review the generated vulnerability report to understand which dependencies were flagged and which were actually upgraded. If patch-level upgrades are insufficient to address certain vulnerabilities, raise maximumUpgradeDelta to minor or major, then review the resulting changes and rerun your tests: a minor or major version bump can introduce API changes that a patch-level bump would not.