AgentSkillsCN

maven-dependency-audit

审计 Maven 依赖项,排查过时版本、安全漏洞以及依赖冲突。适用于用户说“检查依赖”、“审计依赖”、“过时依赖”时使用,或在发布前使用。

SKILL.md
--- frontmatter
name: maven-dependency-audit
description: Audit Maven dependencies for outdated versions, security vulnerabilities, and conflicts. Use when user says "check dependencies", "audit dependencies", "outdated deps", or before releases.

Maven Dependency Audit Skill

Audit Maven dependencies for updates, vulnerabilities, and conflicts.

When to Use

  • User says "check dependencies" / "audit dependencies" / "outdated dependencies"
  • Before a release
  • Regular maintenance (monthly recommended)
  • After security advisory

Audit Workflow

  1. Check for updates - Find outdated dependencies
  2. Analyze tree - Find conflicts and duplicates
  3. Security scan - Check for vulnerabilities
  4. Report - Summary with prioritized actions

1. Check for Outdated Dependencies

Command

bash
mvn versions:display-dependency-updates

Output Analysis

code
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   org.slf4j:slf4j-api ......................... 1.7.36 -> 2.0.9
[INFO]   com.fasterxml.jackson.core:jackson-databind . 2.14.0 -> 2.16.1
[INFO]   org.junit.jupiter:junit-jupiter ............. 5.9.0 -> 5.10.1

Categorize Updates

CategoryCriteriaAction
SecurityCVE fix in newer versionUpdate ASAP
Majorx.0.0 changeReview changelog, test thoroughly
Minorx.y.0 changeUsually safe, test
Patchx.y.z changeSafe, minimal testing

Check Plugin Updates Too

bash
mvn versions:display-plugin-updates

2. Analyze Dependency Tree

Full Tree

bash
mvn dependency:tree

Filter for Specific Dependency

bash
mvn dependency:tree -Dincludes=org.slf4j

Find Conflicts

Look for:

code
[INFO] +- com.example:module-a:jar:1.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- com.example:module-b:jar:1.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:2.0.9:compile (omitted for conflict)

Flags:

  • (omitted for conflict) - Version conflict resolved by Maven
  • (omitted for duplicate) - Same version, no issue
  • Multiple versions of same library - Potential runtime issues

Analyze Unused Dependencies

bash
mvn dependency:analyze

Output:

code
[WARNING] Used undeclared dependencies found:
[WARNING]    org.slf4j:slf4j-api:jar:2.0.9:compile
[WARNING] Unused declared dependencies found:
[WARNING]    commons-io:commons-io:jar:2.11.0:compile

3. Security Vulnerability Scan

Option A: OWASP Dependency-Check (Recommended)

Add to pom.xml:

xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>9.0.7</version>
</plugin>

Run:

bash
mvn dependency-check:check

Output: HTML report in target/dependency-check-report.html

Option B: Maven Dependency Plugin

bash
mvn dependency:analyze-report

Option C: GitHub Dependabot

If using GitHub, enable Dependabot alerts in repository settings.

Severity Levels

CVSS ScoreSeverityAction
9.0 - 10.0CriticalUpdate immediately
7.0 - 8.9HighUpdate within days
4.0 - 6.9MediumUpdate within weeks
0.1 - 3.9LowUpdate at convenience

4. Generate Audit Report

Output Format

markdown
## Dependency Audit Report

**Project:** {project-name}
**Date:** {date}
**Total Dependencies:** {count}

### Security Issues

| Dependency | Current | CVE | Severity | Fixed In |
|------------|---------|-----|----------|----------|
| log4j-core | 2.14.0 | CVE-2021-44228 | Critical | 2.17.1 |

### Outdated Dependencies

#### Major Updates (Review Required)
| Dependency | Current | Latest | Notes |
|------------|---------|--------|-------|
| slf4j-api | 1.7.36 | 2.0.9 | API changes, see migration guide |

#### Minor/Patch Updates (Safe)
| Dependency | Current | Latest |
|------------|---------|--------|
| junit-jupiter | 5.9.0 | 5.10.1 |
| jackson-databind | 2.14.0 | 2.16.1 |

### Conflicts Detected
- slf4j-api: 1.7.36 vs 2.0.9 (resolved to 2.0.9)

### Unused Dependencies
- commons-io:commons-io:2.11.0 (consider removing)

### Recommendations
1. **Immediate:** Update log4j-core to fix CVE-2021-44228
2. **This sprint:** Update minor/patch versions
3. **Plan:** Evaluate slf4j 2.x migration

Common Scenarios

Scenario: Check Before Release

bash
# Quick check
mvn versions:display-dependency-updates -q

# Full audit
mvn versions:display-dependency-updates && \
mvn dependency:analyze && \
mvn dependency-check:check

Scenario: Find Why Dependency is Included

bash
mvn dependency:tree -Dincludes=commons-logging

Scenario: Force Specific Version (Resolve Conflict)

xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <version>2.0.9</version>
        </dependency>
    </dependencies>
</dependencyManagement>

Scenario: Exclude Transitive Dependency

xml
<dependency>
    <groupId>com.example</groupId>
    <artifactId>some-library</artifactId>
    <version>1.0</version>
    <exclusions>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Token Optimization

  • Use -q (quiet) flag for less verbose output
  • Filter with -Dincludes=groupId:artifactId when looking for specific deps
  • Run commands separately and summarize findings
  • Don't paste entire dependency tree - summarize conflicts

Quick Commands Reference

TaskCommand
Outdated depsmvn versions:display-dependency-updates
Outdated pluginsmvn versions:display-plugin-updates
Dependency treemvn dependency:tree
Find specific depmvn dependency:tree -Dincludes=groupId
Unused depsmvn dependency:analyze
Security scanmvn dependency-check:check
Update versionsmvn versions:use-latest-releases
Update snapshotsmvn versions:use-latest-snapshots

Update Strategies

Conservative (Recommended for Production)

  1. Update patch versions freely
  2. Update minor versions with basic testing
  3. Major versions require migration plan

Aggressive (For Active Development)

bash
# Update all to latest (use with caution!)
mvn versions:use-latest-releases
mvn versions:commit  # or versions:revert

Selective

bash
# Update specific dependency
mvn versions:use-latest-versions -Dincludes=org.junit.jupiter