
Exclude JS libs from org.owasp dependency-check-maven


We use the following Maven Plugin to monitor our libraries that have security problems.

        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <configuration>
                <suppressionFiles>
                    <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
                </suppressionFiles>
            </configuration>
        </plugin>

At present, we only want to monitor our java libraries. There is a different team that is responsible for problems in the JS, which they monitor using a different process. My difficulty is that my Java-Lib monitoring aborts with errors every time that a JS problem is detected.

Is it possible to exclude the JS libs from the check entirely?


Solution

  • Unfortunately, that seems not to be possible. The best solution I found was to use the scanSet property to hard-define the directories which should be analysed, and then of course only define those paths that contain Java code.

    <configuration>
       <scanSet>
          <fileSet>
             <directory>src</directory>
          </fileSet>
       </scanSet>
    </configuration>
    

    See https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html for more info about 'scanSet' configuration.
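A fuller version of the plugin block, added here as an illustration and not taken from the question or the answer: it combines the suppression file from the question with a scanSet that names only the resource directory and uses standard Maven FileSet includes/excludes to keep JavaScript files and front-end dependency folders out of the scan. The scanSet governs the additional files dependency-check picks up beyond the project's Maven dependencies (its default set covers src/main/resources, src/main/filters and src/main/webapp, and the webapp directory is where bundled JavaScript usually lives, which is why narrowing it helps). The directory names and exclude patterns are assumptions about a typical layout, not values the page states.

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <!-- Known false positives, as in the question's configuration -->
        <suppressionFiles>
            <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Replace the default extra-file locations (which include
             src/main/webapp) with a single, explicitly chosen directory.
             Directory and patterns below are an assumed layout. -->
        <scanSet>
            <fileSet>
                <directory>src/main/resources</directory>
                <excludes>
                    <!-- Front-end artefacts monitored by the JS team -->
                    <exclude>**/*.js</exclude>
                    <exclude>**/*.min.js</exclude>
                    <exclude>**/node_modules/**</exclude>
                    <exclude>**/package.json</exclude>
                    <exclude>**/package-lock.json</exclude>
                </excludes>
            </fileSet>
        </scanSet>
    </configuration>
</plugin>
```

The Maven-declared Java dependencies are still analysed as before; only the set of loose files swept up from the source tree changes, so the build no longer fails on findings in checked-in JavaScript bundles.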