I want to avoid running org.owasp dependency-check-maven when I run mvn clean install. On the other hand, I would like it to run on mvn clean site.
In my pom file, I have this code:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.4.2</version>
    <configuration>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <formats>
            <format>html</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
However, as of right now, a whole dependency check is run during mvn clean install:
[INFO] --- dependency-check:8.4.2:check (default) @ project ---
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Skipping Hosted Suppressions file update since last update was within 2 hours.
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[INFO] Check for updates complete (18 ms)
which is lengthy, and only needed when the whole site is needed.
How to run dependency check only for mvn site, and not mvn clean install?
The plugin should only be defined in the reporting section actually.
Here is the official link to the doc: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
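
The layout the answer describes, as an added example that is not part of the original answer: the plugin entry with its `<executions>` block is removed from `<build>`, so nothing binds the check into the lifecycle that `mvn clean install` runs, and the plugin is declared under `<reporting>`, which `mvn site` processes. The `aggregate` report name follows the plugin documentation's site usage and is an assumption about which report is wanted here; the configuration values are carried over from the question's pom.

```xml
<project>
    <!-- ... other project elements unchanged ... -->

    <build>
        <plugins>
            <!--
                No dependency-check-maven entry here any more.
                The <executions>/<goal>check</goal> block in the question
                is what bound the scan into the normal build.
            -->
        </plugins>
    </build>

    <reporting>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>8.4.2</version>
                <!-- Same settings as in the question's pom -->
                <configuration>
                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                    <formats>
                        <format>html</format>
                    </formats>
                </configuration>
                <reportSets>
                    <reportSet>
                        <reports>
                            <!-- Report generated as part of the site
                                 (assumed choice, see lead-in) -->
                            <report>aggregate</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
        </plugins>
    </reporting>
</project>
```

With this layout the vulnerability scan no longer gates the regular build, so a pipeline that relies on the scan to fail on vulnerable dependencies has to run `mvn site` (or invoke the plugin goal directly) as its own step.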