
disable org.owasp dependency-check-maven upon mvn clean install but enable during mvn clean site


I want to avoid running org.owasp dependency-check-maven when I run mvn clean install. On the other hand, I would like it to run on mvn clean site.

In my pom file, I have this code:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.4.2</version>
    <configuration>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <formats>
            <format>html</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

However, as of right now, a whole dependency check is run during mvn clean install:

[INFO] --- dependency-check:8.4.2:check (default) @ project ---
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Skipping Hosted Suppressions file update since last update was within 2 hours.
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[INFO] Check for updates complete (18 ms)

which is lengthy, and only needed when the whole site is needed.

How can I run the dependency check only for mvn site, and not for mvn clean install?


Solution

  • The plugin should only be defined in the reporting section actually

    Here is the official link to the doc https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
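
The layout the answer describes, as an added example that is not part of the original answer: the plugin is removed from `<build>` and declared under `<reporting>`, keeping the question's version and configuration. The `aggregate` report is an assumption taken from the site-report pattern in the plugin's documentation.

```xml
<!-- Added example: drop the <plugin> block (and its <executions>) from
     <build><plugins>, so nothing is bound to the install lifecycle. -->
<reporting>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>8.4.2</version>
            <configuration>
                <!-- Same settings as in the question's pom -->
                <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                <formats>
                    <format>html</format>
                </formats>
            </configuration>
            <reportSets>
                <reportSet>
                    <reports>
                        <!-- Assumption: report goal used in the plugin's
                             documented site example -->
                        <report>aggregate</report>
                    </reports>
                </reportSet>
            </reportSets>
        </plugin>
    </plugins>
</reporting>
```

With no execution left in `<build>`, `mvn clean install` no longer scans dependencies, so vulnerable-dependency findings surface only when `mvn clean site` runs; make sure that goal is part of the regular CI pipeline.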