|
|
Line 6: |
Line 6: |
| | leader_name1 =Jeremy Long | | | leader_name1 =Jeremy Long |
| | | |
| + | | contributor_name1 =Steve Springett |
| + | |
| | mailing_list_name = https://groups.google.com/forum/?fromgroups#!forum/dependency-check | | | mailing_list_name = https://groups.google.com/forum/?fromgroups#!forum/dependency-check |
| | project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Dependency_Check/Roadmap | | | project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Dependency_Check/Roadmap |
− |
| |
| | links_url1 = https://github.com/jeremylong/DependencyCheck | | | links_url1 = https://github.com/jeremylong/DependencyCheck |
| | links_name1 = https://github.com/jeremylong/DependencyCheck | | | links_name1 = https://github.com/jeremylong/DependencyCheck |
| }} | | }} |
PROJECT INFO What does this OWASP project offer you?
|
RELEASE(S) INFO What releases are available for this project?
|
what
|
is this project?
|
Name: OWASP Dependency Check (home page)
|
Purpose: dependency-check is a utility that identifies project dependencies and checks if there are any known, publicaly disclosed, vulnerabilities. Currently only Java projects are supported; however, .NET, Node.JS, client side JavaScript libraries, etc. is planned. This tool can be part of the solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities
|
License: GNU GPL v3 License
|
who
|
is working on this project?
|
Project Leader(s):
|
Project Contributor(s):
|
how
|
can you learn more?
|
Project Pamphlet: Not Yet Created
|
Project Presentation:
|
Mailing list: Mailing List Archives
|
Project Roadmap: View
|
Main links:
|
Key Contacts
|
|
- Contact Jeremy Long @ to contribute to this project
- Contact Jeremy Long @ to review or sponsor this project
|
|
current release
|
|
=Main=
OWASP Dependency-Check
Dependency-Check is a software composition analysis utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities previously known as OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities.
Introduction
The OWASP Top 10 2013 contains a new entry: A9-Using Components with Known Vulnerabilities. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "Unfortunate Reality of Insecure Libraries". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.
Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small JSON file needs to be downloaded to keep the local copy of the data current.
|
Quick Download
Version 5.3.0
Other Plugins
Integrations
Links
Documentation
Mailing List
Presentation
Classifications
|
|
|
last reviewed release
|
Not Yet Reviewed
|
|
|