Difference between revisions of "OWASP Dependency Check"
From OWASP
m (→Quick Download) |
m |
Line 9: | Line 9: | ||
==Introduction== | ==Introduction== | ||
− | The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency | + | The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components. |
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]). | The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]). | ||
− | Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [ | + | Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [https://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report. |
− | Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more | + | Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current. |
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | | ||
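Review bot: the new right-hand paragraph on "Line 9" still has two grammar problems that the revision carried over rather than fixed. "The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information" is missing a conjunction; suggest "that inspect the project dependencies and collect pieces of information". "a listing of associated ... CVE entries are listed in a report" is redundant and its subject ("a listing") is singular; suggest "the associated ... CVE entries are listed in the report". The completion of the previously truncated sentence ("Dependency" -> "Dependency Check can currently be used to scan applications ...") and of the NVD-update note ("ten minutes or more. If you run the tool at least once every seven days ...") is otherwise correct and reads well.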
Line 69: | Line 69: | ||
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]] | | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]] | ||
|- | |- | ||
− | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link= | + | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=https://creativecommons.org/licenses/by-sa/3.0/]] |
|- | |- | ||
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] | ||
Line 87: | Line 87: | ||
As of March 2015, the top priorities are: | As of March 2015, the top priorities are: | ||
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests] | * Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests] | ||
− | * Improving analysis for .NET | + | * Improving analysis for .NET DLLs |
− | Involvement in the development and promotion of dependency-check is actively encouraged! | + | Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help: |
− | You do not have to be a security expert in order to contribute. How you can help: | ||
* Use the tool | * Use the tool | ||
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged) | * Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged) |
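Review bot: the "Line 87" hunk merges the two contribution sentences into one paragraph and completes "Improving analysis for .NET" to ".NET DLLs", both fine, but the priorities list is still introduced with "As of March 2015", which will go stale without a pointer to where the current roadmap lives; suggest linking that phrase to the open github issues page that is already cited in the first bullet so readers can check the live list.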