This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Dependency Check

From OWASP
Revision as of 03:03, 19 June 2013 by Jeremy.long (talk | contribs)

Jump to: navigation, search

The purpose of dependency-check is to help notify developers and security professionals of the problem discussed by Jeff Williams and Arshan Dabirsiaghi in their talk at AppSec DC 2012 titled "The Unfortunate Reality of Insecure Libraries". The gist of their presentation is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

Currently, dependency-check is (java) command line tool that scans directories and files. If it contains an Analyzer that can scan a particular file type then information from the file is collected. This information is then used to identify the Common Platform Enumeration (CPE). If a CPE is identified a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.

More information about dependency-check can be found on the github dependency-check site.