Difference between revisions of "OWASP Dependency Check"

From OWASP
Jump to: navigation, search
m (Changed classification)
(44 intermediate revisions by 5 users not shown)
Line 2: Line 2:
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 
==OWASP Dependency-Check==
 
==OWASP Dependency-Check==
  
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.  Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities A9 - Using Components with Known Vulnerabilities].
+
Dependency-Check is a software composition analysis utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.  Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities]] previously known as [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities]].
  
 
==Introduction==
 
==Introduction==
  
The OWASP Top 10 2013 contains a new entry: [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities A9 - Using Components with Known Vulnerabilities]. Dependency-check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.
+
The OWASP Top 10 2013 contains a new entry: [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.
  
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[http://www1.contrastsecurity.com/the-unfortunate-reality-of-insecure-libraries?&__hssc=92971330.1.1412763139545&__hstc=92971330.5d71a97ce2c038f53e4109bfd029b71e.1412763139545.1412763139545.1412763139545.1&hsCtaTracking=7bbb964b-eac1-454d-9d5b-cc1089659590%7C816e01cf-4d75-449a-8691-bd0c6f9946a5 The Unfortunate Reality of Insecure Libraries]" (registration required). The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [http://web.nvd.nist.gov/view/vuln/search National Vulnerability Database]).
+
The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf Unfortunate Reality of Insecure Libraries]". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the [https://nvd.nist.gov/vuln/search National Vulnerability Database]).
  
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [http://nvd.nist.gov/cpe.cfm Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [http://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.
+
Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the [https://nvd.nist.gov/products/cpe Common Platform Enumeration (CPE)] for the given dependency. If a CPE is identified, a listing of associated [https://cve.mitre.org/ Common Vulnerability and Exposure (CVE)] entries are listed in a report.
  
Dependency-check automatically updates itself using the [http://nvd.nist.gov/download.cfm NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.
+
Dependency-check automatically updates itself using the [https://nvd.nist.gov/vuln/data-feeds NVD Data Feeds] hosted by NIST. '''IMPORTANT NOTE:''' The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.
  
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
 
== Quick Download ==
 
== Quick Download ==
  
Version 1.3.5
+
Version 5.2.1
* [http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.3.5-release.zip Command Line]
+
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.2.1-release.zip Command Line]
* [http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-1.3.5-release.zip Ant Task]
+
* [https://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-5.2.1-release.zip Ant Task]
* [http://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C1.3.5%7Cmaven-plugin Maven Plugin]
+
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C5.2.1%7Cmaven-plugin Maven Plugin]
* [https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin Jenkins Plugin]
+
* [https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C5.2.1%7Cgradle-plugin Gradle Plugin]
* [http://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code>
+
* [https://brew.sh/ Mac Homebrew]:<br><code>brew update && brew install dependency-check</code>
 +
 
 +
Other Plugins
 +
* [https://plugins.jenkins.io/dependency-check-jenkins-plugin Jenkins Plugin]
 +
* [https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22 sbt Plugin]
 +
* [https://github.com/livingsocial/lein-dependency-check lein-dependency-check]
  
 
== Integrations ==
 
== Integrations ==
* [https://github.com/stevespringett/dependency-check-sonar-plugin SonarQube Plugin]
+
* [https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin SonarQube Plugin]
 +
* [https://github.com/entur/owasp-orb Circle CI Orb]
  
 
== Links ==
 
== Links ==
  
* [https://github.com/jeremylong/DependencyCheck Github]
+
* [https://github.com/jeremylong/DependencyCheck github]
 +
* [https://github.com/jeremylong/dependency-check-gradle gradle source]
 +
* [https://github.com/albuch/sbt-dependency-check sbt source]
 +
* [https://github.com/jenkinsci/dependency-check-plugin jenkins source]
 
* [https://www.ohloh.net/p/dependencycheck Ohloh]
 
* [https://www.ohloh.net/p/dependencycheck Ohloh]
 
* [https://bintray.com/jeremy-long/owasp Bintray]
 
* [https://bintray.com/jeremy-long/owasp Bintray]
Line 39: Line 48:
 
== Documentation ==
 
== Documentation ==
  
* [http://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]
+
* [https://jeremylong.github.io/DependencyCheck/ Documentation (on GitHub)]
  
 
== Mailing List ==
 
== Mailing List ==
Line 49: Line 58:
 
== Presentation ==
 
== Presentation ==
  
* [http://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]
+
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf dependency-check (PDF)]
* [http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check  (PPTX)]
+
* [https://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx dependency-check  (PPTX)]
  
 
==Classifications==
 
==Classifications==
Line 56: Line 65:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=https://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
 
   |}
 
   |}
  
Line 79: Line 88:
 
As of March 2015, the top priorities are:
 
As of March 2015, the top priorities are:
 
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]
 
* Resolving all open [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues/feature requests]
* Improving analysis for .NET Dlls
 
  
Involvement in the development and promotion of dependency-check is actively encouraged!
+
Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:
You do not have to be a security expert in order to contribute. How you can help:
 
 
* Use the tool
 
* Use the tool
 
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)
 
* Provide feedback via the [https://groups.google.com/forum/?fromgroups#!forum/dependency-check mailing list] or by creating [https://github.com/jeremylong/DependencyCheck/issues?state=open github issues] (both bugs and feature requests are encouraged)
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide push requests!
+
* The project source code is hosted on [https://github.com/jeremylong/DependencyCheck/ github] - if you are so inclined fork it and provide pull requests!
  
  
__NOTOC__ <headertabs />  
+
__NOTOC__ <headertabs></headertabs>  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]   
 +
[[Category:OWASP_Document]]

Revision as of 06:06, 4 August 2019

Flagship big.jpg

OWASP Dependency-Check

Dependency-Check is a software composition analysis utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities previously known as OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities.

Introduction

The OWASP Top 10 2013 contains a new entry: A9-Using Components with Known Vulnerabilities. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "Unfortunate Reality of Insecure Libraries". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.

Quick Download

Version 5.2.1

Other Plugins

Integrations

Links

Documentation

Mailing List

Presentation

Classifications

Owasp-flagship-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Volunteers

Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:

As of March 2015, the top priorities are:

Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:

  • Use the tool
  • Provide feedback via the mailing list or by creating github issues (both bugs and feature requests are encouraged)
  • The project source code is hosted on github - if you are so inclined fork it and provide pull requests!