Difference between revisions of "OWASP Dependency Check"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
=Main=
 +
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 +
 +
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 +
==OWASP XXX==
 +
 +
OWASP XXX is...
 +
 +
==Introduction==
 +
 
The OWASP Top 10 2013 contains a new entry: [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities A9 - Using Components with Known Vulnerabilities]. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify any known vulnerable components.
 
The OWASP Top 10 2013 contains a new entry: [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities A9 - Using Components with Known Vulnerabilities]. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify any known vulnerable components.
  
Line 8: Line 21:
  
 
More information about dependency-check can be found on the [http://jeremylong.github.io/DependencyCheck/ dependency-check github pages]. Additionally, the source could can be found on [https://github.com/jeremylong/DependencyCheck github].
 
More information about dependency-check can be found on the [http://jeremylong.github.io/DependencyCheck/ dependency-check github pages]. Additionally, the source could can be found on [https://github.com/jeremylong/DependencyCheck github].
 +
 +
 +
==Description==
 +
 +
Write a description that is just a few paragraphs long
 +
 +
 +
==Licensing==
 +
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 +
 +
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 +
== What is XXX? ==
 +
 +
OWASP XXX  provides:
 +
 +
* xxx
 +
* xxx
 +
 +
 +
== Presentation ==
 +
 +
Link to presentation
 +
 +
 +
 +
 +
== Project Leader ==
 +
 +
Project leader's name
 +
 +
 +
== Related Projects ==
 +
 +
* [[OWASP_CISO_Survey]]
 +
 +
 +
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 +
== Quick Download ==
 +
 +
* Link to page/download
 +
 +
 +
 +
== News and Events ==
 +
* [20 Nov 2013] News 2
 +
* [30 Sep 2013] News 1
 +
 +
 +
== In Print ==
 +
This project can be purchased as a print on demand book from Lulu.com
 +
 +
 +
==Classifications==
 +
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 +
|}
 +
 +
=FAQs=
 +
 +
; Q1
 +
: A1
 +
 +
; Q2
 +
: A2
 +
 +
= Acknowledgements =
 +
==Volunteers==
 +
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 +
* xxx
 +
* xxx
 +
 +
==Others==
 +
* xxx
 +
* xxx
 +
 +
= Road Map and Getting Involved =
 +
As of XXX, the priorities are:
 +
* xxx
 +
* xxx
 +
* xxx
 +
 +
Involvement in the development and promotion of XXX is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* xxx
 +
* xxx
 +
 +
  
 
=Project About=
 
=Project About=
{{:Projects/OWASP_Dependency_Check}}  
+
{{:Projects/OWASP_Dependency_Check}}
 +
 
 +
__NOTOC__ <headertabs />
  
[[Category:OWASP Project]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]

Revision as of 13:27, 20 January 2014

[edit]

OWASP Project Header.jpg

OWASP XXX

OWASP XXX is...

Introduction

The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "The Unfortunate Reality of Insecure Libraries". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.

More information about dependency-check can be found on the dependency-check github pages. Additionally, the source could can be found on github.


Description

Write a description that is just a few paragraphs long


Licensing

OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


What is XXX?

OWASP XXX provides:

  • xxx
  • xxx


Presentation

Link to presentation



Project Leader

Project leader's name


Related Projects


Quick Download

  • Link to page/download


News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1


In Print

This project can be purchased as a print on demand book from Lulu.com


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Q1
A1
Q2
A2

Volunteers

XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • xxx
  • xxx

Others

  • xxx
  • xxx

As of XXX, the priorities are:

  • xxx
  • xxx
  • xxx

Involvement in the development and promotion of XXX is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • xxx
  • xxx


OWASP Project Header.jpg

OWASP Dependency-Check

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java and .NET dependencies are supported; however, support for Node.JS, client side JavaScript libraries, etc. is planned. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.

Introduction

The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "The Unfortunate Reality of Insecure Libraries". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more, if you run the tool at least once every seven days only a small XML file needs to be downloaded to keep the local copy of the data current.

Quick Download

Version 1.2.3

Links

Documentation

Mailing List

Presentation

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Volunteers

Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:

As of May 2014, the top priorities are:

  • Resolving all open github issues/feature requests
  • Improving analysis for .NET Dlls
  • Implementing a JavaScript analyzer to support both Node.js and JavaScript libraries such as jquery

Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:

  • Use the tool
  • Provide feedback via the mailing list or by creating github issues (both bugs and feature requests are encouraged)
  • The project source code is hosted on github - if you are so inclined fork it and provide push requests!