OWASP SafeNuGet

From OWASP
Revision as of 12:26, 23 June 2013 by Eoftedal (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "The Unfortunate Reality of Insecure Libraries". The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

OWASP SafeNuGet is an MSBuild task which will warn developers if they are using NuGet packages with known vulnerabilities.

More information about dependency-check can be found on the Github SafeNuGet site.

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP SafeNuGet (home page)
Purpose: OWASP SafeNuGet is an MsBuild task to warn about the use of NuGet libraries with known vulnerabilities.
License: GNU GPL v3 License
who is working on this project?
Project Leader(s):
  • Erlend Oftedal @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [N/A Mailing List Archives]
Project Roadmap: View
Main links:
Key Contacts
  • Contact Erlend Oftedal @ to contribute to this project
  • Contact Erlend Oftedal @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
The latest release is found here: http://nuget.org/packages/SafeNuGet/

The code is here: http://github.com/OWASP/SafeNuGet/

last reviewed release
Not Yet Reviewed


other releases