At work, I wanted to check if there were any vulnerabilities in the JAVA libraries that were being used. This is when I remembered of an old project – OWASP Dependency-Check. I was pleasantly surprised to see that it was still being updated and maintained by Jeremy Long.
It really did work for me and I ended up updating the few libraries that were being used in my project!
What is OWASP Dependency-Check?
OWASP Dependency-Check is an open source project that allows you to identify the use of known vulnerable components in Java and .NET applications, while support for Python, Ruby, PHP (composer), CocoaPods, Swift Package Manager and Node.js applications is being actively evaluated. Limited support for C/C++ build systems (autoconf and cmake) is also present. It performs software composition analysis by collecting information about the files (file names, POM files, ZIP files, native libraries, .NET assemblies, package names, etc.) it scans from files such as Manifest.mf, pom.xml, and the package names, etc; within the JAR files. It also has heuristics in place, so that the information from the various sources into the report. This detected information is then matched against the NVD database.
Currently, the OWASP Dependency-Check core analysis engine can be used as:
- Ant Task
- Command Line Tool – On Windows, *NIX.
- Gradle Plugin
- Jenkins Plugin
- Maven Plugin – Maven 3.1 or newer (eg. mvn org.owasp:dependency-check-maven:check)
- SBT Plugin
The only problem that I observed with this approach is that it is false-negative prone. For example, what if a JAR file does not have a pom.xml, or what if the library name has been edited? The other problem is that this project identifies only known vulnerabilities. This fact is also known to the author and hence, he has added “hints” inside the report pointing it out to you!
How do you run OWASP Dependency-Check?
On my test Windows machine, I simply downloaded the standalone archive, pointed to it in the command prompt and boom!
dependency-check.bat -s C:\temp\ --project First
The open source project went on to check for updates and downloaded the necessary CVE information from NVD:
[INFO] Checking for updates [INFO] NVD CVE requires several updates; this could take a couple of minutes. [INFO] Download Started for NVD CVE - 2002 [INFO] Download Started for NVD CVE - 2004 [INFO] Download Started for NVD CVE - 2003 --- SNIP ---
After this was done, it started the database analysis and began scanning the project and within no time, it was done:
--- SNIP --- [INFO] Processing Complete for NVD CVE - 2016 (6379 ms) [INFO] Begin database maintenance. [INFO] End database maintenance. [INFO] Check for updates complete (208759 ms) [INFO] Analysis Started [INFO] Finished Archive Analyzer (5 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (0 seconds) [INFO] Finished Central Analyzer (16 seconds) [INFO] Finished Dependency Merging Analyzer (0 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Created CPE Index (1 seconds) [INFO] Finished CPE Analyzer (2 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished Cpe Suppression Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (1 seconds) [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) [INFO] Finished Dependency Bundling Analyzer (0 seconds) [INFO] Analysis Complete (27 seconds)
It saved a nice dependency-check-report.html in the bin directory containing all the evidence, artifacts, etc. A sample report can also be found on the project website here. All in all a very good project!
Download owasp dependency-check:
You can download OWASP Dependency-Check v1.4.5 here.