Dependency-Check
5.2.1 Dependency-Check
OWASP Dependency-Check is a tool that provides Software Composition Analysis (SCA) from the command line. It identifies the third-party libraries in a web application project and checks whether these libraries have known vulnerabilities by consulting the NVD (National Vulnerability Database).
Dependency-Check is an OWASP Flagship project and can be downloaded from the GitHub releases area. Dependency-Check was started in September 2012 and has been continuously supported with regular releases since then.
What is Dependency-Check?
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency.
The core engine contains a series of analyzers that inspect the project dependencies and identify the CPE for each dependency. If a CPE is identified then it is cross-referenced against the NIST CVE database and any associated Common Vulnerabilities and Exposures (CVE) entries are listed in the report.
Dependency-Check’s core analysis engine can be used as:
- an Ant Task
- a Command Line Tool
- Gradle Plugin
- Jenkins Plugin
- Maven Plugin
- SBT Plugin
Why use it?
Checking for vulnerable components, ‘A06 Vulnerable and Outdated Components’, is in the OWASP Top Ten and is one of the most straightforward and effective security activities to implement. The Dependency-Check tool provides checks for vulnerable components that can be run from the command line.
This is useful for development teams; the ability to check for vulnerable application components from the command line gives immediate feedback to the developer without having to wait for a pipeline to run.
Dependency-Check also provides plugins to check for vulnerable components for CI/CD pipelines.
How to use it
The OWASP Spotlight series provides an example of the risks involved in using out of date and vulnerable libraries, and how to use Dependency-Check: ‘Project 2 - OWASP Dependency Check’.
Refer to the Dependency-Check documentation to get started running from the command line:
- ensure Java is installed, for example from Eclipse Adoptium
- download and unzip the latest Dependency-Check release
- navigate to the Dependency-Check ‘bin’ directory and run, using Threat Dragon as an example:
./dependency-check.sh --project "Threat Dragon" --scan ~/github/threat-dragon
- open the html output file and act on the findings
The command line is useful for immediate feedback during development. Depending on what automation environment is in place, a plugin can also be installed into a pipeline which can then generate the SCA reports.
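As an added example (not from the Developer Guide or the Dependency-Check project), the following Python script shows what "act on the findings" can look like once scripted: it reads the JSON report that `--format JSON` writes, lists every CVE per dependency, and returns a non-zero exit code when any finding meets a CVSS threshold, the same idea as the tool's own `--failOnCVSS` option. The report layout it relies on (`dependencies[].fileName`, `vulnerabilities[].name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) is an assumed, simplified version of the real report schema, and the embedded report is constructed sample data, not real scan output.

```python
import json
import sys

# Constructed sample report in the (simplified, assumed) layout that
# `dependency-check.sh --format JSON` writes. Not real scan output.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "Threat Dragon"},
    "dependencies": [
        {"fileName": "example-lib-a-1.2.3.jar", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.4}},
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
             "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "example-lib-b-2.0.0.tgz"},  # clean: no "vulnerabilities" key
        {"fileName": "old-lib-1.0.0.jar", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0003", "severity": "CRITICAL",
             "cvssv2": {"score": 10.0}},  # older entry with a CVSSv2 score only
        ]},
    ],
})

def score_of(vuln):
    """Return the CVSS base score of a finding, preferring v3 and falling back to v2."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))

def findings(report_text, threshold):
    """Return (dependency, cve, score) for every finding at or above the threshold, worst first."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):  # dependencies without findings are skipped
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

def gate(report_text, threshold=7.0):
    """Print the findings and return the exit code: 1 if anything meets the threshold, else 0."""
    hits = findings(report_text, threshold)
    for dep, cve, score in hits:
        print(f"{score:4.1f}  {cve:18}  {dep}")
    return 1 if hits else 0

if __name__ == "__main__":
    # Pass the path of a real JSON report to check it; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Run it after `./dependency-check.sh --project "Threat Dragon" --scan ~/github/threat-dragon --format JSON` and point it at the generated report; a non-zero exit lets a pre-commit hook or pipeline step stop on findings at or above the chosen score.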
References
- OWASP Dependency-Check project
- OWASP Dependency-Check documentation
- OWASP CI/CD Security Cheat Sheet
- OWASP Top 10
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.