OWASP Developer Guide

Dependency-Check

5.2.1 Dependency-Check

OWASP Dependency-Check is a tool that provides Software Composition Analysis (SCA) from the command line. It identifies the third-party libraries in a web application project and checks whether these libraries have known vulnerabilities using the NVD database.

Dependency-Check is an OWASP Flagship project and can be downloaded from the GitHub releases area. Dependency-Check was started in September 2012 and since then has been continuously supported with regular releases.

What is Dependency-Check?

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency.

The core engine contains a series of analyzers that inspect the project dependencies and identify the CPE for each dependency. If a CPE is identified then it is cross-referenced to the NIST CVE database and any associated Common Vulnerabilities and Exposures (CVE) entries are listed in the report.

Dependency-Check’s core analysis engine can be used as:

  • an Ant task
  • a command line tool
  • a Gradle plugin
  • a Jenkins plugin
  • a Maven plugin
  • an SBT plugin

Why use it?

Checking for vulnerable components, ‘A06 Vulnerable and Outdated Components’, is in the OWASP Top Ten and is one of the most straightforward and effective security activities to implement. The Dependency-Check tool provides checks for vulnerable components that can be run from the command line.

This is useful for development teams; the ability to check for vulnerable application components from the command line gives immediate feedback to the developer without having to wait for a pipeline to run.

Dependency-Check also provides plugins to check for vulnerable components for CI/CD pipelines.

How to use it

The OWASP Spotlight series provides an example of the risks involved in using out of date and vulnerable libraries, and how to use Dependency-Check: ‘Project 2 - OWASP Dependency Check’.

Refer to the Dependency-Check documentation to get started running from the command line:

  • ensure Java is installed, for example from Eclipse Adoptium
  • download and unzip the latest Dependency-Check release
  • navigate to the Dependency-Check ‘bin’ directory and run, using Threat Dragon as an example: ./dependency-check.sh --project "Threat Dragon" --scan ~/github/threat-dragon
  • open the html output file and act on the findings

The command line is useful for immediate feedback during development. Depending on what automation environment is in place, a plugin can also be installed into a pipeline, which can then generate the SCA reports.
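The steps above end with ‘open the html output file and act on the findings’, and in a pipeline the same report is what a build gate reads. The following is an added example, not code from the OWASP Developer Guide or the Dependency-Check project: a small Python script that triages a Dependency-Check JSON report (the report written when the scan is run with --format JSON) and decides whether a build should pass. It assumes the report layout that the tool emits: a top-level "dependencies" array whose entries carry "fileName" and an optional "vulnerabilities" array with "name", "severity" and a "cvssv3" or "cvssv2" object holding "baseScore". The embedded sample report and its CVE ids are constructed placeholders, not real findings.

```python
"""Triage a Dependency-Check JSON report and gate a build on it.

Added example, not part of the OWASP Developer Guide or Dependency-Check.
Assumed report layout (from the tool's JSON output): dependencies[] with
fileName and vulnerabilities[]; each vulnerability has name, severity and
an optional cvssv3/cvssv2 object with baseScore.
"""
import json
import sys
from typing import Dict, List, Tuple

# Rank order used to sort the worst findings to the top of the list.
SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def _score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0."""
    for key in ("cvssv3", "cvssv2"):
        block = vuln.get(key)
        if isinstance(block, dict) and "baseScore" in block:
            return float(block["baseScore"])
    return 0.0


def findings(report: dict) -> List[Tuple[str, str, str, float]]:
    """Flatten the report into (dependency file, CVE id, severity, score) rows."""
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "UNKNOWN")).upper()
            rows.append((dep.get("fileName", "?"), vuln.get("name", "?"), sev, _score(vuln)))
    # Worst first: the top of the list is what the developer should fix first.
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r[2], 0), r[3]), reverse=True)
    return rows


def summarize(report: dict) -> Dict[str, int]:
    """Count findings per severity bucket; unrecognised labels land in UNKNOWN."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for _, _, sev, _ in findings(report):
        counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def gate(report: dict, fail_on_cvss: float = 7.0) -> bool:
    """Return True when the build may pass: no finding scores at or above the threshold."""
    return all(score < fail_on_cvss for _, _, _, score in findings(report))


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.loads("""
{
  "reportSchema": "1.1",
  "projectInfo": {"name": "Threat Dragon"},
  "dependencies": [
    {"fileName": "example-lib-a-1.2.3.jar",
     "vulnerabilities": [
       {"name": "CVE-YYYY-EXAMPLE1", "severity": "HIGH",   "cvssv3": {"baseScore": 7.4}},
       {"name": "CVE-YYYY-EXAMPLE2", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}
     ]},
    {"fileName": "example-lib-b-2.0.0.jar"},
    {"fileName": "example-lib-c-0.9.1.jar",
     "vulnerabilities": [
       {"name": "CVE-YYYY-EXAMPLE3", "severity": "CRITICAL", "cvssv2": {"baseScore": 10.0}}
     ]}
  ]
}
""")


if __name__ == "__main__":
    # Usage: python triage.py [dependency-check-report.json] [cvss-threshold]
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    for file_name, cve, sev, score in findings(report):
        print(f"{sev:<9} {score:>4.1f}  {cve:<20} {file_name}")
    print("summary:", summarize(report))
    sys.exit(0 if gate(report, threshold) else 1)
```

The gate reproduces what the CLI's own --failOnCVSS option does natively; doing it in a script is useful when the pipeline also needs the sorted list, the per-severity counts, or a different policy such as ignoring findings below a given score in a specific module.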


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.