Analyzing Vulnerabilities in Third Party Java Library using OWASP Dependency Check CLI
Almost every time we develop a Java application, we use third-party Java libraries. Before using a third-party library, it is important to check whether any known security vulnerabilities have been reported against it. For that, you can search the National Vulnerability Database and make sure the library is safe to use in your application. However, this is difficult to do manually when your application has many external dependencies. In that case, we can use the OWASP Dependency Check tool.
Below I explain how to use the OWASP Dependency Check command line tool to analyze external dependencies and generate a report of the known vulnerabilities it detects.
First we have to download the dependency-check tool and the Java libraries that you intend to use in your software. You can use the following link to download the dependency-check tool.
After you download the command line tool, you will find a directory called bin. Inside that bin directory there are two executable scripts: dependency-check.bat is for running the tool on Windows, and dependency-check.sh is for running it on Linux.
When you run OWASP Dependency Check for the very first time, it downloads the known vulnerabilities from the National Vulnerability Database (NVD) and stores this information in a local database. So the first run takes some time, as it has to download all the vulnerability details.
The following basic parameters are needed to run the CLI and get the report we want.
| Parameter | Description |
|---|---|
| --project | A name for the project; it appears in the report |
| --scan | The folder which contains the 3rd party dependency libraries |
| --out | The folder where the vulnerability analysis reports should be generated |
For Linux systems use this command (replace the angle-bracket placeholders with your own values):
./dependency-check.sh --project "<project name>" --scan <dependency folder> --out <report folder>
For Windows systems use this command:
dependency-check.bat --project "<project name>" --scan <dependency folder> --out <report folder>
Once you run Dependency Check against the folder where your project dependencies are, it generates the vulnerability analysis report.
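As an added example (not from the original post), here is a small Python gate that reads the generated report and fails the build when any finding is HIGH or CRITICAL. It assumes the scan was run with --format JSON (a real dependency-check option not covered above) and that the JSON report exposes dependencies[].fileName and dependencies[].vulnerabilities[].{name,severity}; the sample report below is constructed.

```python
"""Triage an OWASP Dependency Check JSON report (constructed sample data).

Added example, not part of the original post. It assumes the scan was run with
``--format JSON`` and that the report follows the tool's JSON layout:
``dependencies[].fileName`` and ``dependencies[].vulnerabilities[].{name, severity}``.
"""
import json

# Severity ranking used to decide whether a build should fail.
SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "demo-app"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH"},
                {"name": "CVE-0000-0002", "severity": "LOW"},
            ],
        },
        {"fileName": "clean-lib-2.3.jar"},  # no "vulnerabilities" key when clean
    ],
})

def summarize(report_json):
    """Map each vulnerable jar to its [(cve, SEVERITY), ...] findings."""
    report = json.loads(report_json)
    findings = {}
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if vulns:
            findings[dep["fileName"]] = [(v["name"], v["severity"].upper()) for v in vulns]
    return findings

def highest_severity(findings):
    """Worst severity label across all findings, or None for a clean scan."""
    worst = None
    for vulns in findings.values():
        for _, sev in vulns:
            if worst is None or SEVERITY_ORDER.get(sev, 0) > SEVERITY_ORDER.get(worst, 0):
                worst = sev
    return worst

def should_fail(findings, threshold="HIGH"):
    """True when any finding is at or above the threshold severity."""
    worst = highest_severity(findings)
    return worst is not None and SEVERITY_ORDER.get(worst, 0) >= SEVERITY_ORDER[threshold]
```

In a CI job, pass the real report file's contents to summarize() and exit non-zero when should_fail() returns True, so a newly published CVE against a dependency stops the build instead of shipping.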
S.H.M Lahiru Prabath Balasuriya.