Analyzing Vulnerabilities in Third Party Library using OWASP Dependency Check CLI


Almost all the time we use Java libraries when developing our Java applications or software. Before using a 3rd party library, it is important to check whether there are any known security vulnerabilities reported against it. For that, you can search the National Vulnerability Database [2] and make sure it is safe to use the library in your application. However, doing this manually is difficult when your application has many external dependencies. In that case we can use the OWASP Dependency Check tool [2].

Below I explain how to use the OWASP Dependency Check command line tool to analyze external dependencies and generate a report of the known vulnerabilities it detects.


First we have to download the dependency-check tool and the Java library that you intend to use in your software. You can use the following link to download the dependency-check tool.

After you download the command line tool, there is a directory called bin; inside that bin directory you can find two executable script files. The dependency-check.bat file runs the tool on Windows and the dependency-check.sh file runs it on Linux.


When you run OWASP Dependency Check for the very first time, it downloads the known vulnerabilities from the National Vulnerability Database (NVD) and maintains this information in a local database. So the very first run takes some time, as it has to download all the vulnerability details.


The following basic parameters are needed to execute the CLI and get the outcome we want.

Parameter   Description
--project   A name for the project; it appears in the generated report
--scan      The folder which contains the 3rd party dependency libraries
--out       The folder where the vulnerability analysis reports are generated

For a Linux system, use this command:

./dependency-check.sh --project "<project name>" --scan <dependency folder> --out <report folder>

For a Windows system, use this command:

dependency-check.bat --project "<project name>" --scan <dependency folder> --out <report folder>

  • Once you run Dependency Check against the folder containing your project dependencies, it generates the vulnerability analysis report in the output folder.
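As an added example (not code from the original post or from the OWASP project), the following shell script wraps the command shown above, checks that the scan folder exists before starting, and reads the CSV report back so a build can fail when a finding at or above a chosen severity is present. It assumes two things this post does not mention: that the CLI accepts --format CSV, and that the CSV report's header row names columns CVE and CVSSv3_BaseSeverity. Column positions are looked up from the header, so if the installed version names them differently the functions report the mismatch instead of silently counting the wrong column.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OWASP project.
# Wraps the CLI invocation described above and turns the CSV report it writes
# into a pass/fail gate for a build.
# Assumptions not stated on the page: the CLI accepts "--format CSV", and the
# CSV header row contains columns named CVE and CVSSv3_BaseSeverity. Column
# positions are resolved from the header so a mismatch fails loudly.

DC_SCRIPT="${DC_SCRIPT:-./dependency-check.sh}"   # path to the script in bin/

# Print the exact command line for review; nothing is executed here.
dc_command() {
    printf '%s --project "%s" --scan "%s" --out "%s" --format CSV\n' \
        "$DC_SCRIPT" "$1" "$2" "$3"
}

# Run the scan for real. Refuses to start if the dependency folder is missing,
# which is the usual reason for an empty report.
run_scan() {
    project="$1"; scan_dir="$2"; out_dir="$3"
    [ -d "$scan_dir" ] || { echo "scan folder not found: $scan_dir" >&2; return 2; }
    mkdir -p "$out_dir"
    "$DC_SCRIPT" --project "$project" --scan "$scan_dir" --out "$out_dir" --format CSV
}

# Count report rows whose CVSSv3 severity is at or above min_sev
# (LOW, MEDIUM, HIGH or CRITICAL). Fields are split on the quote-comma-quote
# sequence, so a plain comma inside a quoted description does not break a row.
count_findings() {
    report="$1"; min_sev="$2"
    awk -v min="$min_sev" '
        BEGIN {
            FS = "\",\""
            rank["LOW"] = 1; rank["MEDIUM"] = 2; rank["HIGH"] = 3; rank["CRITICAL"] = 4
            min = toupper(min)
            if (!(min in rank)) { print "unknown severity: " min > "/dev/stderr"; bad = 1; exit 2 }
        }
        NR == 1 {
            gsub(/^"|"$/, "")                      # drop the outer quotes, re-split
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("CVE" in col) || !("CVSSv3_BaseSeverity" in col)) {
                print "report lacks CVE/CVSSv3_BaseSeverity columns" > "/dev/stderr"
                bad = 1; exit 3
            }
            next
        }
        {
            gsub(/^"|"$/, "")
            s = col["CVSSv3_BaseSeverity"]
            if (rank[toupper($s)] >= rank[min]) n++
        }
        END { if (!bad) print n + 0 }
    ' "$report"
}

# Build gate: non-zero exit when any finding meets the threshold (default HIGH).
gate_report() {
    report="$1"; threshold="${2:-HIGH}"
    n=$(count_findings "$report" "$threshold") || return $?
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n finding(s) rated $threshold or above in $report" >&2
        return 1
    fi
    echo "PASS: no findings rated $threshold or above in $report"
}

# Constructed sample report (not real tool output) so the gate can be tried
# offline; the CVE ids, jar names and paths are placeholders.
write_sample_report() {
    cat > "$1" <<'EOF'
"Project","ScanDate","DependencyName","DependencyPath","Description","CVE","CVSSv3_BaseSeverity","CVSSv3_BaseScore"
"demo","2024-01-01","lib-a-1.0.jar","/deps/lib-a-1.0.jar","Sample, with a comma","CVE-0000-0001","HIGH","7.5"
"demo","2024-01-01","lib-a-1.0.jar","/deps/lib-a-1.0.jar","Sample, with a comma","CVE-0000-0002","MEDIUM","5.3"
"demo","2024-01-01","lib-b-2.0.jar","/deps/lib-b-2.0.jar","Another","CVE-0000-0003","CRITICAL","9.8"
EOF
}
```

Source the script, then call `run_scan myproject ./lib ./reports` and afterwards `gate_report ./reports/dependency-check-report.csv HIGH` (dependency-check-report.csv is the assumed default CSV file name in the output folder). Calling `gate_report` with the threshold you are willing to ship with, rather than reading the HTML report by eye, is what makes the scan useful in a build pipeline.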


Dependency-Check Report - Opera3

S.H.M Lahiru Prabath Balasuriya.

