OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

About OWASP Dependency-Check

Introduction

The OWASP Top 10 2013 contained a new entry: A9-Using Components with Known Vulnerabilities. Dependency-Check was created as one of the earliest SCA tools to scan applications (and their dependent libraries) and identify any known vulnerable components. The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, “Unfortunate Reality of Insecure Libraries”. The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database). Dependency-Check has a command line interface, a Maven plugin, a Gradle plugin, an Ant task and a number of integrations with build tooling such as Jenkins, GitHub Actions and Azure DevOps. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report. Other 3rd party services and data sources such as the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit are utilized for specific technologies. Dependency-Check automatically updates itself using the NVD Data Feeds hosted by NIST. ‘'’IMPORTANT NOTE:’’’ The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small JSON file needs to be downloaded to keep the local copy of the data current.

• https://www.scribd.com/document/175866686/Aspect-Security-the-Unfortunate-Reality-of-Insecure-Libraries

• https://nvd.nist.gov/vuln/search

• https://nvd.nist.gov/products/cpe

• https://www.cve.org/

• https://nvd.nist.gov/vuln/data-feeds

Project Resources

• Unfortunate Reality of Insecure Libraries

• National Vulnerability Database

• Common Platform Enumeration (CPE)

• Common Vulnerability and Exposure (CVE)

• lein-dependency-check

• SonarQube Plugin

• Circle CI Orb

Project Leaders

@media

Project Information

Corporate Supporters

OWASP is a nonprofit foundation improving software security through open-source projects, global communities, and education. All resources are free and open to everyone.

OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc.