tradelaha.blogg.se

Free for mac instal Checkers !








Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

The OWASP Top 10 contains a new entry: A9-Using Components with Known Vulnerabilities. Dependency-Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled “Unfortunate Reality of Insecure Libraries”. The gist of the paper is that we as a development community include third-party libraries in our applications that contain well-known published vulnerabilities (such as those at the National Vulnerability Database).

Dependency-Check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies and collect pieces of information about them (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, the associated Common Vulnerabilities and Exposures (CVE) entries are listed in a report.








