dependency-check v1.0.7 released


Jeremy Long

Dec 3, 2013, 6:57:07 PM
to dependen...@googlegroups.com
All,

Last Sunday I pushed 1.0.6 and quickly realized there were two issues that needed to be fixed before a formal announcement of the new release. As such, 1.0.7 was released today (CLI, Ant, Maven, Jenkins)!

Summary of new features/improvements:
  • There is now a way to suppress findings. This is most easily done using the HTML report as it contains suppress buttons to help generate the necessary XML. However, the schema for the suppression file format is fairly simple and can be found here. It is fairly easy to create a suppression file; an example suppression file can be found in the test resources. Using the HTML report to generate the file is the easiest, but it also is limited to only suppressing specific CPE or CVE entries. It is also possible to generate a suppression filter for specific CWE entries or to filter out CVE entries with CVSS scores below a specified threshold.
    • In general, most false positives are generated due to incorrect CPE matches. As such, I would recommend suppressing false positive CPE entries for specific dependencies.
    • A general note about false positives - if you are scanning a WAR file that was obtained from a 3rd party I would suggest being very careful about suppressing/ignoring CVEs. When scanning JAR files the false positives are generally easy to figure out. However, I have seen exploded WAR files contained within a different WAR; there were resource JAR files that contained localized resources and these language packs had an odd CPE and related CVEs. The CPE looked like it was completely unrelated to the WAR file I had scanned; however, upon closer inspection of the CVEs and looking at the JSPs in the WAR file I was able to figure out that the findings were actually correct. I'm specifically being vague as the specific instance I have seen is available, still being used, but the CVEs are not correctly linked in the NVD yet (I'm still working to get things updated with the NVD). My general warning about suppression is just be careful when scanning 3rd party WAR files - the way dependency-check works it won't detect things if they are exploded and re-packaged.
  • The other improvement is related to the initial download of data from the NVD. I have multi-threaded the download so more than one file can be downloaded at a time and the processing of the files happens concurrently with downloads. Overall, a full download and processing of the NVD CVE data in version 1.0.5 took about 20 minutes on my machine; it now takes under 5 minutes. However, your bandwidth for the download still matters and could drastically affect performance. The good news is that if you run the tool at least once every seven days you only need to download and process a single small XML file to update the database (generally under 30 seconds).
The next features we will be implementing are the ability to use a shared database, such as a single shared DB on a central server. This will aid in keeping the data up-to-date in large organizations. We will also be making some minor changes to the XML report which *might* break compatibility with any parsers people have written, such as the ability to import these findings into ThreadFix (very cool tool and I would highly recommend checking it out if you do security assessments and/or have to manage the resulting risks). Lastly, I will be updating the license from GPLv3 to Apache 2.0. Once these three items have been completed we will begin working on an Enterprise Deployment Guide.

---Jeremy
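A suppression file of the shape the announcement above describes, as an added example that is not from the post or from the dependency-check project's own test resources. It assumes the element names `suppress`, `notes`, `sha1`, `filePath`, `cpe`, `cve`, `cwe` and `cvssBelow` and the namespace of the 1.x suppression schema (check them against the linked XSD); every hash, path, CPE and CVE value in it is a constructed placeholder. It follows the advice in the message: scope a CPE suppression to one dependency rather than to the whole scan.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own file. Namespace as used by the 1.x schema (assumption). -->
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">

  <!-- Recommended form: suppress a wrong CPE match for exactly one jar, identified by its
       SHA-1 (placeholder value). A different artifact that really is that product is still flagged. -->
  <suppress>
    <notes><![CDATA[
      utility jar matched to cpe:/a:example:product by name only; the jar is not that product.
      Reviewed 2013-12; revisit when the jar is upgraded.
    ]]></notes>
    <sha1>0000000000000000000000000000000000000000</sha1>
    <cpe>cpe:/a:example:product</cpe>
  </suppress>

  <!-- Scope by file path (regex) instead of hash, e.g. resource-only jars under WEB-INF/lib.
       Keep the pattern narrow: a broad pattern silently hides real findings in repackaged WARs. -->
  <suppress>
    <notes><![CDATA[Language-pack jars contain only resource bundles, no executable code.]]></notes>
    <filePath regex="true">.*[/\\]WEB-INF[/\\]lib[/\\]messages-[a-z]{2}\.jar</filePath>
    <cpe>cpe:/a:example:language_pack</cpe>
  </suppress>

  <!-- Narrowest form: one CVE on one file (placeholder CVE id). -->
  <suppress>
    <notes><![CDATA[CVE-XXXX-YYYY: affected code path is not shipped in this build (reviewed).]]></notes>
    <sha1>1111111111111111111111111111111111111111</sha1>
    <cve>CVE-XXXX-YYYY</cve>
  </suppress>

  <!-- Broad filters with no sha1/filePath apply to every dependency in the scan.
       Use these for report triage only, never as a substitute for a per-dependency review. -->
  <suppress>
    <notes><![CDATA[Hide findings of a weakness class the team tracks elsewhere.]]></notes>
    <cwe>NNN</cwe>
  </suppress>
  <suppress>
    <notes><![CDATA[Drop findings with a CVSS score below 4.0 from the report.]]></notes>
    <cvssBelow>4</cvssBelow>
  </suppress>
</suppressions>
```

The file is passed to the CLI, Ant, Maven or Jenkins integration as the suppression file; the `notes` element is free text, and recording who reviewed the finding and why makes the suppression auditable when the dependency or the NVD data later changes.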

Henri Gomez

Dec 6, 2013, 11:41:16 AM
to Jeremy Long, dependen...@googlegroups.com
Good news and good move.

Sharing CPE/CVE to common repository (whatever solution would be
used), will help DC to be used more heavily inside companies.

Congrats


Jacques Le Roux

Jan 12, 2014, 10:19:58 AM
to dependen...@googlegroups.com
Despite a few false positives this is very useful, thanks!

Jacques 