Dependency check and c, c++


Ian R

Feb 12, 2015, 6:52:30 PM
to dependen...@googlegroups.com
We are currently using Jenkins with Dependency check plug-in for our java app builds and it works wonderfully. Very soon, we plan to move another one of our apps, which is written in c, c++ to Jenkins. So, naturally we want to be able to utilize dependency check during those builds as well. However, I was not able to find out if DP will work on c and c++ builds.

Will dependency check be able to detect known vulnerabilities in c and c++ builds?

Thanks.

Steve Springett

Feb 12, 2015, 7:35:26 PM
to dependen...@googlegroups.com
Dependency-Check, and thus the Jenkins plugin, supports the analysis of various Java archives, NuGet nuspec, and .NET assemblies. All three of these have standardized methods of applying metadata to the files which Dependency-Check uses as evidence during analysis. If the C/C++ code is .NET, then yes, it will be supported. On non-Windows build machines you'll just need to install Mono and specify the path in Jenkins global configuration. No additional configuration is necessary on Windows machines - it just magically works.

I don't believe there's a standard way of applying metadata to old school C code built with make (or similar). One option would be to create your own parser, although this may prove to be extremely challenging. The other option is to use Dependency-Track.

(The OWASP wiki appears to be down. Be patient, I'm sure someone is working on it.)

Dependency-Track is a complementary tool to Dependency-Check (and actually embeds the Dependency-Check core engine). It's basically an asset management system for cataloging components. It uses its asset database as the sole source of evidence during a Dependency-Check analysis. The components could be anything from third-party libraries, applications, or entire operating systems; doesn't really matter.

Feel free to grab the sources, compile and deploy. The first public beta will be available next week.

--Steve
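To make the "write your own parser" option concrete, here is an added example (not Dependency-Check, Dependency-Track or Jenkins plugin code) of the kind of evidence collector a make-based C/C++ build would need. It pulls `-l<name>` tokens out of a Makefile and looks for library-specific version macros in vendored headers; the Makefile fragment, header excerpts and the `KNOWN` lookup table are constructed for the example. The table is the catch Steve describes: there is no standard place where a C library declares its name and version, so every component needs its own hand-written entry.

```python
"""Hand-rolled evidence collector for a make-based C/C++ build.

Added example, not Dependency-Check or Dependency-Track code. It turns
linker flags plus vendored headers into (component -> version) evidence,
which is roughly what the Java/NuGet/.NET analyzers get for free from
standardized metadata.
"""
import re

# Constructed sample input: a Makefile fragment and two header excerpts.
MAKEFILE = """
CFLAGS  = -O2 -Ithird_party/openssl/include -Ithird_party/zlib
LDFLAGS = -L/usr/local/lib
LDLIBS  = -lssl -lcrypto -lz -lpthread -lm
"""

HEADERS = {
    "third_party/openssl/include/openssl/opensslv.h":
        '#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1f 6 Jan 2014"\n',
    "third_party/zlib/zlib.h":
        '#define ZLIB_VERSION "1.2.8"\n',
}

# Hypothetical per-library knowledge: which -l names belong to which component
# and which macro carries that component's version. Every library needs its
# own entry because C has no standard way of declaring this metadata.
KNOWN = {
    "ssl":    ("openssl", r'OPENSSL_VERSION_TEXT\s+"OpenSSL\s+([\w.]+)'),
    "crypto": ("openssl", r'OPENSSL_VERSION_TEXT\s+"OpenSSL\s+([\w.]+)'),
    "z":      ("zlib",    r'ZLIB_VERSION\s+"([\w.]+)"'),
}

# Toolchain/libc libraries that are not third-party components to track.
SYSTEM_LIBS = {"pthread", "m", "dl", "rt", "c"}


def linked_libraries(makefile_text):
    """Return the ordered, de-duplicated list of -l<name> link targets."""
    names = []
    for tok in re.findall(r'(?<!\S)-l(\S+)', makefile_text):
        if tok not in names:
            names.append(tok)
    return names


def find_version(pattern, headers):
    """Search every header excerpt for the version macro; None if absent."""
    for text in headers.values():
        m = re.search(pattern, text)
        if m:
            return m.group(1)
    return None


def collect_evidence(makefile_text, headers):
    """Map each non-system linked library to a component and its version.

    Unknown libraries are kept under their -l name with version None so the
    gap is visible rather than silently dropped.
    """
    evidence = {}
    for lib in linked_libraries(makefile_text):
        if lib in SYSTEM_LIBS:
            continue
        if lib not in KNOWN:
            evidence.setdefault(lib, None)
            continue
        component, pattern = KNOWN[lib]
        if component not in evidence:
            evidence[component] = find_version(pattern, headers)
    return evidence


if __name__ == "__main__":
    for component, version in collect_evidence(MAKEFILE, HEADERS).items():
        print(f"{component}: {version or '<version not found>'}")
```

The output is only name/version evidence; feeding it to a vulnerability database (or into Dependency-Track's asset catalog) is a separate step, and any library missing from `KNOWN` surfaces with no version at all, which is exactly why this route scales poorly.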