Dependency on Central Repository


George C.

Jul 20, 2015, 3:26:08 PM
to dependen...@googlegroups.com
How much of the analysis depends on Central Repository? I'm trying to set up Dependency Check behind a firewall. I managed to schedule the import of the NVD, but when I ran a scan on some of our setups, the majority fail to be identified (i.e. no CPE assigned). For example, scanning a typical Tomcat setup, out of 69 jars only 5 were identified. Among the unidentified are ant.jar, most of commons-*, and catalina.jar. The evidence count on these ranges between 3-8; a few go as high as 12-17, but unfortunately no CPE is assigned.

Yes, I do realize that Central Repo is needed, but I did not expect it to be to such an extent. Or is there something else I might be doing wrong? No obvious errors in the logs either, apart from the failed connection to Central Repo and GitHub where it tries to check the latest version.

Any help will be appreciated!

Jeremy Long

Jul 21, 2015, 9:01:45 AM
to George C., dependen...@googlegroups.com
George,

Central is used for two things - first to pull the GAV and add that as evidence. In addition, if the JAR is in Central and a local copy of the pom.xml file does not exist (i.e. contained within the JAR itself) then dependency-check will attempt to download the pom.xml and use additional information contained within for identification.

Not all JARs scanned have CPE identifiers. In fact, the only JAR files that do have CPE identifiers have associated CVEs. The fact that a library was not identified as having a CPE means dependency-check was unable to identify any known vulnerabilities in the library (where "known"=published in the NVD). You can do a few quick manual checks by searching the NVD for the "non-identified" libraries to see if you are running into any false negatives (and if you do find false negatives - please report them).

Best Regards,

Jeremy Long



George Chorny

Jul 21, 2015, 10:20:39 AM
to Jeremy Long, dependen...@googlegroups.com
OK, that sounds reassuring. Thank you for the prompt response!

So tl;dr - Central Repository is needed for additional evidence to avoid false negatives. 

What would be the confidence level drop if we disable Central Repository analyzer? 

Thanks
George 

Jeremy Long

Jul 21, 2015, 7:16:33 PM
to George Chorny, dependen...@googlegroups.com
George,

Unfortunately, I haven't tried to scan a large repository with and without the CentralAnalyzer being enabled. As such, I am unable to answer your question as to how many JAR files do not contain pom.xml files where the POM hosted on Central contains more than the minimum GAV. The only one I know of is that some of the Spring libraries have a full pom.xml (containing Vendor, Description, etc. entries in the pom.xml in Central); because Spring is built with Gradle there is no pom.xml embedded in the JAR.

--Jeremy
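As an added example (not code from the dependency-check project or from either poster), the following Python script gives a firewalled site a way to estimate what Jeremy describes: which JARs in a directory carry their own META-INF/maven/.../pom.xml (so the POM evidence is available offline) and which do not (so the only POM evidence would have to be downloaded from Central), along with the GAV read from an embedded pom.properties and the SHA-1 that the Central lookup is keyed on. The two JARs it inspects are constructed in a temporary directory for the demonstration; names such as with-pom.jar, no-pom.jar and org.example are made up.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Maven writes its build metadata under META-INF/maven/<groupId>/<artifactId>/.
POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$")
PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def parse_pom_properties(text):
    """Parse the key=value pom.properties file Maven embeds in a JAR."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return kv


def inspect_jar(path):
    """Report whether a JAR carries its own pom.xml and, if possible, its GAV.

    Hypothetical helper for estimating Central dependence; not dependency-check's code.
    """
    path = Path(path)
    # The Central lookup is keyed on the artifact's SHA-1, so record it per JAR.
    sha1 = hashlib.sha1(path.read_bytes()).hexdigest()
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_pom = any(POM_RE.match(n) for n in names)
        props_name = next((n for n in names if PROPS_RE.match(n)), None)
        gav = None
        if props_name is not None:
            kv = parse_pom_properties(zf.read(props_name).decode("utf-8", "replace"))
            if all(k in kv for k in ("groupId", "artifactId", "version")):
                gav = (kv["groupId"], kv["artifactId"], kv["version"])
    return {"name": path.name, "sha1": sha1, "embedded_pom": has_pom, "gav": gav}


def triage(jar_dir):
    """Classify every *.jar in jar_dir.

    Returns (all results, names of JARs whose POM evidence could only come from Central).
    """
    results = [inspect_jar(p) for p in sorted(Path(jar_dir).glob("*.jar"))]
    needs_central_pom = [r["name"] for r in results if not r["embedded_pom"]]
    return results, needs_central_pom


def build_sample_jars(target_dir):
    """Write two constructed JARs (sample data, not real artifacts) into target_dir."""
    target = Path(target_dir)
    # JAR 1: Maven-built, so pom.properties and pom.xml are embedded.
    with zipfile.ZipFile(target / "with-pom.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.example/with-pom/pom.properties",
                    "#Generated by Maven\ngroupId=org.example\nartifactId=with-pom\nversion=1.2.3\n")
        zf.writestr("META-INF/maven/org.example/with-pom/pom.xml",
                    "<project><groupId>org.example</groupId><artifactId>with-pom</artifactId>"
                    "<version>1.2.3</version></project>")
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")
    # JAR 2: no Maven metadata at all (the Gradle-built case Jeremy mentions).
    with zipfile.ZipFile(target / "no-pom.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Title: no-pom\n")
        zf.writestr("org/example/Bar.class", b"\xca\xfe\xba\xbe")
    return target


def run_demo():
    """Build the sample JARs in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return triage(tmp)


if __name__ == "__main__":
    results, missing = run_demo()
    for r in results:
        print(f"{r['name']}: embedded pom={r['embedded_pom']} gav={r['gav']} sha1={r['sha1']}")
    print("JARs whose POM evidence could only come from Central:", missing)
```

Point `triage()` at a real lib/ directory (for example Tomcat's) to get the list of JARs for which disabling the CentralAnalyzer would drop the POM-derived evidence; JARs with an embedded POM still lose the Central GAV lookup, so the list is a lower bound on the impact, not the whole of it.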