Checking vulnerabilities in third party jars


DependencyUser

Jun 9, 2014, 2:50:00 AM
to dependen...@googlegroups.com
Hi,

I want to scan all the third party jars used in my project.
Please suggest me the best way to do that with Dependency check.

I have tried "dependency-check-cli". It gives me the error below.
C:\DependencyCheck>dependency-check.bat --app "test" --scan "C:\ThirdPartyJars"
9 Jun, 2014 11:35:22 AM org.owasp.dependencycheck.App runScan
SEVERE: Unable to connect to the dependency-check database; analysis has stopped


I tried the Ant task plugin also.
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask" classpath="C:\apache-ant-1.8.4\lib\dependency-check-ant-1.2.1.jar"/>
<target name="dependency-check" description="Dependency-Check Analysis">
    <dependency-check
        applicationname="myApp"
        reportoutputdirectory="${basedir}"
        reportformat="ALL">
        <fileset dir="${lib}">
            <include name="**/*.jar"/>
        </fileset>
    </dependency-check>
</target>
It gives me the error below while executing my build.xml.
The <dependency-check> type doesn't support the nested "fileset" element.

I am new to using this tool. Please help me to get this job done.

Thanks in Advance.

Jeremy Long

Jun 9, 2014, 9:18:30 AM
to DependencyUser, dependen...@googlegroups.com
I'm sorry you are having problems with this. A couple of questions/suggestions. With regard to the CLI version, I am a bit confused as to the directory structure you have (unless you've modified the snippets in your email). When you extract the archive for dependency-check-cli you should have a directory structure like:

c:\dependency-check\bin
c:\dependency-check\license
c:\dependency-check\repo

The dependency-check directory must be writable, as the tool will create a data directory in that same folder. The bin directory contains the bat file. If you extracted the archive to the root of C and then renamed "bin" to DependencyCheck, you will have a repo and licenses directory at the root of C, and programs can't write to the root of C unless they are running as admin. If this is the case, make a dependency-check directory and extract the contents of the archive there. Then you should be able to run the bat file.

With regard to the Ant configuration, I am by no means an Ant expert, but I would want to know what ${lib} was defined as.

--Jeremy



DependencyUser

Jun 9, 2014, 12:43:51 PM
to dependen...@googlegroups.com, ruchika....@gmail.com
Thanks very much, Jeremy, for replying.
 
Actually, I have added "C:\dependency-check-1.2.1-release\bin" in the classpath. 
That is why I am able to access dependency-check.bat file from other folders also.
 
My directory structure looks similar to what you have written.
C:\dependency-check-1.2.1-release\licenses
C:\dependency-check-1.2.1-release\bin
C:\dependency-check-1.2.1-release\repo
In fact, when I ran the dependency-check.bat file for the first time, it executed and a data folder also got created as "C:\dependency-check-1.2.1-release\data".
Two files with the names "cve.2.9.h2.db" and "cve.2.9.trace.db" were created in the data folder, but the analysis did not happen. I got an error something like the one mentioned below.
WARNING: Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
org.owasp.dependencycheck.Engine analyzeDependencies
SEVERE: Unable to connect to the database
 
After that I tried executing the bat file again, but every time I am getting the error below.
C:\dependency-check-1.2.1-release\bin>dependency-check.bat --app "test" --scan "C:\ThirdPartyJars"
9 Jun, 2014 11:35:22 AM org.owasp.dependencycheck.App runScan
SEVERE: Unable to connect to the dependency-check database; analysis has stopped

Please let me know where I need to correct myself.
 
With regard to the Ant plugin, I was able to figure it out. The Ant version was not compatible with the dependency-check Ant plugin jar.
I have updated the Ant jar. Now I am able to generate reports using that.
 
Thanks in Advance.

Jeremy Long

Jun 9, 2014, 12:59:47 PM
to dependen...@googlegroups.com, ruchika....@gmail.com
I definitely need to update an error message:

WARNING: Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
org.owasp.dependencycheck.Engine analyzeDependencies


While true, the main cause of this issue is that you are on a network that does not allow external connections unless you go through a proxy. Set the proxyurl (this will soon be changed to proxyserver, as it does not accept a URL... not sure what I was thinking when I named that argument) and proxyport. See the advanced configuration section here: http://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

--Jeremy
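Pulling Jeremy's two suggestions together (a writable release directory, and proxy settings for the CVE download) with the thread's later observation that deleting the data folder after a failed first download cleared the database error, here is an added wrapper script. It is not part of dependency-check and was not posted in this thread. It assumes DC_HOME points at the extracted release (bin/, repo/, licenses/ as shown above), that scans go through bin/dependency-check.sh (the .bat used in the thread takes the same arguments on Windows), that --scan may be given more than once, and that the proxy flag is spelled --proxyserver as Jeremy says it will be (1.2.1 took --proxyurl). The stale-download check relies on H2 writing a *.trace.db file only after it has logged an error, which is what sat beside the half-built cve.2.9.h2.db in the thread.

```shell
#!/bin/sh
# dc-scan.sh: wrapper for the dependency-check CLI. Added example, not project code.
# Assumptions: DC_HOME is the extracted release directory; bin/dependency-check.sh
# exists there; --scan may be repeated; proxy flags are --proxyserver/--proxyport.

DC_HOME="${DC_HOME:-/opt/dependency-check}"

# check_layout DIR: succeed if DIR is an extracted release whose data directory is
# writable or can be created. The tool creates data/ next to bin/ on first run, so
# the parent must be writable (Jeremy's "extracted to the root of C" failure mode).
check_layout() {
    home="$1"
    if [ ! -d "$home/bin" ] || [ ! -d "$home/repo" ]; then
        echo "not an extracted release (need bin/ and repo/): $home" >&2
        return 1
    fi
    if [ -d "$home/data" ]; then
        [ -w "$home/data" ] || { echo "data dir not writable: $home/data" >&2; return 1; }
    else
        [ -w "$home" ] || { echo "cannot create $home/data: parent not writable" >&2; return 1; }
    fi
}

# stale_update DIR: succeed if data/ holds an H2 trace file. H2 writes *.trace.db
# only when it has logged an error, so its presence means an earlier run (typically
# the first download) did not finish cleanly.
stale_update() {
    for f in "$1"/data/*.trace.db; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# proxy_args: print --proxyserver/--proxyport derived from HTTPS_PROXY
# ("http://host:port", optionally with user:pass@), one token per line.
# Prints nothing when no proxy is configured, which is the direct-connection case.
proxy_args() {
    [ -n "${HTTPS_PROXY:-}" ] || return 0
    hp="${HTTPS_PROXY#*://}"   # strip scheme
    hp="${hp%%/*}"             # strip any path
    hp="${hp##*@}"             # strip credentials; the CLI takes those separately
    host="${hp%%:*}"; port="${hp##*:}"
    printf '%s\n' --proxyserver "$host"
    if [ "$port" != "$hp" ]; then printf '%s\n' --proxyport "$port"; fi
}

# run_scan APP OUTDIR SCANPATH...: check the layout, warn about a stale data dir,
# then invoke the CLI with one --scan per path.
run_scan() {
    app="$1"; out="$2"; shift 2
    check_layout "$DC_HOME" || return 1
    if stale_update "$DC_HOME"; then
        echo "warning: H2 trace file in $DC_HOME/data; if the scan stops with" >&2
        echo "'Unable to connect to the database', delete $DC_HOME/data and rerun" >&2
    fi
    # Rewrite remaining positional parameters p1 p2 ... into --scan p1 --scan p2 ...
    for p in "$@"; do set -- "$@" --scan "$p"; shift; done
    "$DC_HOME/bin/dependency-check.sh" --app "$app" --out "$out" $(proxy_args) "$@"
}

# Usage: DC_HOME=/opt/dependency-check ./dc-scan.sh myApp /tmp/reports /path/to/lib
if [ "$#" -ge 3 ]; then run_scan "$@"; fi
```

The proxy is read from HTTPS_PROXY, so the same script works on and off a proxied network without editing flags. If the warning fires and the scan still stops with the database error, delete the data directory as was done later in this thread and rerun so the CVE download starts from scratch rather than reusing a half-written H2 file.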

DependencyUser

Jun 10, 2014, 3:46:02 AM
to dependen...@googlegroups.com, ruchika....@gmail.com
Thanks Jeremy.
 
I deleted the data folder and again executed the scan on the libraries.
C:\dependency-check-1.2.1-release\bin>dependency-check.bat --app "test" --scan "C:\lib" --out "C:/Reports"
It worked for me without making any proxy settings. The reason I deleted it and tried again is because once it had downloaded the content into the data folder, it was able to communicate with external entities.
Maybe the data download was incomplete, or there was some other reason. I have got an HTML report "dependency-check-report.html" :)
 
I want to confirm one thing from you, Jeremy. If I want to scan all the jars in a folder "C:/lib" and its subfolders "C:/lib/commonLib", "C:/lib/antLib" etc., then will scanning the "C:/lib" folder scan all the jars recursively inside it, or do I have to give wildcards or regular expressions along with that?