Download Owasp Dependency Check


Gabriella Kallin

Jan 25, 2024, 10:39:40 AM
to postchakeso

Open source projects often suffer from security vulnerabilities. If left unchecked, these vulnerabilities can compromise entire systems that rely on these open source tools. According to the Open Source Security and Risk Analysis (OSSRA) report, the average application contained 528 open source components in 2020.

OWASP Dependency-Check identifies vulnerabilities using Analyzers. These are built-in components of the tool (not separate projects), roughly one per ecosystem or file type, that inspect each dependency and collect evidence about it: vendor, product and version strings pulled from JAR manifests, embedded pom.xml files, package.json, .nuspec files, file names and similar sources. Each piece of evidence carries a confidence rating that reflects how reliable its source is; a version read from an embedded pom is trusted far more than one guessed from a file name.


Once the evidence is collected, it is searched against a local Lucene index built from the Common Platform Enumeration (CPE) dictionary, and the CPE match that results is assigned a level of confidence equal to the lowest confidence rating of the evidence used in the match. The identified CPE is then cross-checked against the Common Vulnerabilities and Exposures (CVE) entries in the National Vulnerability Database (NVD), the free database of known information-security vulnerabilities maintained by NIST, and every CVE whose affected-software list covers that CPE and version is reported.
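The following is an added illustration of the evidence-to-CPE step described above. It is not Dependency-Check's own code: the index lookup is reduced to a tiny in-memory list standing in for the Lucene index, the evidence source labels and both sample evidence sets are constructed, and only the rule that the match inherits the lowest confidence of the evidence used is taken from the description.

```python
import re
from dataclasses import dataclass

# Dependency-Check's confidence levels, lowest to highest.
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}


@dataclass(frozen=True)
class Evidence:
    kind: str        # "vendor", "product" or "version"
    source: str      # where the analyzer found it (labels are assumed, not the tool's)
    value: str
    confidence: str  # a key of CONFIDENCE_RANK


# Constructed stand-in for the Lucene-indexed CPE dictionary: (vendor, product).
CPE_INDEX = [("apache", "commons_collections"), ("apache", "commons_io")]


def tokens(value):
    """Lower-case word tokens: 'org.apache.commons' -> {'org', 'apache', 'commons'}."""
    return set(re.split(r"[^a-z0-9]+", value.lower())) - {""}


def normalise(value):
    """CPE-style product string: 'commons-collections' -> 'commons_collections'."""
    return re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")


def best_evidence(evidence, kind, matches=lambda e: True):
    """Highest-confidence evidence of one kind that satisfies `matches`, or None."""
    cands = [e for e in evidence if e.kind == kind and matches(e)]
    return max(cands, key=lambda e: CONFIDENCE_RANK[e.confidence]) if cands else None


def identify_cpes(evidence):
    """Search the evidence against the index. Each hit is (cpe, confidence); the
    confidence is the LOWEST of the vendor, product and version evidence used."""
    version = best_evidence(evidence, "version")
    if version is None:
        return []
    hits = []
    for vendor, product in CPE_INDEX:
        v = best_evidence(evidence, "vendor", lambda e: vendor in tokens(e.value))
        p = best_evidence(evidence, "product", lambda e: normalise(e.value) == product)
        if v is None or p is None:
            continue
        conf = min((e.confidence for e in (v, p, version)), key=CONFIDENCE_RANK.__getitem__)
        hits.append((f"cpe:2.3:a:{vendor}:{product}:{version.value}:*:*:*:*:*:*:*", conf))
    return hits


# Constructed evidence for a hypothetical commons-collections-3.2.1.jar that
# still carries its embedded pom.xml (the strongest evidence an analyzer gets).
WITH_POM = [
    Evidence("vendor", "pom groupId", "org.apache.commons", "HIGHEST"),
    Evidence("vendor", "Manifest Implementation-Vendor", "Apache Software Foundation", "HIGH"),
    Evidence("product", "pom artifactId", "commons-collections", "HIGHEST"),
    Evidence("product", "file name", "commons-collections", "LOW"),
    Evidence("version", "pom version", "3.2.1", "HIGHEST"),
    Evidence("version", "file name", "3.2.1", "LOW"),
]
# The same jar with the pom stripped: only manifest and file name remain, so the
# match is only as good as its weakest piece of evidence.
FILENAME_ONLY = [e for e in WITH_POM if not e.source.startswith("pom")]

if __name__ == "__main__":
    for label, ev in (("with pom", WITH_POM), ("file name only", FILENAME_ONLY)):
        print(label, identify_cpes(ev))
```

The second run is why a scan of stripped or shaded jars produces LOW-confidence matches and the corresponding false positives: the product and version come from the file name alone, and that rating propagates to every CVE reported against the match.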

I'm looking for something that can look at my package.json/yarn.lock (I use yarn) and tell me if any of my dependencies have vulnerabilities. I see that OWASP has a dependency check scanner with plugins for certain types of applications, but I don't see anything for JS.

Thank you for your answers. Our idea was to be able to run a pipeline to check the status of the project, including vulnerabilities, and we thought that the SonarCloud dashboard could be a good option to show all the issues detected by that pipeline.
We have changed the AppDelegate file to test, but it seems that passing a directory path is not working:

None of those were libraries listed in our package.json, so they must be transitive dependencies of one of the libraries we installed. We need to track them down. At the command line we can run npm list to find out. I tried it for yargs-parser, which was listed in two of the vulnerabilities reported by dependency-check:
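As an added example, not part of the original post, here is the same "who pulls this in?" question answered from a package-lock.json instead of npm list. It is assumed the lock file is lockfileVersion 2 or 3 (the "packages" map keyed by install path), and the lock file below is constructed to show a package that is installed twice, once hoisted and once nested under a dev dependency.

```python
import json

# Constructed lockfileVersion 3 excerpt: yargs-parser is installed twice, so
# the vulnerable copy may not be the one listed at the top of node_modules.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"yargs": "^15.0.0"}, "devDependencies": {"mocha": "^7.0.0"}},
    "node_modules/yargs": {"version": "15.0.2", "dependencies": {"yargs-parser": "^16.1.0"}},
    "node_modules/yargs-parser": {"version": "16.1.0"},
    "node_modules/mocha": {"version": "7.0.1", "dependencies": {"yargs": "13.3.0"}},
    "node_modules/mocha/node_modules/yargs": {"version": "13.3.0",
                                              "dependencies": {"yargs-parser": "^13.1.1"}},
    "node_modules/mocha/node_modules/yargs-parser": {"version": "13.1.1"}
  }
}
""")


def resolve(packages, from_key, name):
    """Node resolution as the lock file records it: look in the dependant's own
    node_modules, then in each ancestor's, up to the project root ("")."""
    base = from_key
    while True:
        cand = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not base:
            return None
        # climb one level: node_modules/a/node_modules/b -> node_modules/a -> ""
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def deps_of(pkg):
    """All declared dependency names of one lock entry, prod before dev."""
    out = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        out.update(pkg.get(field, {}))
    return out


def paths_to(lock, target):
    """Every chain from the root project to an installed copy of `target`,
    each as ['name@version', ...]. A visited set guards against cycles."""
    packages = lock["packages"]
    found = []

    def walk(key, chain, seen):
        for dep in deps_of(packages[key]):
            dep_key = resolve(packages, key, dep)
            if dep_key is None or dep_key in seen:
                continue
            label = f"{dep}@{packages[dep_key].get('version', '?')}"
            if dep == target:
                found.append(chain + [label])
            walk(dep_key, chain + [label], seen | {dep_key})

    walk("", [], frozenset())
    return found


def format_paths(paths):
    """npm-ls style rendering: one 'a@1 > b@2 > c@3' line per chain."""
    return "\n".join(" > ".join(chain) for chain in paths)


if __name__ == "__main__":
    print(format_paths(paths_to(SAMPLE_LOCK, "yargs-parser")))
```

Knowing the full chain matters for remediation: the hoisted 16.1.0 copy is reached through a production dependency, while the 13.1.1 copy is only reachable through mocha, so the two findings need different fixes (upgrade yargs versus upgrade or override the dev tool) and carry different risk.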

The whole dependency ecosystem is fragile. A 2016 incident gave the entire Node.js community a brutal reality check when one programmer unpublished an 11-line package (left-pad) and broke builds across the ecosystem. Attackers could easily have taken over the freed package names, bumped the version, and published malicious code in place of what everyone expected to install.

Adam Baldwin from the NSP sees a future where dependency security is part of the SDLC: "Soon you will see a number of products from us including continuous security monitoring and integration with GitHub (and other products) so that you can plug in security monitoring, detection, alerting, and remediation for the areas of your development lifecycle that are relevant to you."

RetireJS is an open-source, JavaScript-specific dependency checker. The project is primarily focused on ease of use. That's why it has multiple components, including a command-line scanner and plugins for Grunt, Gulp, Chrome, Firefox, ZAP, and Burp. RetireJS also made a site-checking service available to JS developers who want to find out if they're using a JavaScript library with known vulnerabilities.

OSSIndex supports several technologies. It indexes package coordinates from npm, NuGet, Maven Central, Bower, Chocolatey and MSI (so it covers the JavaScript, .NET/C# and Java ecosystems). OSSIndex also provides a vulnerability API for free.

Dependency-Check is an open-source command-line tool from OWASP that is actively maintained. It runs stand-alone or inside build tools (Maven, Gradle, Ant and Jenkins plugins exist). Java and .NET are fully supported, with experimental analyzers for JavaScript, Python, Ruby, PHP and others. Its primary vulnerability source is the NIST NVD, which recent versions supplement with Sonatype OSS Index, npm audit and RetireJS data.

Bundler-audit is an open-source command-line dependency checker for Ruby Bundler projects. It checks Gemfile.lock against RubySec's ruby-advisory-db, whose advisories carry the corresponding NVD CVE identifiers, and also warns about gems fetched from insecure (plain http://) sources.

Hakiri is a commercial tool that offers dependency checking for Ruby and Rails-based GitHub projects using static code analysis. It offers free plans for public open-source projects and paid plans for private projects. It uses NVD and the Ruby Advisory Database.

SourceClear is a commercial tool that offers plugins for several IDEs, deployment systems and source repositories, as well as a command-line interface. SourceClear also uses "vulnerable methods identification", which determines whether the vulnerable method of a dependency is actually reachable from the application. That feature dramatically reduces false positives and gives developers targeted reports for the vulnerabilities that matter. SourceClear has announced plans to offer a free version of its software.

OWASP Dependency-Check is a tool that checks for known vulnerabilities in third-party libraries used by a software application. It does this by checking the dependencies of the application against the National Vulnerability Database (NVD), which is maintained by the US National Institute of Standards and Technology (NIST).

In addition to naming the known vulnerabilities, each finding in the report lists the affected version range, so you can see at a glance when the version you ship has been superseded by a fixed release. That makes it straightforward to keep your application on the most secure versions of the libraries it depends on.

Dependency-Check does what the name suggests: it checks your dependencies for ones with known vulnerabilities. When it finds some, it tells you which they are, with a link to the matching National Vulnerability Database (NVD) entry. It is fast, easy to set up and gives you some confidence that your code is built on a solid foundation.

With your dependencies checked, what about your own code? OWASP Zed Attack Proxy (ZAP) covers that side. It tests the running site or API rather than the source: its passive scanner only inspects the traffic that flows through the proxy and flags problems such as information disclosure (a server version in the response headers), whereas its active scanner sends attack payloads at the application, for example SQL injection probes, and so must only be pointed at systems you are authorised to test.

When developing software, we often have to use third-party npm packages. For example, to make an HTTP call to an API from our application we might use the axios library. Before adopting a third-party library, however, it is important to check whether any security vulnerabilities have been reported against it, and a tool can do that search for you. OWASP Dependency-Check is one of them.

2) After downloading the release archive and extracting it, go into the dependency-check folder; the bin directory holds the launch scripts. dependency-check.bat runs the tool on Windows and dependency-check.sh runs it on Linux and macOS.

OWASP dependency-check includes an analyzer that scans Node Package Manager specification files (package.json and package-lock.json). It works in conjunction with the Node Audit Analyzer, which submits the lock file to the npm audit API, to build a bill of materials for a Node.js project and report the advisories npm knows about for it.

I have to admit, with a high degree of shame, that I didn't know about the OWASP dependency check maven plugin. And it seems to have been around since 2013. And, apparently, a thousand projects on GitHub are using it already.

In the past, I've gone manually through dependencies to check them against vulnerability databases, or, in many cases, I was just blissfully ignorant about any vulnerabilities that my dependencies had.

The purpose of this post is just that - to recommend the OWASP dependency check maven plugin as a must-have in practically every maven project (there are dependency-check tools for other build systems as well).

Then you can configure a threshold for vulnerabilities (the Maven plugin's failBuildOnCVSS setting) and fail the build if new ones appear, either because you added a vulnerable dependency or because a vulnerability was published for an existing one.

Now, checking dependencies for vulnerabilities is just one small aspect of having your software secure and it shouldn't give you a false sense of security (a sort-of "I have my dependencies checked, therefore my system is secure" fallacy). But it's an important aspect. And having that check automated is a huge gain.

While you can control the security of your codebase through audits, code review, and static analysis, your application has no direct control over vulnerabilities present in third party code. These dependencies are typically specified through a descriptor, like an Apache Maven POM. Vulnerabilities can either be present in the code of upstream dependencies configured explicitly or through transitive dependencies. A sample dependency tree may look like this:

Today's development process typically includes running commits through a Continuous Integration (CI) system that runs automated tests to help facilitate faster and iterative development while lowering the chance of regressions. In a similar vein, it is increasingly becoming important to shift security left, to find vulnerabilities as early in the development lifecycle as possible. There are two reasons why you should automate dependency checking into CI

If you prefer an approach with less friction, you can choose an alert-only approach where the security team is alerted to vulnerabilities present in a new branch. This typically requires some manual triage by a security engineer. In the following example, alerts are sent to a Slack channel for triage by a script that parses the JSON output of Dependency-Check.
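The following script is an added example, not code from the original article, that covers both CI modes described above: it parses a Dependency-Check JSON report (produced with --format JSON), fails the build when any finding reaches a CVSS threshold, the same policy as the CLI's --failOnCVSS or the Maven plugin's failBuildOnCVSS, and builds a Slack webhook message for everything else. The report embedded below is constructed to mirror the report's shape (a dependencies list, each with a vulnerabilities list carrying cvssv3 or, for older entries, only cvssv2 scores) and is not real scanner output; the SLACK_WEBHOOK_URL variable name is an assumption.

```python
import json
import os
import sys
import urllib.request

# Constructed report in the shape of dependency-check-report.json; the
# EXAMPLE-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "projectInfo": {"name": "demo-app"},
    "dependencies": [
        {"fileName": "lodash:4.17.15", "filePath": "/src/node_modules/lodash/package.json",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2020-8203", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.4, "baseSeverity": "HIGH"}}]},
        {"fileName": "yargs-parser:13.1.1", "filePath": "/src/node_modules/yargs-parser/package.json",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2020-7608", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
        {"fileName": "legacy-lib:1.0.0", "filePath": "/src/node_modules/legacy-lib/package.json",
         "vulnerabilities": [
             {"source": "NVD", "name": "EXAMPLE-0001", "severity": "MEDIUM",
              "cvssv2": {"score": 6.8}},                      # old entry: v2 score only
             {"source": "NPM", "name": "EXAMPLE-0002", "severity": "LOW"}]},  # no score at all
        {"fileName": "axios:1.6.0", "filePath": "/src/node_modules/axios/package.json",
         "vulnerabilities": []},
    ],
}


def score_of(vuln):
    """CVSS base score, preferring v3; older NVD entries only carry cvssv2."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return None


def findings(report):
    """Flatten the report into one record per (dependency, vulnerability)."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append({"dependency": dep.get("fileName"), "path": dep.get("filePath"),
                        "id": vuln.get("name"),
                        "severity": (vuln.get("severity") or "UNKNOWN").upper(),
                        "score": score_of(vuln)})
    return out


def failing(report, threshold):
    """Findings that break the build: a known CVSS score at or above the threshold."""
    return [f for f in findings(report) if f["score"] is not None and f["score"] >= threshold]


def gate(report, threshold):
    """Process exit status for CI: 1 when anything reaches the threshold."""
    return 1 if failing(report, threshold) else 0


def slack_payload(report, threshold, branch):
    """Slack incoming-webhook body listing every finding, blocking ones marked.
    Unscored findings are kept visible so a human triages them."""
    rows = sorted(findings(report), key=lambda f: -(f["score"] or 0))
    lines = [f"Dependency-Check: {len(rows)} finding(s) on `{branch}` "
             f"(fail threshold CVSS {threshold})"]
    for f in rows:
        blocking = f["score"] is not None and f["score"] >= threshold
        mark = ":rotating_light:" if blocking else ":warning:"
        score = "n/a" if f["score"] is None else f"{f['score']:.1f}"
        lines.append(f"{mark} {f['id']} {f['severity']} (CVSS {score}) in {f['dependency']}")
    return {"text": "\n".join(lines)}


def post_to_slack(payload, webhook_url):
    """Send the payload to a Slack incoming webhook (network call, not used in tests)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # usage: gate.py [dependency-check-report.json] [threshold]
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    payload = slack_payload(report, threshold, os.environ.get("GIT_BRANCH", "main"))
    print(payload["text"])
    if os.environ.get("SLACK_WEBHOOK_URL"):
        post_to_slack(payload, os.environ["SLACK_WEBHOOK_URL"])
    sys.exit(gate(report, threshold))
```

Two policy choices are deliberate: scores are read from cvssv3 first and fall back to cvssv2 so that old NVD entries are not silently treated as harmless, and findings with no score never pass the gate unnoticed because they always appear in the alert for manual triage.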

In the general dashboard of the Dependency-Track server we can find some relevant information, such as how many projects are registered in the tool and how many of them are vulnerable. The number of vulnerabilities shown in the Portfolio Vulnerabilities chart updates as we fix or upgrade dependencies, or as new vulnerabilities are published for the third-party components already in our portfolio; it is broken down by severity derived from the CVSS v3 score. Another chart compares the total number of software components against the number of them that are vulnerable.
