DependencyCheck v3.3.1 – A Software Composition Analysis Tool That Detects Publicly Disclosed Vulnerabilities In Software Dependencies

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it generates a report linking to the associated CVE entries. Because the CPE is inferred from evidence found in the artifact (file names, manifest entries, POM coordinates) rather than declared by the dependency itself, the match can be wrong in either direction: expect some false positives that need suppressing, and do not read a clean report as proof that no vulnerable code is present.
Documentation and links to production binary releases can be found on the github pages ^(http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the wiki ^(https://github.com/jeremylong/DependencyCheck/wiki).

Jenkins users should see the OWASP Dependency-Check Plugin page ^(https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).

Command Line
More detailed instructions can be found on the dependency-check github pages ^(http://jeremylong.github.io/DependencyCheck/dependency-check-cli/). The latest CLI can be downloaded from bintray's dependency-check page ^(https://bintray.com/jeremy-long/owasp/dependency-check).
On *nix

$ ./bin/dependency-check.sh -h
$ ./bin/dependency-check.sh --project Testing --out . --scan [path to jar files to be scanned]

On Windows

> .\bin\dependency-check.bat -h
> .\bin\dependency-check.bat --project Testing --out . --scan [path to jar files to be scanned]

On Mac with Homebrew ^(http://brew.sh/)

$ brew update && brew install dependency-check
$ dependency-check -h
$ dependency-check --project Testing --out . --scan [path to jar files to be scanned]

Maven Plugin
More detailed instructions can be found on the dependency-check-maven github pages ^(http://jeremylong.github.io/DependencyCheck/dependency-check-maven). By default, the plugin is tied to the verify phase (i.e. mvn verify). Alternatively, one can directly invoke the plugin via mvn org.owasp:dependency-check-maven:check.
The dependency-check plugin can be configured using the following (the XML tags were lost in extraction; the structure below is the standard Maven plugin declaration with the plugin's check goal bound to an execution):

<project>
    ...
    <build>
        ...
        <plugins>
            ...
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            ...
        </plugins>
        ...
    </build>
    ...
</project>

Ant Task
For instructions on using the Ant task, please see the dependency-check-ant github page ^(http://jeremylong.github.io/DependencyCheck/dependency-check-ant).

Development Usage
The following instructions outline how to compile and use the current snapshot. While every effort is made to keep the snapshot stable, it is recommended that the release versions listed above be used.
The repository has some large files due to test resources. The team has tried to clean up the history as much as possible. However, it is recommended that you perform a shallow clone to save yourself time:

git clone --depth 1 https://github.com/jeremylong/DependencyCheck.git

On *nix

$ mvn install
$ ./cli/target/release/bin/dependency-check.sh -h
$ ./cli/target/release/bin/dependency-check.sh --project Testing --out . --scan ./src/test/resources

On Windows

> mvn install
> .\dependency-check-cli\target\release\bin\dependency-check.bat -h
> .\dependency-check-cli\target\release\bin\dependency-check.bat --project Testing --out . --scan ./src/test/resources

Then load the resulting 'dependency-check-report.html' into your favorite browser.

Docker
In the following example it is assumed that the source to be checked is in the current working directory. Persistent data and report directories are used, so the container can be destroyed after each run while the downloaded NVD data survives (re-downloading it on every run is slow and is the usual cause of "the scan takes forever" complaints).

#!/bin/sh

OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check
DATA_DIRECTORY="$OWASPDC_DIRECTORY/data"
REPORT_DIRECTORY="$OWASPDC_DIRECTORY/reports"

# Create each persistent directory on first use (the original only checked
# the data directory, so a deleted reports directory was never recreated).
# 777 is what the project's script uses so that whatever UID the container
# runs as can write here; a tighter alternative, if your Docker setup allows
# it, is to pass --user "$(id -u):$(id -g)" to docker run and keep normal
# permissions on these directories.
for dir in "$DATA_DIRECTORY" "$REPORT_DIRECTORY"; do
    if [ ! -d "$dir" ]; then
        echo "Initially creating persistent directory $dir"
        mkdir -p "$dir"
        chmod -R 777 "$dir"
    fi
done

# Make sure we are using the latest version
docker pull owasp/dependency-check

docker run --rm \
    --volume "$(pwd)":/src \
    --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \
    --volume "$REPORT_DIRECTORY":/report \
    owasp/dependency-check \
    --scan /src \
    --format "ALL" \
    --project "My OWASP Dependency Check Project" \
    --out /report
    # Use suppression like this: (/src == $pwd)
    # --suppression "/src/security/dependency-check-suppression.xml"
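The script above writes the report but leaves two questions to the reader: how to fail a pipeline on what the report contains, and what the suppression file it mentions actually looks like. The following is an added example, not code from the dependency-check project: it reads the JSON report (written with --format JSON or ALL), applies a CVSS threshold the way the plugins' failBuildOnCVSS setting does, and drafts a suppression file for findings a reviewer has accepted, pinned by sha1 and CVE rather than by a file path pattern. The report field names (fileName, sha1, vulnerabilities[].name, and the flat cvssScore of 3.x versus the nested cvssv2/cvssv3 blocks of later releases) and the schema URL are assumptions based on the versions in circulation at the time; the sample report, CVE ids and hashes are constructed.

```python
"""Added example (not part of the dependency-check project): gate on a
dependency-check JSON report and draft pinned suppressions for accepted
findings.  Assumed report shape: each entry in ``dependencies`` carries
``fileName``, ``sha1`` and a ``vulnerabilities`` list; 3.x wrote a flat
``cvssScore`` per vulnerability, later releases nest ``cvssv2.score`` /
``cvssv3.baseScore``.  Both layouts are handled."""
import json
import sys
from dataclasses import dataclass

# Suppression schema declared by suppression files of this era (assumption).
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"

# Constructed sample report (fake CVE ids and hashes); stands in for the
# dependency-check-report.json the tool writes into the --out directory.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "libone-1.2.jar", "sha1": "a" * 40,
     "vulnerabilities": [{"name": "CVE-0000-0001", "cvssScore": 7.5},
                         {"name": "CVE-0000-0002", "cvssScore": 2.1}]},
    {"fileName": "libtwo-0.9.jar", "sha1": "b" * 40,
     "vulnerabilities": [{"name": "CVE-0000-0003",
                          "cvssv2": {"score": 6.8}, "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "clean-3.0.jar", "sha1": "c" * 40},
]})


@dataclass(frozen=True)
class Finding:
    file_name: str
    sha1: str
    cve: str
    score: float


def vuln_score(vuln):
    """CVSS score of one vulnerability entry: prefer v3, then v2, then the
    flat 3.x field.  Unscored entries get 0.0 so they never trip a threshold."""
    candidates = ((vuln.get("cvssv3") or {}).get("baseScore"),
                  (vuln.get("cvssv2") or {}).get("score"),
                  vuln.get("cvssScore"))
    for value in candidates:
        if value is not None:
            return float(value)
    return 0.0


def load_findings(report_text):
    """Flatten the report into one Finding per (dependency, CVE) pair."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(dep.get("fileName", "?"),
                                    dep.get("sha1", "").lower(),
                                    vuln["name"], vuln_score(vuln)))
    return findings


def gate(findings, threshold, accepted=frozenset()):
    """Mirror failBuildOnCVSS: findings scoring at or above ``threshold`` that
    are not in ``accepted`` (a set of (sha1, cve) pairs already reviewed).
    At-or-above is an assumption; confirm the comparison your plugin uses."""
    return [f for f in findings
            if f.score >= threshold and (f.sha1, f.cve) not in accepted]


def suppression_xml(findings, note):
    """Draft a suppression file pinned by sha1 AND cve, so the suppression
    expires with the exact artifact it was reviewed against instead of
    silently covering a future version (as a filePath regex would)."""
    safe_note = note.replace("]]>", "]]]]><![CDATA[>")  # keep CDATA well-formed
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             f'<suppressions xmlns="{SUPPRESSION_NS}">']
    for f in findings:
        if len(f.sha1) != 40 or any(c not in "0123456789abcdef" for c in f.sha1):
            raise ValueError(f"{f.file_name}: report has no usable sha1, refusing to pin")
        lines += ["  <suppress>",
                  f"    <notes><![CDATA[{f.file_name}: {safe_note}]]></notes>",
                  f"    <sha1>{f.sha1}</sha1>",
                  f"    <cve>{f.cve}</cve>",
                  "  </suppress>"]
    lines.append("</suppressions>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python triage.py [dependency-check-report.json] [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 3.0
    failing = gate(load_findings(text), threshold)
    for f in failing:
        print(f"{f.file_name}\t{f.cve}\tCVSS {f.score}")
    sys.exit(1 if failing else 0)
```

Two design points. First, the suppression is keyed on the artifact hash plus the CVE, not on a file name pattern: a `filePath` regex keeps suppressing after the library is upgraded to a version that is vulnerable to a different CVE, whereas a sha1 pin forces a fresh review on every version bump. Second, use `cve` when the vulnerability genuinely does not apply to your usage, but prefer a `cpe` suppression when the underlying CPE match itself is wrong, otherwise you will suppress the same false positive once per CVE ever published against the mis-identified product.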

Upgrade Notes

Upgrading from 1.x.x to 2.x.x
Note that when upgrading from version 1.x.x the following changes will need to be made to your configuration.

Suppression file
In order to support more than one suppression file, the mechanism for configuring suppression files has changed. As such, users that have defined a suppression file in their configuration will need to change it.
See the examples below:

Ant
Old (the element tags were lost in extraction; the 1.x form passed the file as an attribute of the task):

<dependency-check
  failBuildOnCVSS="3"
  suppressionFile="suppression.xml">
</dependency-check>

New (2.x takes the file as a nested element, one per suppression file, as documented for dependency-check-ant):

<dependency-check
  failBuildOnCVSS="3">
  <suppressionFile path="suppression.xml" />
</dependency-check>
Maven
Old:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <suppressionFile>suppression.xml</suppressionFile>
  </configuration>
</plugin>

New:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <suppressionFiles>
      <suppressionFile>suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
Gradle
In addition to the changes to the suppression file, the task dependencyCheck has been renamed to dependencyCheckAnalyze.
Old (the buildscript body, which holds the repositories and the plugin classpath, is not reproduced on this page):

buildscript {
    // repositories and the dependency-check-gradle classpath go here
}
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    suppressionFile='path/to/suppression.xml'
}

// 1.x task name; the page's original listed the new name here, which does
// not exist before the upgrade
check.dependsOn dependencyCheck

New:

buildscript {
    // repositories and the dependency-check-gradle classpath go here
}
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    suppressionFiles = ['path/to/suppression1.xml', 'path/to/suppression2.xml']
}

check.dependsOn dependencyCheckAnalyze
Download DependencyCheck ^(https://github.com/jeremylong/DependencyCheck)