In this blog, we will see what OWASP Dependency Check is and how to use it to identify vulnerable Open-Source libraries.
So first, what is OWASP Dependency Check?
OWASP Dependency Check is an open-source Software Composition Analysis tool by OWASP.
Dependency Check scans the source code, binaries, and packaging format to identify vulnerable open-source libraries used in the software.
Here is the list of languages, file types, and packaging formats that Dependency Check supports:
- Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2); RPM format (*.rpm)
- .NET Assemblies (*.exe, *.dll)
- Java archive files (*.jar); Web application archive (*.war)
- JavaScript files
- NPM package specification files (package.json)
- Nuget packages.config file
- Nuget package specification file (*.nuspec)
- OpenSSL Version Source Header File (opensslv.h)
- Ruby Gemfile.lock files
- Autoconf project configuration files (configure, configure.in, configure.ac)
- CMake project files (CMakeLists.txt) and scripts (*.cmake)
- CocoaPods .podspec files
- PHP Composer Lock files (composer.lock)
- Perl CPAN files (cpanfile)
- Go.mod
- Gopkg.lock
- PE DLL and EXE
- Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip)
- Python Pip requirements.txt files
- Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec)
- SWIFT Package Manager's Package.swift
How Does Dependency Check Work?
Dependency Check analyzes the source code, binaries, and packaging format to collect the open-source libraries used in the software and builds a list that includes the Entry Type, Library Name, Vendor, and Version of each one.
After collecting these details, Dependency Check creates the CPE (Common Platform Enumeration) and PURL (Package URL) of each open-source library.
CPE is a standard method used in the National Vulnerability Database to describe and identify classes of applications, operating systems, and hardware devices.
CPE Syntax - cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…
PURL is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs, and databases.
PURL Syntax - scheme:type/namespace/name@version?qualifiers#subpath
After creating the CPE and PURL, Dependency Check uses the CPE of each open-source library to look up vulnerabilities in the National Vulnerability Database and uses the PURL to look up vulnerabilities in the Sonatype OSS Index. Because the CPE and PURL are derived from evidence found in the files, a wrong match (a false positive or a missed library) is possible, so the report's identifiers should be checked against the library actually in use.
How to Install and use Dependency check
Installation
Download the .zip file from the Dependency check GitHub repository
https://github.com/jeremylong/DependencyCheck/
Command: wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip
Unzip the archive
Command: unzip dependency-check-7.3.0-release.zip
Go to dependency-check/bin/ directory
Command: cd dependency-check/bin/
Download a local copy of the National Vulnerability Database
Command: ./dependency-check.sh --updateonly
Run Scan
Now we will see how to run Software Composition Analysis using Dependency Check.
For the demo purpose I am using OWASP Juice Shop.
Syntax: ./dependency-check.sh --project <Project Name> --scan <Path To Scan> --enableExperimental -o <The folder to write reports> -f <output format to write to (XML, HTML, CSV, JSON, JUNIT, SARIF, ALL)>
Example:
Command: ./dependency-check.sh --project demo_scan --scan /home/sahil/tools/juice-shop --enableExperimental -o /home/sahil/tools/demo_scan.html -f HTML
Once the scan is complete, we can open the report at the output path.
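The report is easier to act on in a pipeline if it is written as JSON (-f JSON) and filtered for the findings that matter. The following is an added example, not code from the blog post or from the Dependency Check project: it parses such a report, pulls out the PURL and CPE described above for each dependency together with every finding's severity and CVSS score, and returns the findings at or above a chosen severity so a build step can fail on them. The sample report is constructed, its CVE names are placeholders, and the field names (dependencies, packages[].id for the PURL, vulnerabilityIds[].id for the CPE, vulnerabilities[].severity) are assumed from the JSON report format.

```python
import json

# Constructed sample of a Dependency Check JSON report. The field names are
# assumed from the JSON report format; package names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib:1.2.3",
         "packages": [{"id": "pkg:npm/example-lib@1.2.3"}],
         "vulnerabilityIds": [{"id": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"}],
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-0000-PLACEHOLDER-1", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.5}},
             {"source": "OSSINDEX", "name": "CVE-0000-PLACEHOLDER-2", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-lib:2.0.0",
         "packages": [{"id": "pkg:npm/clean-lib@2.0.0"}],
         "vulnerabilityIds": [],
         "vulnerabilities": []},
    ],
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_text):
    """Return one (fileName, purl, cpe, cve, severity, cvss) tuple per vulnerability."""
    report = json.loads(report_text)
    rows = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", [])]      # PURL used for OSS Index
        cpes = [v["id"] for v in dep.get("vulnerabilityIds", [])]  # CPE used for the NVD
        for vuln in dep.get("vulnerabilities", []):
            # Prefer the CVSSv3 base score, fall back to v2 when only that is present
            score = (vuln.get("cvssv3") or vuln.get("cvssv2") or {}).get("baseScore")
            rows.append((dep["fileName"], purls[0] if purls else None,
                         cpes[0] if cpes else None, vuln["name"],
                         vuln.get("severity", "UNKNOWN").upper(), score))
    return rows


def gate(report_text, fail_on="HIGH"):
    """Return the findings at or above fail_on; a non-empty result should fail the build."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [f for f in findings(report_text) if SEVERITY_RANK.get(f[4], 0) >= threshold]


if __name__ == "__main__":
    print(*findings(SAMPLE_REPORT), sep="\n")
    print("blocking findings:", len(gate(SAMPLE_REPORT)))
```

Dependency Check's own --failOnCVSS option applies a score threshold at scan time; the script above does the equivalent on a saved report and also surfaces the CPE and PURL so a questionable match can be reviewed.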
Tags:
SCA