Automatic scan for known vulnerabilities in dependencies

When using third-party components (be they open source or not), we all know it’s good practice to keep your frameworks and libraries up to date. This is also one of the spearheads of the OWASP Top 10 (2013 edition): A9 - Using Components with Known Vulnerabilities. To help you assess your project’s status in this regard, OWASP.org developed the tool Dependency Check. This tool is primarily intended for code bases in Java, .NET, Ruby, Node.js, and Python. Integration with various build tools is also provided.

Basics

The simplest way to use the tool is from the command line. When you run it from the project’s top-level directory, it will attempt to discover and check all dependencies:

dependency-check -s . --project "Name of my project"

This produces an HTML file (dependency-check-report.html) with an overview of all detected dependencies, including their known vulnerabilities.

Integrate with Maven

You can also integrate the tool into your Maven build process using the Maven plugin. Let’s say we want the report in XML format (which can be fed into SonarQube if the Dependency-Check Plugin for SonarQube is installed). Additionally, we want the build to fail if a vulnerability with a CVSS score of 8 or higher is discovered. We would then add the following to our POM:

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.4.5</version>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
            <goal>aggregate</goal>
          </goals>
          <configuration>
            <format>XML</format>
            <failBuildOnCVSS>8</failBuildOnCVSS>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

The next time your build runs up to or including the verify phase, the plugin will download a database of known vulnerabilities. It will then attempt to match your project’s dependencies against that database and report the results. Subsequent builds only download updates to that database, so only the initial run should be exceptionally long.
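To show what the XML report contains and how a CVSS threshold like failBuildOnCVSS is applied, here is an added example in Python; it is not code from the article or from Dependency-Check itself. It parses a report and lists the findings at or above a threshold. It assumes the element names (analysis, dependencies, dependency, fileName, vulnerabilities, vulnerability, name, cvssScore) follow the 1.x XML report schema, that target/dependency-check-report.xml is where the Maven plugin writes the report (assumed default), and the embedded sample report with CVE-EXAMPLE-* identifiers and example-lib-*.jar file names is constructed for demonstration only.

```python
"""Read a Dependency-Check XML report and apply a CVSS threshold.

Added example, not part of the original article and not Dependency-Check's
own code. Element names are assumed to match the 1.x report schema; the
sample report below is constructed and does not describe real libraries.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report: three dependencies, three findings, one clean.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>example-lib-a-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-EXAMPLE-0001</name>
          <cvssScore>7.5</cvssScore>
          <severity>High</severity>
        </vulnerability>
        <vulnerability>
          <name>CVE-EXAMPLE-0002</name>
          <cvssScore>9.8</cvssScore>
          <severity>Critical</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>example-lib-b-2.3.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-EXAMPLE-0003</name>
          <cvssScore>8.0</cvssScore>
          <severity>High</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>example-lib-c-0.9.jar</fileName>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever xmlns the report uses."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_report(xml_text):
    """Return a list of (file_name, vuln_name, cvss_score) for every finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = _child_text(dep, "fileName") or "<unknown>"
        for vuln in dep.iter():
            if _local(vuln.tag) != "vulnerability":
                continue
            name = _child_text(vuln, "name") or "<unnamed>"
            score_text = _child_text(vuln, "cvssScore")
            score = float(score_text) if score_text else 0.0  # missing score: treat as 0
            findings.append((file_name, name, score))
    return findings


def findings_at_or_above(findings, threshold):
    """Findings whose CVSS score meets the threshold (>=, like failBuildOnCVSS)."""
    return [f for f in findings if f[2] >= threshold]


def should_fail_build(xml_text, threshold=8.0):
    """True if any finding in the report is at or above the CVSS threshold."""
    return bool(findings_at_or_above(parse_report(xml_text), threshold))


def main(argv):
    # Assumed default output path of the Maven plugin; pass another path as argv[1].
    path = argv[1] if len(argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 8.0
    failing = findings_at_or_above(parse_report(xml_text), threshold)
    for file_name, name, score in failing:
        print(f"{file_name}: {name} (CVSS {score})")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python check_report.py target/dependency-check-report.xml 8 from a CI step; with no arguments it evaluates the embedded sample and exits non-zero because two findings reach the threshold. Later versions of the report schema nest the score under cvssV2 and cvssV3 elements rather than a single cvssScore, so the _child_text lookups need adjusting for those reports.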

Integrate with Gradle

There’s also a Gradle plugin available. Add it to your build.gradle like so:

buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:1.3.3'
  }
}

apply plugin: 'org.owasp.dependencycheck'

Then invoke its Gradle task using gradle dependencyCheck --info.