If you run the tool at least once every seven days, only a small JSON file needs to be downloaded to keep the local copy of the data current.Build and Deploy Hybrid Applications with SAP Solution Managerīuild and Deploy SAPUI5/SAP Fiori Applications on SAP BTPīuild and Deploy SAP Cloud Application Programming Model Applications ‘'’IMPORTANT NOTE:’’’ The initial download of the data may take ten minutes or more. Other 3rd party services and data sources such as the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit are utilized for specific technologies.ĭependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report. The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool).
The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).ĭependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, “ Unfortunate Reality of Insecure Libraries”. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components. The OWASP contains a new entry: A9-Using Components with Known Vulnerabilities.
If found, it will generate a report linking to the associated CVE entries. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
0 kommentar(er)
