The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). ![]() ![]() The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).ĭependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled, “ Unfortunate Reality of Insecure Libraries”. Dependency Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components. The OWASP contains a new entry: A9-Using Components with Known Vulnerabilities. If found, it will generate a report linking to the associated CVE entries. ![]() It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. ![]() Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |