Friday, 14 December 2018

[Research] OWASP Dependency Check 4.0.0

[Research] OWASP Dependency Check 4.0.0 component dependency check

2018-12-14
Updated 2020-06-13

OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check

Official slides
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx


Dependency Check is a Software Composition Analysis (SCA) tool: it inspects the components a piece of software is built from and looks for publicly known vulnerabilities in them. It uses Common Platform Enumeration (CPE) identifiers to obtain information about those components; when a match is found, it produces a report with hyperlinks to the corresponding Common Vulnerability and Exposure (CVE) entries.

OWASP Top 10 2013 contains the item A9 - Using Components with Known Vulnerabilities. Dependency Check can perform this check.

Note that the results may contain false positives. The tool suits Java programs better than .NET programs, and may produce false positives on .NET programs.

Usage
Note that Dependency Check uses an online database, so an Internet connection is required.

dependency-check.bat --project "<solution/project name>" --scan "<bin directory>" --out "<output file or output directory>"


Example

"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"


Run output

"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"

[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2005
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2006
[INFO] Download Started for NVD CVE - 2007
[INFO] Download Started for NVD CVE - 2008
[INFO] Download Started for NVD CVE - 2009
[INFO] Download Started for NVD CVE - 2011
[INFO] Download Started for NVD CVE - 2010
[INFO] Download Started for NVD CVE - 2012
[INFO] Download Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2003  (5602 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2003
[INFO] Processing Complete for NVD CVE - 2003  (647 ms)
[INFO] Download Complete for NVD CVE - 2002  (8014 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Processing Started for NVD CVE - 2002
[INFO] Processing Complete for NVD CVE - 2002  (747 ms)
[INFO] Download Complete for NVD CVE - 2006  (9447 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2006
[INFO] Processing Complete for NVD CVE - 2006  (967 ms)
[INFO] Download Complete for NVD CVE - 2009  (12238 ms)
[INFO] Download Started for NVD CVE - 2017
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2014  (7844 ms)
[INFO] Download Started for NVD CVE - 2018
[INFO] Processing Started for NVD CVE - 2014
[INFO] Processing Complete for NVD CVE - 2009  (1416 ms)
[INFO] Download Complete for NVD CVE - 2005  (14632 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2007  (14903 ms)
[INFO] Processing Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2004  (14953 ms)
[INFO] Processing Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2015  (7110 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2008  (15947 ms)
[INFO] Processing Started for NVD CVE - 2008
[INFO] Processing Complete for NVD CVE - 2004  (2250 ms)
[INFO] Processing Complete for NVD CVE - 2005  (3067 ms)
[INFO] Download Complete for NVD CVE - 2016  (8846 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Complete for NVD CVE - 2014  (5212 ms)
[INFO] Processing Complete for NVD CVE - 2007  (4785 ms)
[INFO] Processing Complete for NVD CVE - 2008  (4954 ms)
[INFO] Download Complete for NVD CVE - Modified  (6330 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - 2015  (6093 ms)
[INFO] Processing Complete for NVD CVE - Modified  (1266 ms)
[INFO] Processing Complete for NVD CVE - 2016  (4642 ms)
[INFO] Download Complete for NVD CVE - 2013  (24832 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2013  (2465 ms)
[INFO] Download Complete for NVD CVE - 2012  (32090 ms)
[INFO] Processing Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2012  (2774 ms)
[INFO] Download Complete for NVD CVE - 2010  (38692 ms)
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2010  (2540 ms)
[INFO] Download Complete for NVD CVE - 2017  (41130 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Processing Complete for NVD CVE - 2017  (9080 ms)
[INFO] Download Complete for NVD CVE - 2018  (51838 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2011  (68400 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2018  (7411 ms)
[INFO] Processing Complete for NVD CVE - 2011  (11028 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (85145 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (3 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)

C:\dependency-check\bin>


Run output 2

"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"

[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (30 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)

C:\dependency-check\bin>


Supplement, 2020-06-13
Run output 3
After a new Dependency Check version is released, the online database used by the old version is sometimes no longer served, and an error like the one below appears. Download the latest version from the official site and the problem is resolved.

D:\dependency-check\bin>dependency-check.bat --project "test" --scan D:\CODE\Sample1\Sample1\bin --out C:\temp
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz
[WARN] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARN] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] No documents exist

Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Unable to download the NVD CVE data.
[ERROR] No documents exist

D:\dependency-check\bin>



********************************************************************************



C:\dependency-check\bin>dependency-check.bat  -v
Dependency-Check Core version 4.0.0

C:\dependency-check\bin>




C:\dependency-check\bin>dependency-check.bat
usage: Dependency-Check Core [--advancedHelp] [--cveValidForHours <hours>]
       [--enableExperimental] [--enableRetired] [--exclude <pattern>] [-f
       <format>] [--failOnCVSS <score>] [-h] [--hints <file>] [-l <file>]
       [-n] [-o <path>] [-P <file>] [--project <name>] [-s <path>]
       [--suppression <file>] [--symLink <depth>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE
vulnerabilities in libraries utilized by an application. Dependency-Check
Core will automatically update required data from the Internet, such as
the CVE and CPE data files from nvd.nist.gov.

    --advancedHelp               Print the advanced help message.
    --cveValidForHours <hours>   The number of hours to wait before
                                 checking for new updates from the NVD.
    --enableExperimental         Enables the experimental analyzers.
    --enableRetired              Enables the retired analyzers.
    --exclude <pattern>          Specify an exclusion pattern. This option
                                 can be specified multiple times and it
                                 accepts Ant style exclusions.
 -f,--format <format>            The output format to write to (HTML, XML,
                                 CSV, JSON, VULN, or ALL). The default is
                                 HTML.
    --failOnCVSS <score>         Specifies if the build should be failed
                                 if a CVSS score above a specified level
                                 is identified. The default is 11; since
                                 the CVSS scores are 0-10, by default the
                                 build will never fail.
 -h,--help                       Print this message.
    --hints <file>               The file path to the hints XML file.
 -l,--log <file>                 The file path to write verbose logging
                                 information.
 -n,--noupdate                   Disables the automatic updating of the
                                 CPE data.
 -o,--out <path>                 The folder to write reports to. This
                                 defaults to the current directory. It is
                                 possible to set this to a specific file
                                 name if the format argument is not set to
                                 ALL.
 -P,--propertyfile <file>        A property file to load.
    --project <name>             The name of the project being scanned.
                                 This is a required argument.
 -s,--scan <path>                The path to scan - this option can be
                                 specified multiple times. Ant style paths
                                 are supported (e.g. path/**/*.jar).
    --suppression <file>         The file path to the suppression XML
                                 file. This can be specified more then
                                 once to utilize multiple suppression
                                 files
    --symLink <depth>            Sets how deep nested symbolic links will
                                 be followed; 0 indicates symbolic links
                                 will not be followed.
 -v,--version                    Print the version information.
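The help text above documents `-f JSON`, `--failOnCVSS` (default 11, so with CVSS scores of 0-10 the build never fails) and `--suppression`, and the introduction warns that .NET scans may produce false positives. The following Python script, added here as an example and not part of the original post or of the Dependency Check project, ties those together for a CI pipeline: it reads a report produced with `-f JSON`, flattens the findings, applies an "equal to or above the threshold" gate in the spirit of `--failOnCVSS`, and renders a `<suppress>` element for a finding a reviewer has confirmed to be a false positive. The report field names (`dependencies[].fileName`, `sha1`, `vulnerabilities[].name`, `cvssv3.baseScore`, `cvssv2.score`, the older flat `cvssScore`) are assumptions about the JSON report schema, so the score reader accepts whichever of them is present; the embedded report, its hashes and its CVE identifiers are constructed placeholders.

```python
"""Gate a build on an OWASP Dependency Check JSON report.

Added example, not part of the original post or of the Dependency Check
project. Mirrors the --failOnCVSS gate ("equal to or above the threshold",
default 11 so the build never fails) for a report written with `-f JSON`.
All report field names are assumptions about the JSON schema.
"""
import json
from xml.sax.saxutils import escape

# Constructed sample report (not real output): two dependencies, one with findings.
# Hashes and CVE identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "WebApplication1"},
    "dependencies": [
        {
            "fileName": "Newtonsoft.Json.dll",
            "sha1": "0000000000000000000000000000000000000001",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 4.3}},
            ],
        },
        {
            "fileName": "WebApplication1.dll",
            "sha1": "0000000000000000000000000000000000000002",
        },
    ],
})


def cvss_score(vuln):
    """Return the best available CVSS score for one vulnerability entry.

    Prefers CVSS v3, then v2, then the flat cvssScore field (assumed shapes);
    a vulnerability with no score counts as 0.0 and never trips the gate.
    """
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return float(vuln.get("cvssScore", 0.0))


def findings(report_text):
    """Flatten the report into (file name, sha1, cve, score) tuples."""
    report = json.loads(report_text)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append((dep.get("fileName"), dep.get("sha1"),
                        vuln.get("name"), cvss_score(vuln)))
    return out


def should_fail(report_text, fail_on_cvss=11.0):
    """True if any finding scores at or above the threshold (--failOnCVSS)."""
    return any(score >= fail_on_cvss for _, _, _, score in findings(report_text))


def suppression_entry(file_name, sha1, cve, note):
    """Render one <suppress> element for a reviewed false positive.

    Keyed on the dependency's sha1 so the suppression only covers this exact
    binary. Collect entries under a <suppressions> root element and pass the
    file with --suppression.
    """
    return (
        "<suppress>\n"
        f"  <notes>{escape(file_name)}: {escape(note)}</notes>\n"
        f"  <sha1>{escape(sha1)}</sha1>\n"
        f"  <cve>{escape(cve)}</cve>\n"
        "</suppress>"
    )


if __name__ == "__main__":
    for name, sha1, cve, score in findings(SAMPLE_REPORT):
        print(f"{name}: {cve} (CVSS {score})")
    # Gate at 7.0 so the constructed HIGH finding fails the build.
    print("fail build:", should_fail(SAMPLE_REPORT, fail_on_cvss=7.0))
    print(suppression_entry("Newtonsoft.Json.dll",
                            "0000000000000000000000000000000000000001",
                            "CVE-0000-0002", "reviewed, does not apply"))
```

In a pipeline, replace `SAMPLE_REPORT` with the contents of the `dependency-check-report.json` written to the `--out` folder, and exit non-zero when `should_fail` returns True. Keying suppressions on `sha1` rather than on a file name means a later upgrade of the same library is scanned afresh instead of being silently suppressed.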

C:\dependency-check\bin>dependency-check.bat -v
Dependency-Check Core version 4.0.0

C:\dependency-check\bin>cd bin

(End)
