2018-12-14
Updated 2020-06-13
OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check
Official slides
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx
Dependency Check is a Software Composition Analysis (SCA) tool: it inspects the components an application is built from and looks for known vulnerabilities in them. It uses Common Platform Enumeration (CPE) identifiers to look up information about each component. When it finds a match, it produces a report with hyperlinks to the relevant Common Vulnerabilities and Exposures (CVE) entries.
The OWASP Top 10 2013 includes the item A9 - Using Components with Known Vulnerabilities. Dependency Check can perform this check.
Note that the results can contain false positives. The tool suits Java projects better than .NET projects; .NET scans are more prone to false positives.
Note that Dependency Check uses an online database, so it needs Internet access to run.
dependency-check.bat --project "solution/project name" --scan "bin directory" --out "output file or output directory"
Example
"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"
Run output
"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2005
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2006
[INFO] Download Started for NVD CVE - 2007
[INFO] Download Started for NVD CVE - 2008
[INFO] Download Started for NVD CVE - 2009
[INFO] Download Started for NVD CVE - 2011
[INFO] Download Started for NVD CVE - 2010
[INFO] Download Started for NVD CVE - 2012
[INFO] Download Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2003 (5602 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2003
[INFO] Processing Complete for NVD CVE - 2003 (647 ms)
[INFO] Download Complete for NVD CVE - 2002 (8014 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Processing Started for NVD CVE - 2002
[INFO] Processing Complete for NVD CVE - 2002 (747 ms)
[INFO] Download Complete for NVD CVE - 2006 (9447 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2006
[INFO] Processing Complete for NVD CVE - 2006 (967 ms)
[INFO] Download Complete for NVD CVE - 2009 (12238 ms)
[INFO] Download Started for NVD CVE - 2017
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2014 (7844 ms)
[INFO] Download Started for NVD CVE - 2018
[INFO] Processing Started for NVD CVE - 2014
[INFO] Processing Complete for NVD CVE - 2009 (1416 ms)
[INFO] Download Complete for NVD CVE - 2005 (14632 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2007 (14903 ms)
[INFO] Processing Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2004 (14953 ms)
[INFO] Processing Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2015 (7110 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2008 (15947 ms)
[INFO] Processing Started for NVD CVE - 2008
[INFO] Processing Complete for NVD CVE - 2004 (2250 ms)
[INFO] Processing Complete for NVD CVE - 2005 (3067 ms)
[INFO] Download Complete for NVD CVE - 2016 (8846 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Complete for NVD CVE - 2014 (5212 ms)
[INFO] Processing Complete for NVD CVE - 2007 (4785 ms)
[INFO] Processing Complete for NVD CVE - 2008 (4954 ms)
[INFO] Download Complete for NVD CVE - Modified (6330 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - 2015 (6093 ms)
[INFO] Processing Complete for NVD CVE - Modified (1266 ms)
[INFO] Processing Complete for NVD CVE - 2016 (4642 ms)
[INFO] Download Complete for NVD CVE - 2013 (24832 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2013 (2465 ms)
[INFO] Download Complete for NVD CVE - 2012 (32090 ms)
[INFO] Processing Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2012 (2774 ms)
[INFO] Download Complete for NVD CVE - 2010 (38692 ms)
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2010 (2540 ms)
[INFO] Download Complete for NVD CVE - 2017 (41130 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Processing Complete for NVD CVE - 2017 (9080 ms)
[INFO] Download Complete for NVD CVE - 2018 (51838 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2011 (68400 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2018 (7411 ms)
[INFO] Processing Complete for NVD CVE - 2011 (11028 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (85145 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (3 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
C:\dependency-check\bin>
Run output 2
"D:\OWASP Dependency Check 4.0.0\dependency-check\bin\dependency-check.bat" --project "WebApplication1" --scan "D:\SourceCode\WebApplication1\WebApplication1\Bin" --out "D:\OWASP Dependency Check 4.0.0\Report\WebApplication1"
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (30 ms)
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
C:\dependency-check\bin>
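As an added example (not part of the original post and not dependency-check's own code): once the false positives mentioned above have been reviewed, a small script can gate the build on the JSON report (-f JSON) with an explicit allow-list instead of relying on --failOnCVSS alone. The report field names used here (dependencies[].fileName, vulnerabilities[].name, cvssv2.score, cvssv3.baseScore) are assumed to match the tool's JSON report layout, and the sample report is constructed.

```python
import json

# Constructed sample of a dependency-check JSON report, trimmed to the
# fields this script reads; file names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "LibraryA.dll",
     "vulnerabilities": [
         {"name": "CVE-0000-0001", "severity": "HIGH",
          "cvssv3": {"baseScore": 7.5}, "cvssv2": {"score": 5.0}}]},
    {"fileName": "WebApplication1.dll", "vulnerabilities": []},
    {"fileName": "LibraryB.dll",
     "vulnerabilities": [
         {"name": "CVE-0000-0002", "severity": "MEDIUM",
          "cvssv2": {"score": 4.3}}]},
]})


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def findings(report_text, reviewed=frozenset()):
    """List (fileName, cve, score) triples, highest score first, skipping
    (fileName, cve) pairs already reviewed as false positives."""
    report = json.loads(report_text)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            if (dep["fileName"], vuln["name"]) not in reviewed:
                out.append((dep["fileName"], vuln["name"], cvss_score(vuln)))
    return sorted(out, key=lambda t: -t[2])


def should_fail(report_text, threshold, reviewed=frozenset()):
    """Same idea as --failOnCVSS, but applied after the reviewed false
    positives are removed: fail when any remaining finding scores at or
    above the threshold."""
    return any(s >= threshold for _, _, s in findings(report_text, reviewed))


if __name__ == "__main__":
    for name, cve, score in findings(SAMPLE_REPORT):
        print(f"{score:4.1f}  {name}  {cve}")
    print("fail build:", should_fail(SAMPLE_REPORT, 7.0))
```

Point it at the JSON file written by --out and feed the reviewed pairs from a file kept under version control next to the suppression XML.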
2020-06-13 addendum
Run output 3
After a Dependency Check version change, the online data feed that older versions download from is sometimes no longer served, which produces errors like the ones below. Download the latest version from the official website and the problem goes away.
********************************************************************************
D:\dependency-check\bin>dependency-check.bat --project "test" --scan D:\CODE\Sample1\Sample1\bin --out C:\temp
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz
[WARN] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARN] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] No documents exist
Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Unable to download the NVD CVE data.
[ERROR] No documents exist
D:\dependency-check\bin>
********************************************************************************
C:\dependency-check\bin>dependency-check.bat -v
Dependency-Check Core version 4.0.0
C:\dependency-check\bin>

C:\dependency-check\bin>dependency-check.bat
usage: Dependency-Check Core [--advancedHelp] [--cveValidForHours <hours>] [--enableExperimental] [--enableRetired] [--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h] [--hints <file>] [-l <file>] [-n] [-o <path>] [-P <file>] [--project <name>] [-s <path>] [--suppression <file>] [--symLink <depth>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. Dependency-Check Core will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.

    --advancedHelp               Print the advanced help message.
    --cveValidForHours <hours>   The number of hours to wait before checking for new updates from the NVD.
    --enableExperimental         Enables the experimental analyzers.
    --enableRetired              Enables the retired analyzers.
    --exclude <pattern>          Specify an exclusion pattern. This option can be specified multiple times and it accepts Ant style exclusions.
 -f,--format <format>            The output format to write to (HTML, XML, CSV, JSON, VULN, or ALL). The default is HTML.
    --failOnCVSS <score>         Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.
 -h,--help                       Print this message.
    --hints <file>               The file path to the hints XML file.
 -l,--log <file>                 The file path to write verbose logging information.
 -n,--noupdate                   Disables the automatic updating of the CPE data.
 -o,--out <path>                 The folder to write reports to. This defaults to the current directory. It is possible to set this to a specific file name if the format argument is not set to ALL.
 -P,--propertyfile <file>        A property file to load.
    --project <name>             The name of the project being scanned. This is a required argument.
 -s,--scan <path>                The path to scan - this option can be specified multiple times. Ant style paths are supported (e.g. path/**/*.jar).
    --suppression <file>         The file path to the suppression XML file. This can be specified more then once to utilize multiple suppression files
    --symLink <depth>            Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.
 -v,--version                    Print the version information.

C:\dependency-check\bin>dependency-check.bat -v
Dependency-Check Core version 4.0.0
C:\dependency-check\bin>cd bin
(End)