[Research] OWASP Dependency Check 12.1.0 component dependency check tool (failed)
2025-04-17
OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check
Official slides
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx
https://github.com/dependency-check/DependencyCheck/releases/download/v12.1.0/dependency-check-12.1.0-release.zip
Dependency Check is a Software Composition Analysis (SCA) tool: it examines the components an application is built from and looks for known vulnerabilities in them. It uses Common Platform Enumeration (CPE) identifiers to look up information about each component. If a match is found, it generates a report with hyperlinks to the related Common Vulnerabilities and Exposures (CVE) entries.
Note that the results may contain false positives; the tool suits Java programs better than .NET programs, and may produce false positives for .NET programs.
A Java JRE is required to run it; without one it will not start.
Download the Microsoft build of OpenJDK
C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
'java' 不是內部或外部命令、可執行的程式或批次檔。

C:\>
I installed it (the JAVA_HOME option can be left unchecked; it is unchecked by default).
Note: after installing Java, you have to open a new Command Prompt before it can be used.
C:\>java --version
openjdk 17.0.13 2024-10-15 LTS
OpenJDK Runtime Environment Microsoft-10376486 (build 17.0.13+11-LTS)
OpenJDK 64-Bit Server VM Microsoft-10376486 (build 17.0.13+11-LTS, mixed mode, sharing)

C:\>
C:\dependency-check\bin>dependency-check.bat -v
Dependency-Check Core version 12.1.0

C:\dependency-check\bin>dependency-check.bat
usage: Dependency-Check Core [--advancedHelp] [--disableVersionCheck] [--enableExperimental] [--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h] [--junitFailOnCVSS <score>] [-l <file>] [-n] [--nvdApiKey <apiKey>] [-o <path>] [--prettyPrint] [--project <name>] [-s <path>] [--suppression <file>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. Dependency-Check Core will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.

    --advancedHelp               Print the advanced help message.
    --disableVersionCheck        Disables the dependency-check version check
    --enableExperimental         Enables the experimental analyzers.
    --exclude <pattern>          Specify an exclusion pattern. This option can be specified multiple times and it accepts Ant style exclusions.
 -f,--format <format>            The report format (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB or ALL). The default is HTML. Multiple format parameters can be specified.
    --failOnCVSS <score>         Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.
 -h,--help                       Print this message.
    --junitFailOnCVSS <score>    Specifies the CVSS score that is considered a failure when generating the junit report. The default is 0.
 -l,--log <file>                 The file path to write verbose logging information.
 -n,--noupdate                   Disables the automatic updating of the NVD-CVE, hosted-suppressions and RetireJS data.
    --nvdApiKey <apiKey>         The API Key to access the NVD API.
 -o,--out <path>                 The folder to write reports to. This defaults to the current directory. It is possible to set this to a specific file name if the format argument is not set to ALL.
    --prettyPrint                When specified the JSON and XML report formats will be pretty printed.
    --project <name>             The name of the project being scanned.
 -s,--scan <path>                The path to scan - this option can be specified multiple times. Ant style paths are supported (e.g. 'path/**/*.jar'); if using Ant style paths it is highly recommended to quote the argument value.
    --suppression <file>         The file path to the suppression XML file. This can be specified more then once to utilize multiple suppression files
 -v,--version                    Print the version information.

C:\dependency-check\bin>
Note: Dependency Check uses an online database, so an Internet connection is required.
dependency-check.bat --project "<solution/project name>" --scan "<bin directory>" --out "<output file or output directory>"
[Test]
The WebApplication1 solution is one I created separately with Visual Studio 2019.
Very slow; after a while the Downloaded messages appear.
C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
[INFO] NVD API has 289,264 records in this update
[INFO] Downloaded 10,000/289,264 (3%)
[INFO] Downloaded 20,000/289,264 (7%)
[INFO] Downloaded 30,000/289,264 (10%)
[INFO] Downloaded 40,000/289,264 (14%)
...(omitted)
[ERROR] Failed to process CVE-2011-3380
java.lang.NullPointerException: Cannot invoke "org.apache.commons.dbcp2.BasicDataSource.getConnection()" because "this.connectionPool" is null
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection(DatabaseManager.java:576)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability(CveDB.java:1173)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:1098)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
[ERROR] Failed to process CVE-2011-3627
java.lang.NullPointerException: Cannot invoke "org.apache.commons.dbcp2.BasicDataSource.getConnection()" because "this.connectionPool" is null
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection(DatabaseManager.java:576)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability(CveDB.java:1173)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:1098)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
C:\dependency-check\bin>
[Test with an NVD API key added]
Very slow; after a while the Downloaded messages appear.
C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp" --nvdApiKey <the key obtained from the application>
[INFO] Checking for updates
[INFO] NVD API has 289,459 records in this update
[INFO] Downloaded 10,000/289,459 (3%)
[INFO] Downloaded 20,000/289,459 (7%)
[INFO] Downloaded 30,000/289,459 (10%)
[INFO] Downloaded 40,000/289,459 (14%)
[INFO] Downloaded 50,000/289,459 (17%)
[INFO] Downloaded 60,000/289,459 (21%)
[INFO] Downloaded 70,000/289,459 (24%)
[INFO] Downloaded 80,000/289,459 (28%)
[INFO] Downloaded 90,000/289,459 (31%)
[INFO] Downloaded 100,000/289,459 (35%)
[INFO] Downloaded 110,000/289,459 (38%)
[INFO] Downloaded 120,000/289,459 (41%)
[INFO] Downloaded 130,000/289,459 (45%)
[INFO] Downloaded 140,000/289,459 (48%)
[INFO] Downloaded 150,000/289,459 (52%)
[INFO] Downloaded 160,000/289,459 (55%)
[INFO] Downloaded 170,000/289,459 (59%)
[INFO] Downloaded 180,000/289,459 (62%)
[INFO] Downloaded 190,000/289,459 (66%)
[INFO] Downloaded 200,000/289,459 (69%)
[INFO] Downloaded 210,000/289,459 (73%)
[INFO] Downloaded 220,000/289,459 (76%)
[INFO] Downloaded 230,000/289,459 (79%)
[INFO] Downloaded 240,000/289,459 (83%)
[INFO] Downloaded 250,000/289,459 (86%)
Tested twice; when I checked the next day, progress was stuck at Download, so I am giving up for now...
(to be continued)
Related
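An added example, not part of the original post or of the Dependency-Check project: a Python script that reads the console output shown in the two sessions above and decides whether the NVD update actually finished, so a scan report is not trusted when the local CVE database is partial or failed to load. The regular expressions and the sample log are constructed from the lines in this post.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the dependency-check 12.1.0 console output above.
PROGRESS_RE = re.compile(r"\[INFO\] Downloaded ([\d,]+)/([\d,]+) \((\d+)%\)")
FAILED_CVE_RE = re.compile(r"\[ERROR\] Failed to process (CVE-\d{4}-\d+)")
NO_POOL_MARKER = 'because "this.connectionPool" is null'
NO_KEY_MARKER = "An NVD API Key was not provided"

@dataclass
class UpdateSummary:
    total: int = 0                 # records the NVD API reported for this update
    downloaded: int = 0            # highest "Downloaded N/total" count seen
    failed_cves: list = field(default_factory=list)
    db_pool_lost: bool = False     # the NullPointerException on connectionPool
    missing_api_key: bool = False

def summarize_update_log(lines):
    # Walk console output line by line and collect the NVD update state.
    s = UpdateSummary()
    for line in lines:
        if NO_KEY_MARKER in line:
            s.missing_api_key = True
        elif m := PROGRESS_RE.search(line):
            s.downloaded = int(m.group(1).replace(",", ""))
            s.total = int(m.group(2).replace(",", ""))
        elif m := FAILED_CVE_RE.search(line):
            s.failed_cves.append(m.group(1))
        elif NO_POOL_MARKER in line:
            s.db_pool_lost = True
    return s

def verdict(s: UpdateSummary) -> str:
    # A report built on a partial or corrupted local CVE database is not trustworthy.
    if s.db_pool_lost or s.failed_cves:
        return "untrusted: %d CVE records failed to load; do not rerun with --noupdate" % len(s.failed_cves)
    if s.total == 0 or s.downloaded < s.total:
        pct = 100 * s.downloaded // s.total if s.total else 0
        return "incomplete: update stopped at %d%% of NVD records" % pct
    return "ok: NVD update completed"

# Constructed sample, condensed from the first session above.
SAMPLE_LOG = """\
[WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key
[INFO] NVD API has 289,264 records in this update
[INFO] Downloaded 40,000/289,264 (14%)
[ERROR] Failed to process CVE-2011-3380
java.lang.NullPointerException: Cannot invoke "org.apache.commons.dbcp2.BasicDataSource.getConnection()" because "this.connectionPool" is null
[ERROR] Failed to process CVE-2011-3627
""".splitlines()
```

Feed it the real console output (for example the file written with -l) and use the verdict to gate whether the HTML report is published.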
[Research] OWASP Dependency-Check 9.0.6 component dependency check tool
https://shaurong.blogspot.com/2023/12/owasp-dependency-check-906.html
[Research] OWASP Dependency Check 6.2.2 component dependency check tool
https://shaurong.blogspot.com/2021/08/owasp-dependency-check-622.html
[Research] OWASP Dependency Check 4.0.0 component dependency check
http://shaurong.blogspot.com/2018/12/owasp-dependency-check-400.html



