Wednesday, August 11, 2021

[Research] OWASP Dependency Check 6.2.2, a component dependency checking tool

2021-08-11

OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check

Official slides
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx

Dependency Check is a Software Composition Analysis (SCA) tool: it inventories the components a piece of software is built from and checks them for known vulnerabilities. It uses Common Platform Enumeration (CPE) identifiers to look up information about those components, and when a match is found it produces a report with hyperlinks to the corresponding Common Vulnerabilities and Exposures (CVE) entries.

The OWASP Top 10 2013 includes the item A9, Using Components with Known Vulnerabilities. Dependency Check performs exactly this kind of check.

Note that the results can contain false positives. The tool is better suited to Java programs than to .NET programs, and .NET programs in particular may produce false positives.

Running it requires a Java JRE; without one it will not start.

Microsoft Windows [版本 10.0.19043.1110]
(c) Microsoft Corporation. 著作權所有,並保留一切權利。

C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
'java' 不是內部或外部命令、可執行的程式或批次檔。

C:\>

I installed the following (the JAVA_HOME option can be left unchecked; it is unchecked by default):

OpenJDK11U-jre_x64_windows_hotspot_11.0.11_9.msi


C:\>C:\dependency-check\bin\dependency-check.bat --v   
Dependency-Check Core version 6.2.2

C:\>

Usage

Note that Dependency Check uses an online database (the NVD), so it must be able to reach the Internet.

dependency-check.bat --project "<solution/project name>" --scan "<bin directory>" --out "<output file or output directory>"


To scan a .NET solution you also need to install the .NET Core 3.1 SDK (installing only the .NET Core 3.1 Runtime is not enough, and .NET 5.0 and .NET Framework 4.8 are separate products that do not count).

I scanned a WebForms WebApplication solution targeting .NET Framework 4.8, on a Windows 10 virtual machine restored to a clean snapshot before each test:
Experiment 1: .NET Framework 4.8 Runtime: failed
Experiment 2: .NET Framework 4.8 Dev Pack: failed
Experiment 3: .NET Core 3.1 Runtime: failed
Experiment 4: .NET Core 3.1 SDK: succeeded

Without the .NET Core 3.1 SDK installed you get the following output:


C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (250 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed by 
the tool. Use of the tool and the reporting provided constitutes acceptance for use in 
an AS IS condition, and there are NO warranties, implied or otherwise, with regard to 
the analysis or its use. Any use of the tool and the reporting provided is at the user’s 
risk. In no event shall the copyright holder or OWASP be held liable for any damages 
whatsoever arising out of or in connection with the use of this tool, the analysis 
performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

? Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was 
scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly 
Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 41 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[INFO] Writing report to: C:\Temp\dependency-check-report.html

C:\>
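The [ERROR] block above is the .NET Assembly Analyzer failing to find the dotnet host on PATH, and the very first session in this post is the CLI failing because there was no java at all. Both are cheap to detect before a scan is started. The following is an added example, not code from the original post or from the Dependency-Check project: a small Python wrapper that checks for java and dotnet on PATH, then assembles the command line. It assumes the CLI path used in the post (C:\dependency-check\bin\dependency-check.bat) and the real CLI options --project, --scan, --out, --format, --failOnCVSS and --disableAssembly (the last being the alternative the error message itself suggests when only non-.NET files need scanning). Which exact probe the analyzer runs against dotnet is not verified here; the post's four experiments only show that the SDK, not the runtime, satisfies it.

```python
"""Pre-flight check and command builder for an OWASP Dependency-Check run.

Added example, not code from the original post or from the Dependency-Check
project. Assumptions: the CLI lives at the path used in the post
(C:\\dependency-check\\bin\\dependency-check.bat) and the real CLI options
--project, --scan, --out, --format, --failOnCVSS and --disableAssembly.
"""
import shutil
import subprocess
import sys

CLI_PATH = r"C:\dependency-check\bin\dependency-check.bat"  # path from the post


def missing_prerequisites(scan_dotnet_assemblies, which=shutil.which):
    """Return the required executables that are not on PATH.

    'java' is always needed: the CLI is a Java program and Windows reports
    "'java' is not recognized ..." without a JRE. 'dotnet' is needed only
    when .exe/.dll files will be scanned, because the .NET Assembly Analyzer
    looks for the dotnet host on PATH (the [ERROR] block in the post).
    `which` is injectable so the decision logic can be tested without a
    real PATH.
    """
    required = ["java"]
    if scan_dotnet_assemblies:
        required.append("dotnet")
    return [exe for exe in required if which(exe) is None]


def build_command(cli, project, scan_dir, out_dir,
                  fail_on_cvss=7.0, report_format="JSON",
                  disable_assembly=False):
    """Assemble the argv list for one scan.

    --failOnCVSS makes the CLI exit non-zero when any finding has a CVSS
    score at or above the threshold, which is what a CI gate needs.
    --format JSON gives a machine-readable report instead of the default
    HTML one; "ALL" writes every supported format.
    --disableAssembly is the option the error message suggests when dotnet
    is unavailable and only non-.NET files need scanning.
    """
    cmd = [cli, "--project", project, "--scan", scan_dir, "--out", out_dir,
           "--format", report_format, "--failOnCVSS", str(fail_on_cvss)]
    if disable_assembly:
        cmd.append("--disableAssembly")
    return cmd


def run_scan(project, scan_dir, out_dir, scan_dotnet_assemblies=True):
    """Check prerequisites, then run the scan and return the CLI exit code.

    Returns 2 without running anything when a prerequisite is missing, so a
    missing JRE or SDK is reported up front instead of as a half-finished
    scan (the failure mode the post reproduces).
    """
    missing = missing_prerequisites(scan_dotnet_assemblies)
    if missing:
        print("missing on PATH: " + ", ".join(missing), file=sys.stderr)
        return 2
    cmd = build_command(CLI_PATH, project, scan_dir, out_dir)
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    # Same project, scan directory and output directory as the post.
    sys.exit(run_scan("WebApplication1",
                      r"C:\Code\WebApplication1\WebApplication1\bin",
                      r"C:\Temp"))
```

Run it from the same Command Prompt the post uses; a missing java or dotnet is reported in one line with exit code 2, and otherwise the CLI's own exit code (non-zero when a finding meets the --failOnCVSS threshold) is passed through, which is what a build pipeline should key on.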


A successful scan looks like this:

C:\>cd C:\dependency-check\bin

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2003  (1637 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2002  (2234 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2002
[INFO] Processing Complete for NVD CVE - 2003  (1673 ms)
[INFO] Processing Complete for NVD CVE - 2002  (3447 ms)
[INFO] Download Complete for NVD CVE - 2004  (5371 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Processing Started for NVD CVE - 2004
[INFO] Processing Complete for NVD CVE - 2004  (2557 ms)
[INFO] Download Complete for NVD CVE - 2005  (13303 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2006  (9562 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2007  (2447 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Processing Started for NVD CVE - 2007
[INFO] Processing Complete for NVD CVE - 2005  (5133 ms)
[INFO] Download Complete for NVD CVE - 2009  (3252 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2008  (7546 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Processing Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2010  (2988 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2006  (9601 ms)
[INFO] Download Complete for NVD CVE - 2012  (2472 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Processing Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2011  (3095 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2007  (10145 ms)
[INFO] Download Complete for NVD CVE - 2013  (2599 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Processing Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2014  (2599 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2015  (2683 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Complete for NVD CVE - 2016  (3402 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2017  (4516 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Download Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2018  (4226 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Started for NVD CVE - 2020
[INFO] Download Complete for NVD CVE - 2019  (3122 ms)
[INFO] Processing Started for NVD CVE - 2019
[INFO] Download Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2009  (25004 ms)
[INFO] Download Complete for NVD CVE - 2020  (18381 ms)
[INFO] Processing Started for NVD CVE - 2020
[INFO] Processing Complete for NVD CVE - 2008  (33324 ms)
[INFO] Download Complete for NVD CVE - 2021  (19030 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2010  (37242 ms)
[INFO] Processing Complete for NVD CVE - 2015  (41766 ms)
[INFO] Processing Complete for NVD CVE - 2011  (48061 ms)
[INFO] Processing Complete for NVD CVE - 2014  (46927 ms)
[INFO] Processing Complete for NVD CVE - 2016  (47451 ms)
[INFO] Processing Complete for NVD CVE - 2012  (54617 ms)
[INFO] Processing Complete for NVD CVE - 2021  (23563 ms)
[INFO] Processing Complete for NVD CVE - 2019  (45071 ms)
[INFO] Processing Complete for NVD CVE - 2018  (47689 ms)
[INFO] Processing Complete for NVD CVE - 2013  (55981 ms)
[INFO] Processing Complete for NVD CVE - 2017  (49491 ms)
[INFO] Processing Complete for NVD CVE - 2020  (32336 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (2267 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (1786 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 117835 NVD records
[INFO] Removed the CPE ecosystem on 3827 NVD records
[INFO] End database maintenance (31425 ms)
[INFO] Begin database defrag
[INFO] End database defrag (4704 ms)
[INFO] Check for updates complete (147407 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed 
by the tool. Use of the tool and the reporting provided constitutes acceptance for
 use in an AS IS condition, and there are NO warranties, implied or otherwise, with 
regard to the analysis or its use. Any use of the tool and the reporting provided is 
at the user’s risk. In no event shall the copyright holder or OWASP be held liable for
 any damages whatsoever arising out of or in connection with the use of this tool, 
the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

? Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing report to: C:\Temnp\dependency-check-report.html

C:\TEMP\dependency-check\bin>
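The scan above ends by writing an HTML report, which is fine for reading but awkward for a build pipeline. Asking the CLI for --format JSON instead gives something a script can gate on. The following is an added example, not code from the original post or from the Dependency-Check project: a Python summarizer that counts scanned and vulnerable files, lists findings by CVSS score and applies the same at-or-above-threshold rule as --failOnCVSS. The report shape it reads (top-level "dependencies", each with "fileName" and an optional "vulnerabilities" list whose entries carry "name", "severity", a "cvssv3" object with "baseScore" and a "cvssv2" object with "score") is my understanding of the JSON report; the embedded SAMPLE_REPORT is constructed, and its CVE identifiers are placeholders rather than real advisories.

```python
"""Summarize a Dependency-Check JSON report and apply a CVSS gate.

Added example, not code from the original post or from the Dependency-Check
project. The report shape used here is an assumption about the JSON report
format; SAMPLE_REPORT is constructed and its CVE ids are placeholders.
"""
import json

# Constructed sample report: three scanned files, two with findings.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "WebApplication1"},
    "dependencies": [
        {"fileName": "WebApplication1.dll"},  # no findings, key absent
        {"fileName": "example-lib.dll", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 8.1}},
            {"name": "CVE-0000-0002", "severity": "MEDIUM",
             "cvssv2": {"score": 5.0}},  # older entry with a v2 score only
        ]},
        {"fileName": "another-lib.dll", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "CRITICAL",
             "cvssv3": {"baseScore": 9.8}},
        ]},
    ],
})


def vulnerability_score(vuln):
    """CVSS v3 base score when present, else the v2 score, else None.

    Older NVD entries carry only a v2 score, so a gate that reads only
    cvssv3 would silently skip them.
    """
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def summarize(report_text):
    """Parse the JSON report into counts plus a list of findings.

    Findings are (file name, CVE id, score, severity) tuples sorted by
    score, highest first, so the most urgent item is findings[0]; entries
    without any score sort last.
    """
    report = json.loads(report_text)
    deps = report.get("dependencies", [])
    findings = []
    for dep in deps:
        for vuln in dep.get("vulnerabilities") or []:
            findings.append((dep.get("fileName", "?"), vuln.get("name", "?"),
                             vulnerability_score(vuln), vuln.get("severity", "?")))
    findings.sort(key=lambda f: (f[2] is None, -(f[2] or 0.0)))
    scores = [f[2] for f in findings if f[2] is not None]
    return {
        "project": report.get("projectInfo", {}).get("name", "?"),
        "scanned": len(deps),
        "vulnerable": sum(1 for d in deps if d.get("vulnerabilities")),
        "findings": findings,
        "max_score": max(scores) if scores else None,
    }


def should_fail(summary, threshold):
    """Same rule as the CLI's --failOnCVSS: fail at or above the threshold."""
    return summary["max_score"] is not None and summary["max_score"] >= threshold


def report_lines(summary):
    """Plain-text lines suitable for a build log."""
    lines = ["%s: %d files scanned, %d with known vulnerabilities" %
             (summary["project"], summary["scanned"], summary["vulnerable"])]
    for file_name, cve, score, severity in summary["findings"]:
        shown = "n/a" if score is None else "%.1f" % score
        lines.append("  %-24s %-16s CVSS %-4s %s" % (file_name, cve, shown, severity))
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with the contents of dependency-check-report.json
    # written to the --out directory when the CLI is run with --format JSON.
    s = summarize(SAMPLE_REPORT)
    print("\n".join(report_lines(s)))
    raise SystemExit(1 if should_fail(s, 7.0) else 0)
```

The threshold of 7.0 matches the usual "high" boundary; the sample's 9.8 finding trips it, and the v2-only entry is still counted rather than dropped, which is the detail most home-grown report parsers get wrong.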


Scanning a Java project may likewise require a Java SDK to be installed (I did not test this).

Also, even though the solution targets .NET Framework 4.8, the analysis still needed the .NET Core 3.1 SDK and not the .NET Framework 4.8 SDK (Dev Pack), which is a little puzzling (something to look into when I have time).

(End)

Related

[Research] OWASP Dependency Check 4.0.0 component dependency check
http://shaurong.blogspot.com/2018/12/owasp-dependency-check-400.html
