Monday, December 18, 2023

[Research] OWASP Dependency-Check 9.0.6 component dependency checking tool

2023-12-18

OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check

Official slides
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx

dependency-check-9.0.6-release.zip was released on 2023-12-15.

Dependency-Check is a Software Composition Analysis (SCA) tool: it identifies the third-party components an application ships with and looks up publicly disclosed vulnerabilities in them. It works by collecting evidence (vendor, product, version) from each dependency and matching it to a Common Platform Enumeration (CPE) identifier; when a match is found, the report lists the associated Common Vulnerabilities and Exposures (CVE) entries with links to their NVD pages.

Note that the results can contain false positives (and false negatives). The tool is more mature for Java than for .NET, and .NET assemblies are more likely to be misidentified.

Running it requires a Java runtime (JRE); without one it will not start:

Microsoft Windows [Version 10.0.19043.1110]
(c) Microsoft Corporation. All rights reserved.

C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
'java' is not recognized as an internal or external command, operable program or batch file.

C:\>

I installed a JDK (the installer's JAVA_HOME option can be left unchecked; it is unchecked by default):

C:\dependency-check\bin>java --version
openjdk 17.0.3 2022-04-19 LTS
OpenJDK Runtime Environment Microsoft-32931 (build 17.0.3+7-LTS)
OpenJDK 64-Bit Server VM Microsoft-32931 (build 17.0.3+7-LTS, mixed mode, sharing)

C:\dependency-check\bin>


C:\dependency-check\bin>dependency-check.bat -v
Dependency-Check Core version 9.0.6
C:\dependency-check\bin>dependency-check.bat
usage: Dependency-Check Core [--advancedHelp] [--enableExperimental]
       [--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h]
       [--junitFailOnCVSS <score>] [-l <file>] [-n] [--nvdApiKey <apiKey>]
       [-o <path>] [--prettyPrint] [--project <name>] [-s <path>]
       [--suppression <file>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE
vulnerabilities in libraries utilized by an application. Dependency-Check
Core will automatically update required data from the Internet, such as
the CVE and CPE data files from nvd.nist.gov.

    --advancedHelp              Print the advanced help message.
    --enableExperimental        Enables the experimental analyzers.
    --exclude <pattern>         Specify an exclusion pattern. This option
                                can be specified multiple times and it
                                accepts Ant style exclusions.
 -f,--format <format>           The report format (HTML, XML, CSV, JSON,
                                JUNIT, SARIF, JENKINS, GITLAB or ALL). The
                                default is HTML. Multiple format
                                parameters can be specified.
    --failOnCVSS <score>        Specifies if the build should be failed if
                                a CVSS score above a specified level is
                                identified. The default is 11; since the
                                CVSS scores are 0-10, by default the build
                                will never fail.
 -h,--help                      Print this message.
    --junitFailOnCVSS <score>   Specifies the CVSS score that is
                                considered a failure when generating the
                                junit report. The default is 0.
 -l,--log <file>                The file path to write verbose logging
                                information.
 -n,--noupdate                  Disables the automatic updating of the
                                NVD-CVE, hosted-suppressions and RetireJS
                                data.
    --nvdApiKey <apiKey>        The API Key to access the NVD API.
 -o,--out <path>                The folder to write reports to. This
                                defaults to the current directory. It is
                                possible to set this to a specific file
                                name if the format argument is not set to
                                ALL.
    --prettyPrint               When specified the JSON and XML report
                                formats will be pretty printed.
    --project <name>            The name of the project being scanned.
 -s,--scan <path>               The path to scan - this option can be
                                specified multiple times. Ant style paths
                                are supported (e.g. 'path/**/*.jar'); if
                                using Ant style paths it is highly
                                recommended to quote the argument value.
    --suppression <file>        The file path to the suppression XML file.
                                This can be specified more then once to
                                utilize multiple suppression files
 -v,--version                   Print the version information.

C:\dependency-check\bin>

Usage

Note that Dependency-Check pulls its data from online sources (the NVD, the RetireJS repository, the CISA Known Exploited Vulnerabilities list and Sonatype OSS Index), so an Internet connection is required unless the local database has already been populated and the scan is run with -n.

dependency-check.bat --project "<solution/project name>" --scan "<bin directory>" --out "<output file or output directory>"


To scan a .NET solution, the .NET Core 3.1 SDK must also be installed
(the .NET Core 3.1 Runtime alone was not enough in the tests below; .NET 5.0 and .NET Framework 4.8 are separate products and do not satisfy this).

I scanned a WebForms web application solution targeting .NET Framework 4.8, on a Windows 10 virtual machine restored from a snapshot before each test:
Experiment 1: .NET Framework 4.8 Runtime: failed
Experiment 2: .NET Framework 4.8 Developer Pack: failed
Experiment 3: .NET Core 3.1 Runtime: failed
Experiment 4: .NET Core 3.1 SDK: succeeded

Without the .NET Core 3.1 SDK installed, the run ends like this:


C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan
   "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (250 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed by 
the tool. Use of the tool and the reporting provided constitutes acceptance for use in 
an AS IS condition, and there are NO warranties, implied or otherwise, with regard to 
the analysis or its use. Any use of the tool and the reporting provided is at the user’s 
risk. In no event shall the copyright holder or OWASP be held liable for any damages 
whatsoever arising out of or in connection with the use of this tool, the analysis 
performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

   Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was 
scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly 
Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 41 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[INFO] Writing report to: C:\Temp\dependency-check-report.html

C:\>

The 9.0.6 scan failed, and the log shows two independent problems. First, the NVD update: 9.x fetches CVE data through the NVD API 2.0 instead of the old per-year JSON feeds, and an unauthenticated client is heavily rate-limited; here the download stopped with HTTP 403 after 210,000 of 233,564 records, the usual sign of hitting that limit. An API key raises the limit and is in practice required for a first full download to finish in reasonable time. Second, the RetireJS repository fetch from raw.githubusercontent.com failed with "PKIX path building failed ... unable to find valid certification path to requested target": the JVM's truststore does not contain the CA that issued the certificate presented for that host, which on a managed network usually means a TLS-inspecting proxy. The API key does nothing for this second problem; the fix is to import the proxy's CA certificate into the JVM truststore (keytool), not to disable certificate validation. An air-gapped build can instead point the tool at an internal mirror of the NVD data (--nvdDatafeed).

NVD - API Key Request
https://nvd.nist.gov/developers/request-an-api-key

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
[INFO] NVD API has 233,564 records in this update
[INFO] Downloaded 10,000/233,564 (4%)
[INFO] Downloaded 20,000/233,564 (9%)
[INFO] Downloaded 30,000/233,564 (13%)
[INFO] Downloaded 40,000/233,564 (17%)
[INFO] Downloaded 50,000/233,564 (21%)
[INFO] Downloaded 60,000/233,564 (26%)
[INFO] Downloaded 70,000/233,564 (30%)
[INFO] Downloaded 80,000/233,564 (34%)
[INFO] Downloaded 90,000/233,564 (39%)
[INFO] Downloaded 100,000/233,564 (43%)
[INFO] Downloaded 110,000/233,564 (47%)
[INFO] Downloaded 120,000/233,564 (51%)
[INFO] Downloaded 130,000/233,564 (56%)
[INFO] Downloaded 140,000/233,564 (60%)
[INFO] Downloaded 150,000/233,564 (64%)
[INFO] Downloaded 160,000/233,564 (69%)
[INFO] Downloaded 170,000/233,564 (73%)
[INFO] Downloaded 180,000/233,564 (77%)
[INFO] Downloaded 190,000/233,564 (81%)
[INFO] Downloaded 200,000/233,564 (86%)
[INFO] Downloaded 210,000/233,564 (90%)
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:375)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:115)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:711)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
        at org.owasp.dependencycheck.App.runScan(App.java:262)
        at org.owasp.dependencycheck.App.run(App.java:194)
        at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:348)
        ... 7 common frames omitted
[ERROR] Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:152)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:95)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:711)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
        at org.owasp.dependencycheck.App.runScan(App.java:262)
        at org.owasp.dependencycheck.App.run(App.java:194)
        at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'C:\dependency-check\data\jsrepository.json'; Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:150)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:99)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:150)
        ... 7 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:267)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:137)
        ... 9 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:206)
        ... 11 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 31 common frames omitted
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (2726 ms)
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Failed to initialize the RetireJS repo
[ERROR] No documents exist

C:\dependency-check\bin>
C:\dependency-check\bin>

Email received after the request:

Request for NVD API Key
Inbox

nvd-noreply@nist.gov
10:31 AM (6 minutes ago)
to me

Thank you for your request for an NVD API Key. Please click the link below to confirm your receipt of this email and activate your API Key. If your key is not activated within seven days, a request for a new API Key must be submitted.

https://nvd.nist.gov/developers/confirm-api-key?uuid=(omitted)

For additional information on both the CVE and CPE API, please visit https://nvd.nist.gov/developers.

If you did not request an API Key from the NVD, please contact NVD Support at nvd@nist.gov.

V/r
National Vulnerability Database Team
nvd@nist.gov

Clicking the link in the email:

NVD API Key Activated
Thank you for confirming your request for an NVD API key. Please securely save this key. Once you close or leave this page, the key will no longer be accessible from this link. If you lose or forget your API key you must request a new one. There is no process for recovering an API Key.

API Key: (omitted)

To request a new API key, please resubmit an API Key Request. Please note that activating a new key will deactivate the key shown above.

Scan again, this time passing the key with --nvdApiKey:

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"  --nvdApiKey (omitted)
[INFO] Checking for updates
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:375)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:115)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:711)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
        at org.owasp.dependencycheck.App.runScan(App.java:262)
        at org.owasp.dependencycheck.App.run(App.java:194)
        at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:348)
        ... 7 common frames omitted
[ERROR] Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:152)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:95)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:711)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
        at org.owasp.dependencycheck.App.runScan(App.java:262)
        at org.owasp.dependencycheck.App.run(App.java:194)
        at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'C:\dependency-check\data\jsrepository.json'; Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:150)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:99)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:150)
        ... 7 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:267)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:137)
        ... 9 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:206)
        ... 11 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 31 common frames omitted
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Failed to initialize the RetireJS repo
[ERROR] No documents exist

C:\dependency-check\bin>
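
The runs above pass the key as --nvdApiKey on the command line, where it ends up in shell history and is visible to any process listing. The NVD's activation page asks that the key be stored securely, so a wrapper that keeps it out of argv is worth having. The following Python script is an added example for this post, not part of Dependency-Check: it checks that java and dotnet are on PATH before starting (the two failures shown earlier), writes the key into a temporary properties file under Dependency-Check's documented property name nvd.api.key and passes that file with --propertyfile, and asks for HTML plus JSON output with a CVSS gate. The install path C:\dependency-check, the NVD_API_KEY environment variable and the 7.0 threshold are assumptions, not settings from the post.

```python
r"""Run OWASP Dependency-Check with the NVD API key kept off the command line.

Added example for this post; not part of Dependency-Check itself.
Assumptions (not from the post): the install path C:\dependency-check,
the key arriving in the NVD_API_KEY environment variable, and the CVSS
gate of 7.0. nvd.api.key is Dependency-Check's documented property name
for the key; --propertyfile, --format, --failOnCVSS and --noupdate are
options listed by the CLI's help.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from typing import List, Optional

ODC_BAT = r"C:\dependency-check\bin\dependency-check.bat"  # assumption


def preflight() -> List[str]:
    """Return the prerequisites missing from PATH.

    'java' is required to start the tool at all ('java' is not recognized...);
    'dotnet' is required by the .NET Assembly Analyzer whenever an .exe or
    .dll is scanned (the "'dotnet' executable could not be found" error).
    """
    return [tool for tool in ("java", "dotnet") if shutil.which(tool) is None]


def render_properties(api_key: str) -> str:
    """Properties-file content carrying the key under its documented name."""
    return f"nvd.api.key={api_key}\n"


def build_command(project: str, scan_path: str, out_dir: str,
                  prop_file: Optional[str], fail_on_cvss: float = 7.0,
                  offline: bool = False) -> List[str]:
    """Assemble argv for dependency-check.bat.

    The key travels in the properties file, so it never appears in argv,
    process listings or shell history (unlike --nvdApiKey <key>).
    HTML is kept for humans; JSON is added for machine post-processing.
    """
    cmd = [
        ODC_BAT,
        "--project", project,
        "--scan", scan_path,
        "--out", out_dir,
        "--format", "HTML",
        "--format", "JSON",
        "--failOnCVSS", str(fail_on_cvss),
    ]
    if prop_file:
        cmd += ["--propertyfile", prop_file]
    if offline:
        cmd.append("--noupdate")  # same as -n: scan against the local database only
    return cmd


def main(argv: List[str]) -> int:
    if len(argv) != 4:
        print("usage: run_odc.py <project> <scan path> <out dir>", file=sys.stderr)
        return 2
    missing = preflight()
    if missing:
        print("missing on PATH: " + ", ".join(missing), file=sys.stderr)
        return 2
    api_key = os.environ.get("NVD_API_KEY")
    if not api_key:
        print("NVD_API_KEY is not set; the NVD update will run unauthenticated",
              file=sys.stderr)
    # The properties file lives in a private temp dir and is deleted afterwards.
    with tempfile.TemporaryDirectory() as tmp:
        prop_file = None
        if api_key:
            prop_file = os.path.join(tmp, "odc.properties")
            with open(prop_file, "w", encoding="utf-8") as fh:
                fh.write(render_properties(api_key))
        cmd = build_command(argv[1], argv[2], argv[3], prop_file)
        # Non-zero exit when the tool fails or --failOnCVSS is exceeded.
        return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python run_odc.py WebApplication1 C:\Code\WebApplication1\WebApplication1\bin C:\Temp` with NVD_API_KEY set in the environment of the CI job; the properties file only exists for the duration of the scan. Passing offline=True reproduces the -n runs shown later on this page.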

That run still failed: with the key, the NVD API returned 404 instead of 403, and the RetireJS TLS failure is unchanged (expected, since the key plays no part in the download from GitHub). Scanning again with -n, which skips every data-source update and analyzes against whatever the local database already holds (here, at most the partial NVD download from the earlier run):

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"  --nvdApiKey (omitted)  -n
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

   Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[INFO] Writing HTML report to: C:\Temp\dependency-check-report.html

C:\dependency-check\bin>



********************************************************************************

This time without the NVD API key, but again with -n:

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"  -n
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

   Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing HTML report to: C:\Temp\dependency-check-report.html

C:\dependency-check\bin>

********************************************************************************

Comparing the two -n runs, with and without the API key, the analysis output is identical: with -n no update is attempted, so the key is never used. Note also what this report is worth. It was produced from a database that never completed its NVD download, and once -n is given the console gives no hint of that. A report with no findings under these conditions is not evidence that the dependencies are free of known CVEs; the earlier warning "Results may not include recent vulnerabilities" still applies, and a -n scan should only be trusted when a fully updated database has been prepared first.
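
Because the console output of a -n run looks the same whether the database is current or half-empty, the check has to be made on the report itself. The Python script below is an added example for this post, not Dependency-Check's own code: it reads the JSON report written by --format JSON, refuses a report whose "NVD CVE Checked" data-source timestamp is missing or older than a freshness limit, and fails the build when any finding's CVSS v3 base score (or v2 score) reaches a threshold. The embedded report, its placeholder CVE identifiers and package name, the 7-day limit and the 7.0 threshold are constructed for illustration; the exact timestamp format is not shown on this page, so the parser accepts ISO 8601 as well as epoch values (an assumption).

```python
"""Gate a build on a Dependency-Check JSON report and catch a stale scan.

Added example for this post; not Dependency-Check's own code. It reads the
report written by --format JSON: scanInfo.dataSource (name/timestamp pairs,
shown as "NVD CVE Checked" in the report's scan information) and each
dependency's vulnerabilities with cvssv3.baseScore / cvssv2.score.
SAMPLE_REPORT, its placeholder CVE ids and package name, the 7-day limit and
the 7.0 threshold are constructed for illustration. The timestamp format is
not shown on this page, so ISO 8601 and epoch values are both accepted
(an assumption).
"""
import json
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SAMPLE_REPORT = json.dumps({  # constructed; not the result of a real scan
    "reportSchema": "1.1",
    "scanInfo": {
        "engineVersion": "9.0.6",
        "dataSource": [
            {"name": "NVD CVE Checked", "timestamp": "2023-12-18T02:00:00"},
            {"name": "NVD CVE Modified", "timestamp": "2023-12-18T02:00:00"},
        ],
    },
    "projectInfo": {"name": "WebApplication1", "reportDate": "2023-12-18T10:45:00Z"},
    "dependencies": [
        {
            "fileName": "Example.Json.dll",
            "packages": [{"id": "pkg:nuget/Example.Json@1.2.3"}],
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
                {"name": "CVE-0000-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
            ],
        },
        {"fileName": "Clean.dll", "vulnerabilities": []},
    ],
})


def parse_timestamp(value) -> Optional[datetime]:
    """Accept ISO 8601 (with or without zone) or epoch seconds/milliseconds."""
    if value is None:
        return None
    text = str(value).strip()
    if text.isdigit():
        epoch = int(text)
        if epoch > 10 ** 11:  # milliseconds
            epoch //= 1000
        return datetime.fromtimestamp(epoch, tz=timezone.utc)
    try:
        parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def cvss_score(vuln: dict) -> float:
    """Highest score the report gives for one finding (v3 preferred, v2 fallback)."""
    candidates = [
        (vuln.get("cvssv3") or {}).get("baseScore"),
        (vuln.get("cvssv2") or {}).get("score"),
    ]
    return max((float(s) for s in candidates if s is not None), default=0.0)


def gate(report_text: str, threshold: float, max_age_days: int,
         now_iso: str) -> Tuple[bool, List[str]]:
    """Return (passed, reasons): fresh NVD data and no finding at or above threshold."""
    report = json.loads(report_text)
    now = parse_timestamp(now_iso)
    reasons: List[str] = []

    sources = {d.get("name"): d.get("timestamp")
               for d in report.get("scanInfo", {}).get("dataSource", [])}
    checked = parse_timestamp(sources.get("NVD CVE Checked"))
    if checked is None:
        # Typical of a -n run against an empty or never-updated database:
        # a clean report here proves nothing.
        reasons.append("NVD data freshness unknown: no 'NVD CVE Checked' timestamp in scanInfo")
    elif now - checked > timedelta(days=max_age_days):
        reasons.append(f"NVD data is {(now - checked).days} days old "
                       f"(last checked {checked.isoformat()}); rerun without -n")

    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = cvss_score(vuln)
            if score >= threshold:
                reasons.append(f"{dep.get('fileName')}: {vuln.get('name')} "
                               f"CVSS {score} >= {threshold}")
    return (not reasons, reasons)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, why = gate(text, 7.0, 7, datetime.now(timezone.utc).isoformat())
    for line in why:
        print(line)
    sys.exit(0 if passed else 1)
```

Point it at C:\Temp\dependency-check-report.json after a scan run with --format JSON (or --format ALL). The freshness check is the part that --failOnCVSS alone cannot give you: the tool's own exit code only reflects findings, and a scan against stale data has no findings to report.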

********************************************************************************

For comparison, a successful scan with the old version 4.0 (which still downloaded the per-year NVD JSON feeds):

C:\>cd C:\dependency-check\bin

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan
   "C:\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2003  (1637 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2002  (2234 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2002
[INFO] Processing Complete for NVD CVE - 2003  (1673 ms)
[INFO] Processing Complete for NVD CVE - 2002  (3447 ms)
[INFO] Download Complete for NVD CVE - 2004  (5371 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Processing Started for NVD CVE - 2004
[INFO] Processing Complete for NVD CVE - 2004  (2557 ms)
[INFO] Download Complete for NVD CVE - 2005  (13303 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2006  (9562 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2007  (2447 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Processing Started for NVD CVE - 2007
[INFO] Processing Complete for NVD CVE - 2005  (5133 ms)
[INFO] Download Complete for NVD CVE - 2009  (3252 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2008  (7546 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Processing Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2010  (2988 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2006  (9601 ms)
[INFO] Download Complete for NVD CVE - 2012  (2472 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Processing Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2011  (3095 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2007  (10145 ms)
[INFO] Download Complete for NVD CVE - 2013  (2599 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Processing Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2014  (2599 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2015  (2683 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Complete for NVD CVE - 2016  (3402 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2017  (4516 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Download Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2018  (4226 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Started for NVD CVE - 2020
[INFO] Download Complete for NVD CVE - 2019  (3122 ms)
[INFO] Processing Started for NVD CVE - 2019
[INFO] Download Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2009  (25004 ms)
[INFO] Download Complete for NVD CVE - 2020  (18381 ms)
[INFO] Processing Started for NVD CVE - 2020
[INFO] Processing Complete for NVD CVE - 2008  (33324 ms)
[INFO] Download Complete for NVD CVE - 2021  (19030 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2010  (37242 ms)
[INFO] Processing Complete for NVD CVE - 2015  (41766 ms)
[INFO] Processing Complete for NVD CVE - 2011  (48061 ms)
[INFO] Processing Complete for NVD CVE - 2014  (46927 ms)
[INFO] Processing Complete for NVD CVE - 2016  (47451 ms)
[INFO] Processing Complete for NVD CVE - 2012  (54617 ms)
[INFO] Processing Complete for NVD CVE - 2021  (23563 ms)
[INFO] Processing Complete for NVD CVE - 2019  (45071 ms)
[INFO] Processing Complete for NVD CVE - 2018  (47689 ms)
[INFO] Processing Complete for NVD CVE - 2013  (55981 ms)
[INFO] Processing Complete for NVD CVE - 2017  (49491 ms)
[INFO] Processing Complete for NVD CVE - 2020  (32336 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (2267 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (1786 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 117835 NVD records
[INFO] Removed the CPE ecosystem on 3827 NVD records
[INFO] End database maintenance (31425 ms)
[INFO] Begin database defrag
[INFO] End database defrag (4704 ms)
[INFO] Check for updates complete (147407 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed 
by the tool. Use of the tool and the reporting provided constitutes acceptance for
 use in an AS IS condition, and there are NO warranties, implied or otherwise, with 
regard to the analysis or its use. Any use of the tool and the reporting provided is 
at the user’s risk. In no event shall the copyright holder or OWASP be held liable for
 any damages whatsoever arising out of or in connection with the use of this tool, 
the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

   Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing report to: C:\Temnp\dependency-check-report.html

C:\TEMP\dependency-check\bin>


Scanning a Java project does not need a JDK: the JRE that runs Dependency-Check is enough, because the Jar analyzer only reads manifests and embedded pom.xml files and never compiles anything. (Not tested here.)

One more observation: the solution targets .NET Framework 4.8, yet the analysis needs the .NET Core 3.1 SDK rather than the .NET Framework 4.8 Developer Pack. This is less odd than it looks. The .NET requirement belongs to Dependency-Check's own helper, GrokAssembly, which the Assembly Analyzer launches through the dotnet host to read assembly metadata (name, version, company) from each .exe and .dll. The framework the scanned assemblies target is irrelevant; what matters is that dotnet is on PATH (or supplied with the --dotnet option listed in --advancedHelp) together with a runtime the helper can run on.

(End)

Related

[Research] OWASP Dependency-Check 9.0.6 component dependency checking tool
https://shaurong.blogspot.com/2023/12/owasp-dependency-check-906.html

[Research] OWASP Dependency Check 6.2.2 component dependency checking tool
https://shaurong.blogspot.com/2021/08/owasp-dependency-check-622.html

[Research] OWASP Dependency Check 4.0.0 component dependency checking
http://shaurong.blogspot.com/2018/12/owasp-dependency-check-400.html
