Third-party libraries and frameworks are commonly used in software development to provide useful functionality without having to build everything from scratch. However, incorporating third-party code also introduces security risks if those libraries contain vulnerabilities. Using components with known vulnerabilities is one of the top application security risks according to OWASP. To help identify and mitigate these risks, OWASP provides an open-source tool called Dependency-Check.
In this comprehensive guide, we’ll explore how Dependency-Check works, its key benefits, and potential limitations to be aware of.
Introduction to OWASP Dependency-Check
OWASP Dependency-Check is a free software composition analysis (SCA) tool that helps identify vulnerabilities in third-party libraries and dependencies used by Java, .NET, Python, Ruby, and other applications.
The tool works by analyzing project dependencies and matching them against the National Vulnerability Database (NVD), which contains a repository of known vulnerabilities identified by Common Vulnerabilities and Exposures (CVE) identifiers. Dependency-Check generates detailed reports showing any vulnerable libraries, the associated CVEs, severity ratings, and remediation guidance.
This automated analysis helps developers and security teams identify risky dependencies early in the development process, allowing vulnerabilities to be remediated proactively before software release. Integrating Dependency-Check into the build pipeline provides continuous visibility into vulnerable components before they can be exploited.
Now let’s look at how Dependency-Check works under the hood.
How OWASP Dependency-Check Works
Dependency-Check works through several steps:
1. Analyzing Project Dependencies
The first phase involves analyzing the application source code and metadata to identify dependencies used by the project. Dependency-Check looks for evidence such as:
- Manifests (e.g. pom.xml in Maven)
- Package manager files (e.g. requirements.txt in Python)
- Binary analysis of libraries and assemblies
Dependency-Check uses a series of analyzers to extract vendor, product, and version information from scanned files to build up evidence about project dependencies.
<!-- Maven pom.xml showing project dependencies -->
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>5.3.18</version>
</dependency>
</dependencies>
The evidence collected is assigned a confidence rating based on the reliability of the source.
2. Identifying Dependencies via Common Platform Enumeration (CPE)
Next, Dependency-Check attempts to identify the Common Platform Enumeration (CPE) identifier for each dependency.
CPE provides a standardized method for naming software and hardware components, including the vendor, product family, major version, minor version, patch level, and other distinguishing information.
For example, a specific version of the Spring Framework library would have a CPE identifier like:
cpe:2.3:a:pivotal_software:spring_framework:5.3.18:*:*:*:*:*:*:*
The CPE identifier allows Dependency-Check to uniquely pinpoint the exact component being used. If evidence is conflicting, the CPE confidence score will reflect the uncertainty.
3. Comparing Against Vulnerability Database
Once CPE data has been compiled, Dependency-Check compares it against the National Vulnerability Database (NVD) to identify any known vulnerabilities.
The NVD provides CVE (Common Vulnerabilities and Exposures) data through an online searchable database. Each CVE entry contains information about a specific vulnerability such as a description, severity scores, and references to advisories or patches.
By matching CPE identifiers against the NVD data, Dependency-Check can automatically flag vulnerable libraries being used by the application.
4. Analyzing Vulnerability Details
If a vulnerable component is identified, Dependency-Check will gather additional details about the issue from the CVE entry and other sources such as:
- Description of the vulnerability
- Severity scores (CVSS)
- References to security advisories about the issue
- Information about vulnerable configurations
- Available patches, upgrades, or workarounds
This information enables developers to better understand risk levels and remediation options.
5. Reporting Results
Finally, Dependency-Check generates a detailed report in HTML or XML format showing all vulnerabilities found, along with:
- List of affected libraries/dependencies
- CVE and CPE identifiers
- Severity score metrics
- Links to remediation guidance
The reports provide an easy way to consume vulnerability scan results and share findings with stakeholders to support remediation efforts.
Key Benefits of Using OWASP Dependency-Check
Let’s explore some of the main benefits of using Dependency-Check:
Automates Vulnerability Detection
Dependency-Check automates the process of scanning project dependencies for known vulnerable components, freeing developers from having to conduct manual reviews. Automating this analysis ensures vulnerabilities are consistently detected and flagged for remediation in a standardized way.
Integrates with Build Tools
In addition to the command line interface, Dependency-Check can integrate directly into build tools like Maven and Jenkins. This enables automatic scanning of dependencies as part of the application build pipeline. Vulnerabilities can be detected early during development, rather than later in production.
Provides Actionable Results
The detailed reports provide developers and security teams with the information needed to take action on identified vulnerabilities. CVE links provide background details while severity scores help prioritize the most critical issues.
Supports Multiple Languages
While Java and .NET are fully supported, Dependency-Check also includes experimental support for Python, Ruby, and Node.js. This makes it useful for polyglot projects using different languages and frameworks.
Regular Vulnerability Database Updates
The NVD vulnerability data leveraged by Dependency-Check is updated frequently as new issues are discovered. Daily and weekly updates are available, ensuring the tool can detect emerging threats.
Open Source Tool
Dependency-Check is open source which allows community involvement to contribute updates and new capabilities. The source code is freely available for review and customization if needed.
Detailed Troubleshooting Information
In addition to the reports, Dependency-Check provides troubleshooting information such as logging and the ability to inspect evidence sources and analysis. This helps debug any issues with dependency detection.
Potential Limitations to Consider
While Dependency-Check is a useful tool, it’s important to be aware of some limitations:
Possibility of False Positives
Incorrect or outdated metadata could result in false positives where Dependency-Check flags a dependency as vulnerable when it’s not. For example, if evidence about the version is wrong or a vulnerability was fixed in a newer release. Some manual verification of results may be warranted.
Limited to Known Vulnerabilities
Dependency-Check can only detect vulnerabilities that are already documented in the NVD database. New zero-day vulnerabilities or those not yet cataloged will be missed. Periodic rescans are needed to detect new issues.
Transitive Dependencies Can Be Difficult
Analyzing transitive dependencies that are included indirectly can be challenging. Multiple levels of dependencies may need to be recursively scanned. Suppression rules can help reduce noise from indirect dependencies.
Manual Remediation Required
While Dependency-Check finds vulnerabilities, it does not automatically fix or upgrade dependencies. Developers need to implement suggested remediation guidance manually based on the reports.
Potential Performance Overhead
Scanning dependencies during builds may add extra processing overhead, increasing build times. Caching and other optimizations can help minimize impact.
Limited Language Support Currently
The core Java and .NET analyzers tend to be the most robust. Support for additional languages like Python, Ruby, C/C++ is still evolving.
Conclusion
In summary, OWASP Dependency-Check is a valuable free tool that can help identify vulnerable components used by software applications. By automatically matching project dependencies against known vulnerabilities, issues can be detected proactively. Integrating Dependency-Check into CI/CD pipelines enables continuous visibility and prompts developers to remediate problems.