OWASP Vulnerabilities Scan Tool
On December 9th, 2021, a 0-day vulnerability in the popular Java logging library log4j2 was disclosed that allowed Remote Code Execution (RCE) simply by getting the application to log an attacker-controlled string (CVE-2021-44228). It was fixed in log4j 2.15.0.
Soon after, two further vulnerabilities, CVE-2021-45046 and CVE-2021-45105, were found in log4j2; they were fixed in log4j2 2.16.0 and 2.17.0 respectively, so 2.17.0 was the version to move to at the time. This is the story of just one open-source library. We use many 3rd-party libraries in our projects, and it is very difficult to track by hand which of them are safe to use. Shipping code to production that contains dependencies with known vulnerabilities is a serious security concern.
To address this problem, OWASP offers an open-source scan tool, OWASP Dependency-Check, that identifies known vulnerabilities in the libraries our code depends on.
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. Through its community-driven open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is a source for developers and technologists who want to secure the web.
Scan Tool Overview
Vulnerabilities are found with the Dependency-Check tool, an open-source Software Composition Analysis (SCA) tool. It detects publicly disclosed vulnerabilities contained within a project's dependencies: it scans the application and its dependent libraries and identifies any 3rd-party component with known vulnerabilities.
The tool addresses OWASP Top 10 2017 A9: Using Components with Known Vulnerabilities (carried forward in the 2021 edition as A06: Vulnerable and Outdated Components).
Dependency-Check has a command-line interface, a Maven plugin, a Gradle plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies and collect pieces of information about them (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, the associated Common Vulnerabilities and Exposures (CVE) entries are listed in the report. Because the match is made from evidence such as file names, manifests and pom coordinates rather than from a definitive identifier, a wrong CPE match produces false positives; the tool's False Positive and Vulnerability Suppression analyzers exist for exactly this reason, and any finding should be checked against the actual artifact before it is acted on.
Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST.
Note: The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small JSON file needs to be downloaded to keep the local copy of the data updated.
For further details, please refer to this OWASP Dependency-Check
Different ways to use tools with projects
The tool fully supports Java and .NET projects, with experimental support for other ecosystems such as Node.js, Python and Ruby.
We will see how to configure and use this tool in Java-based projects using a command-line interface, Maven plugin, and Gradle plugin.
OWASP dependency-check-cli is a command-line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool generates a report listing each dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerabilities and Exposures (CVE) entries.
Refer to this page - OWASP Dependency-Check - and download the zip file to use the tool on a Windows or Unix-based system.
Windows: dependency-check.bat file
Unix: dependency-check.sh file
Sample usage on a Unix system (--project names the project in the report, --scan points at the directory or archive to analyze):
$ ./dependency-check.sh --project "sb-application" --scan "/home/ /sb-application-lib/sb-application"
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2002 (7652 ms)
[INFO] Processing Started for NVD CVE - 2002
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/home/shardulbanker/Documents/OWASP/dependency-check-6.5.1-release/dependency-check/lib/jackson-module-afterburner-2.13.0.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Download Started for NVD CVE - 2003
[INFO] Processing Complete for NVD CVE - 2002 (4095 ms)
[INFO] Download Complete for NVD CVE - 2003 (4081 ms)
[INFO] Processing Started for NVD CVE - 2003
[INFO] Processing Complete for NVD CVE - 2003 (686 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2004 (5729 ms)
[INFO] Created CPE Index (1 second)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (6 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (11 seconds)
[INFO] Writing report to: /home/shardulbanker/Documents/OWASP/dependency-check-6.5.1-release/dependency-check/bin/./dependency-check-report.html
The "illegal reflective access" warnings come from the JDK 9+ module system, not from the scan, and do not affect the result. If you want to know more about the other command-line options, please refer to this link.
Using Maven project
Add the dependency-check-maven plugin to the pom.xml file.
Add the plugin configuration in pom.xml as below.
Now, we can try running the tool using the check command.
$ mvn org.owasp:dependency-check-maven:check
The generated report lists a summary of vulnerable dependencies, the vulnerabilities found, and other details about each dependency used by the project.
Note that the default configuration binds the check goal to the Maven verify phase: if you execute mvn clean verify, the Dependency-Check plugin runs after the tests.
Additionally, the plugin generates an HTML report under target/dependency-check-report.html.
If you are happy with the default configuration then no additional action is required. But if you want to configure and customize the plugin then take a look at this page.
As shown above, I have added one configuration parameter, failBuildOnCVSS. This fails the build if any reported vulnerability has a CVSS score at or above the threshold (7 here, i.e. High and Critical findings). See the CVSS 3.0 specification for how scores map to severities.
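For reference, here is a pom.xml plugin entry of the kind this section describes. It is an added example, not copied from the article or the project's documentation; the plugin version, the threshold of 7 and the choice to write all report formats are this example's assumptions, while failBuildOnCVSS, format and the check goal are the plugin's own parameters:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- version is this example's choice; use the current release -->
      <version>6.5.1</version>
      <configuration>
        <!-- fail the build when any dependency has a CVSS score >= 7 -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- ALL writes HTML (for people) and JSON (for CI post-processing) among others -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- bound to the verify phase by default, so "mvn verify" runs the scan -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, mvn clean verify runs the scan after the tests and fails with a non-zero exit code when the threshold is reached, which is what a CI job needs.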
Using Gradle project
Apply the dependencycheck plugin in the build.gradle file, as below.
Run the below task to generate the report.
$ gradle dependencyCheckAnalyze
This will generate a default report named build/reports/dependency-check-report.html.
You can customize the plugin and add further options in the dependencyCheck configuration block shown below. The supported configuration options are listed here.
Generate HTML and JSON reports by adding the configuration below to build.gradle.
Below Gradle tasks are also available.
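As an added example (not taken from the article), a build.gradle that applies the plugin, fails the build on the same CVSS threshold as the Maven setup, and writes both the HTML and the JSON report. The plugin version and the threshold are this example's assumptions; failBuildOnCVSS and formats are the plugin's own settings:

```groovy
plugins {
    // OWASP Dependency-Check Gradle plugin; the version is this example's choice
    id 'org.owasp.dependencycheck' version '6.5.1'
}

dependencyCheck {
    // fail the build for any dependency with a CVSS score >= 7
    failBuildOnCVSS = 7
    // HTML for reading, JSON for post-processing in CI; both land in build/reports
    formats = ['HTML', 'JSON']
}
```

Run gradle dependencyCheckAnalyze as before. The plugin also registers dependencyCheckAggregate (one report across the subprojects of a multi-project build), dependencyCheckUpdate (refresh the local NVD copy without scanning) and dependencyCheckPurge (delete the local NVD copy so the next run downloads it afresh).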
Fix vulnerability detected
When a vulnerability is detected, the best fix is to upgrade the affected dependency to a patched version. If the library is no longer maintained, consider finding a replacement library and using that in the project instead.
But it is not always that easy, because the plugin scans transitive dependencies as well. If the vulnerability lies in a dependency of one of your project's dependencies, you need to find out which direct dependency pulls it in and fix it there: upgrade that direct dependency, or, if no fixed release exists yet, pin the transitive version (a dependencyManagement entry in Maven, a resolutionStrategy in Gradle). In such a case it helps to generate the dependency tree of the project, for which the mvn dependency:tree and gradle dependencies commands come in handy.
Based on the above discussion, it is clear that open-source tools and libraries used in a project can carry vulnerabilities. That does not mean we should avoid open source, because commercial and closed-source tools and libraries are vulnerable too. What we can do is add a layer of security to our development lifecycle by using vulnerability scan tools. Based on the severity/impact and CVSS score they report, we can take appropriate mitigation steps. We can even automate this by running the scan as part of the CI/CD pipeline (Jenkins, TeamCity, Bamboo, etc.) and failing the build when a finding reaches a chosen threshold.
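As an added example (not part of the original article or of the Dependency-Check project), the following Python script applies such a CVSS gate to the JSON report that the Maven or Gradle plugin writes when the JSON format is enabled. It reads dependencies[].vulnerabilities[].cvssv3.baseScore, falls back to cvssv2.score for older CVEs that carry no v3 score, lists every finding at or above a threshold with the jar and package it belongs to, and reports whether the build should fail. The embedded SAMPLE_REPORT is a constructed, cut-down report: the two log4j entries carry their NVD scores, the commons-lang3 entry is a clean dependency, and the v2-only entry is a placeholder rather than a real CVE.

```python
"""Gate a build on the CVSS scores in an OWASP Dependency-Check JSON report.

Added example: reads the JSON report the plugins write when the JSON format is
enabled and lists every vulnerability at or above a CVSS threshold. The fields
used (dependencies[].vulnerabilities[].cvssv3.baseScore and cvssv2.score) are
the tool's JSON report fields; SAMPLE_REPORT is a constructed, cut-down report
so the script runs offline.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dependency: str   # jar / file name as reported by the scanner
    package: str      # package URL the scanner identified, if any
    cve: str
    score: float


# Constructed sample. The log4j entries carry their NVD scores; commons-lang3
# is a clean dependency; the third entry is a placeholder with a CVSS v2 score
# only (as older CVEs have), not a real CVE.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "projectInfo": {"name": "sb-application"},
    "dependencies": [
        {
            "fileName": "log4j-core-2.14.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
            "vulnerabilities": [
                {"name": "CVE-2021-44228", "severity": "CRITICAL",
                 "cvssv2": {"score": 9.3}, "cvssv3": {"baseScore": 10.0}},
                {"name": "CVE-2021-45105", "severity": "MEDIUM",
                 "cvssv2": {"score": 4.3}, "cvssv3": {"baseScore": 5.9}},
            ],
        },
        {
            "fileName": "commons-lang3-3.12.0.jar",
            "packages": [{"id": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}],
            "vulnerabilities": [],
        },
        {
            "fileName": "legacy-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "PLACEHOLDER-V2-ONLY", "severity": "HIGH", "cvssv2": {"score": 7.5}},
            ],
        },
    ],
}


def vulnerability_score(vuln: dict) -> float:
    """Highest CVSS score the entry carries: v3 base score, else v2 score, else 0."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores, default=0.0)


def findings(report: dict, threshold: float = 7.0) -> list:
    """All vulnerabilities scoring at or above threshold, highest score first."""
    out = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or []
        package = packages[0]["id"] if packages else "(unidentified)"
        for vuln in dep.get("vulnerabilities") or []:
            score = vulnerability_score(vuln)
            if score >= threshold:
                out.append(Finding(dep["fileName"], package, vuln["name"], score))
    return sorted(out, key=lambda f: (-f.score, f.dependency, f.cve))


def should_fail_build(report: dict, threshold: float = 7.0) -> bool:
    """Same idea as failBuildOnCVSS: any finding at or above threshold fails the build."""
    return bool(findings(report, threshold))


def load_report(path: str) -> dict:
    """Load a real dependency-check-report.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for f in findings(SAMPLE_REPORT, 7.0):
        print(f"{f.score:>5}  {f.cve:<22} {f.dependency}  ({f.package})")
    raise SystemExit(1 if should_fail_build(SAMPLE_REPORT, 7.0) else 0)
```

Point load_report at target/dependency-check-report.json (Maven) or build/reports/dependency-check-report.json (Gradle) to run it against a real scan; the "(unidentified)" package marker shows up when the scanner could not match a jar to a package URL, which is also the case most worth checking by hand, because both false positives and missed matches cluster there.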