Recently on December 9th, 2021, a 0-day exploit in the popular Java logging library log4j2 was discovered that resulted in Remote Code Execution (RCE) by logging a certain string. – CVE-2021-44228. This vulnerability got fixed in log4j 2.15.0.
After that two new vulnerabilities named, CVE-2021-45046 and CVE-2021-45105, were introduced in log4j2, and they were fixed in the latest log4j2 version 2.17.0. This story is about just one open-source library. Similarly, we use many 3rd party libraries in our projects and it is very difficult to track which libraries are safe to use. We deploy applications on production and it is a high-security concern that delivered code has vulnerabilities.
To overcome this problem, OWASP offers an open-source vulnerabilities scan tool to scan and identify vulnerabilities in our code.
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. OWASP Foundation is the source for developers and technologists to secure the web. Its community-driven open-source software projects, cover hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences.
Scan Tool Overview
Vulnerabilities are scanned via dependency check tool. It is an open-source Software Composition Analysis (SCA) tool. It detects publicly disclosed vulnerabilities contained within a project’s dependencies. In a way, it is used to find vulnerabilities that exist in 3rd party dependencies/libraries. It scans applications (and their dependent libraries) to identify any known vulnerable components.
The tool is part of a solution under OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities
Dependency-check has a command-line interface, a Maven plugin, a Gradle plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analysers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) or the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries is listed in a report.
Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST.
Note: The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small JSON file needs to be downloaded to keep the local copy of the data updated.
For further details, please refer to this OWASP Dependency-Check
Different ways to use tools with projects
This tool is used to scan Java, .NET, Node.js based projects.
We will see how to configure and use this tool in Java-based projects using a command-line interface, Maven plugin, and Gradle plugin.
OWASP dependency-check-cli is a command-line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Refer this page – OWASP Dependency-Check and download zip file to use tool in Windows or Unix based system.
Windows: dependency-check.bat file
Unix: dependency-check.sh file
Sample usage in Unix system:
$ ./dependency-check.sh –project “sb-application” –scan “/home/ /sb-application-lib/sb-application”
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE – 2002
[INFO] Download Complete for NVD CVE – 2002 (7652 ms)
[INFO] Processing Started for NVD CVE – 2002
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.Jackson.module.afterburner.util.MyClassLoader (file:/home/shardulbanker/Documents/OWASP/dependency-check-6.5.1-release/dependency-check/lib/jackson-module-afterburner-2.13.0.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.Jackson.module.afterburner.util.MyClassLoader
WARNING: Use –illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Download Started for NVD CVE – 2003
[INFO] Processing Complete for NVD CVE – 2002 (4095 ms)
[INFO] Download Complete for NVD CVE – 2003 (4081 ms)
[INFO] Processing Started for NVD CVE – 2003
[INFO] Processing Complete for NVD CVE – 2003 (686 ms)
[INFO] Download Started for NVD CVE – 2004
[INFO] Download Complete for NVD CVE – 2004 (5729 ms)
[INFO] Created CPE Index (1 second)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (6 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (11 seconds)
[INFO] Writing report to: /home/shardulbanker/Documents/OWASP/dependency-check-6.5.1-release/dependency-check/bin/./dependency-check-report.html
If you want to know more about various other command-line options, please refer to this link