github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-17 17:21:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

documentation v1.3.1

Browse Source
This commit is contained in:
Jeremy Long
2015-09-20 07:41:29 -04:00
parent 4fd8873223
commit 191c5fae56
1456 changed files with 125936 additions and 63077 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
general/dep-check-date.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/sh
CLI_LOCATION=~/.local/dependency-check-1.2.11
CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh
NVD_PATH=$1/`date -I -d $2`
NVD=file://$NVD_PATH
shift 2 # We've used the first two params. The rest go to CLI_SCRIPT.
$CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \
--cveUrl12Base $NVD/nvdcve-%d.xml.gz \
--cveUrl20Modified $NVD/nvdcve-2.0-Modified.xml.gz \
--cveUrl12Modified $NVD/nvdcve-Modified.xml.gz \
--data $NVD_PATH $@

77
general/internals.html
View File

@@ -1,21 +1,21 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-08-04
| Rendered using Apache Maven Fluido Skin 1.3.1
| Generated by Apache Maven Doxia at 2015-09-20
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150804" />
<meta name="Date-Revision-yyyymmdd" content="20150920" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - How does dependency-check work?</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" />
<title>dependency-check &#x2013; How does dependency-check work?</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script>
<script type="text/javascript" src="../js/apache-maven-fluido-1.4.min.js"></script>
@@ -29,7 +29,7 @@
<a href="http://github.com/jeremylong/DependencyCheck">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
@@ -62,9 +62,9 @@
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-08-04</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-09-20</li>
<li id="projectVersion" class="pull-right">
Version: 1.3.0
Version: 1.3.1
</li>
</ul>
@@ -72,97 +72,111 @@
<div class="row-fluid">
<div id="leftColumn" class="span3">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<i class="icon-chevron-down"></i>
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li class="active">
<a href="#"><i class="none"></i>How it Works</a>
<a href="#"><span class="none"></span>How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<i class="none"></i>
<span class="none"></span>
Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<i class="none"></i>
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<i class="none"></i>
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<i class="none"></i>
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
@@ -203,20 +217,20 @@
</div>
<div id="bodyColumn" class="span9" >
<div id="bodyColumn" class="span10" >
<h1>How does dependency-check work?</h1>
<p>Dependency-check works by collecting information about the files it scans (using Analyzers). The information collected is called Evidence; there are three types of evidence collected: vendor, product, and version. For instance, the JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR files scanned and it has heuristics to place the information from the various sources into one or more buckets of evidence.</p>
<p>Within the NVD CVE Data (schema can be found <a class="externalLink" href="http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd">here</a>) each CVE Entry has a list of vulnerable software:</p>
<div class="source">
<pre> &lt;entry id=&quot;CVE-2012-5055&quot;&gt;
<div class="source"><pre class="prettyprint linenums"> &lt;entry id=&quot;CVE-2012-5055&quot;&gt;
...
&lt;vuln:vulnerable-software-list&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:3.1.2&lt;/vuln:product&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:2.0.4&lt;/vuln:product&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:3.0.1&lt;/vuln:product&gt;
</pre></div>
</pre></div></div>
<p>These CPE entries are read &#x201c;cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:&#x2026;&#x201d;. The CPE data is collected and stored in a <a class="externalLink" href="http://lucene.apache.org/">Lucene Index</a>. Dependency-check then use the Evidence collected and attempt to match an entry from the Lucene CPE Index. If found, the CPEAnalyzer will add an Identifier to the Dependency and subsequently to the report. Once a CPE has been identified the associated CVE entries are added to the report.</p>
<p>One important point about the evidence is that it is rated using different confidence levels - low, medium, high, and highest. These confidence levels are applied to each item of evidence. When the CPE is determined it is given a confidence level that is equal to the lowest level confidence level of evidence used during identification. If only highest confidence evidence was used in determining the CPE then the CPE would have a highest confidence level.</p>
<p>Because of the way dependency-check works both false positives and false negatives may exist. Please read <a href="thereport.html">How to read the report</a> to get a better understanding of sorting through the false positives and false negatives.</p>
@@ -230,15 +244,14 @@
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2015
<p >Copyright &copy; 2012&#x2013;2015
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</div>
</footer>
</body>

5
general/nvd_download.sh Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
NVD_ROOT=$1/`date -I`
JAR_PATH=$2/nist-data-mirror-1.0.0.jar
java -jar $JAR_PATH $NVD_ROOT
rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway.

328
general/scan_iso.html Normal file
View File

@@ -0,0 +1,328 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-09-20
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150920" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; How to Mount ISO Files for Scanning</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.4.min.js"></script>
<style type="text/css">#bannerLeft { margin-top:-20px;margin-bottom:5px !important }</style>
</head>
<body class="topBarDisabled">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
</a>
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
</div>
</div>
<div class="pull-right"> </div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class="">
<a href="../#" title="">
</a>
<span class="divider">/</span>
</li>
<li class="active ">How to Mount ISO Files for Scanning</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-09-20</li>
<li id="projectVersion" class="pull-right">
Version: 1.3.1
</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li>
<a href="../general/internals.html" title="How it Works">
<span class="none"></span>
How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<span class="none"></span>
Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<span class="none"></span>
Sample Report</a>
</li>
<li class="active">
<a href="#"><span class="none"></span>How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
<hr />
<div id="poweredBy">
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
<div class="clear"></div>
<div class="clear"></div>
<div id="twitter">
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
</a>
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
</a>
<a href="http://www.cloudbees.com/" title="Cloudbees" class="builtBy">
<img class="builtBy" alt="built on cloudbees" src="http://jeremylong.github.io/DependencyCheck/images/logos/Button-Built-on-CB-1.png" />
</a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<h1>How to Mount ISO Files for Scanning</h1>
<p>Dependency-Check can be used as one of your tools for vetting software distributed via an <a class="externalLink" href="https://en.wikipedia.org/wiki/ISO_image">ISO image</a>. (See <a href="../analyzers/">File Type Analyzers</a> for a list of what types of artifacts Dependency-Check is capable of scanning.) These disk image files are not a standard archive format, however. Tools must be used that can interpret the contained file system. As will be shown below, Linux, Mac OS X, and recent versions of Windows can be used to mount the image&#x2019;s file system, which can then be scanned by Dependency-Check.</p>
<p>ISO images are named for the fact that they nearly always contain one of a pair of international file system standards published by <a class="externalLink" href="http://www.iso.org/">ISO</a>: <a class="externalLink" href="https://en.wikipedia.org/wiki/ISO_9660">ISO 9660</a> and ISO/IEC 13346, a.k.a. <a class="externalLink" href="https://en.wikipedia.org/wiki/Universal_Disk_Format">UDF</a>. Other types of disk images (e.g., <a class="externalLink" href="https://en.wikipedia.org/wiki/VHD_%28file_format%29">VHD</a>) are outside the scope of this article, though the ideas presented here may likely be succesfully applied.</p>
<div class="section">
<h2><a name="Linux"></a>Linux</h2>
<p>Assume you&#x2019;ve downloaded an ISO image called <tt>foo.iso</tt>, and you want to mount it at /mnt/foo. (Why /mnt? See the <a class="externalLink" href="http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s12.html">Filesystem Hierarchy Standard</a>.) First make sure that the mount point exists using <tt>mkdir /mnt/foo</tt>. Then, the <a class="externalLink" href="http://linux.die.net/man/8/mount">mount</a> command <i>must be run with root privileges</i>. On Debian and Ubuntu Linux, this is accomplished by prefacing the command with <tt>sudo</tt>.</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ sudo mount -o loop foo.iso /mnt/foo
</pre></div></div>
<p>Next, you can use Dependency-Check&#x2019;s <a href="dependency-check-cli/">command line tool</a> to scan the mount point. When you are finished, run the <a class="externalLink" href="http://linux.die.net/man/8/umount">umount</a> command with root privileges:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ sudo umount -d /mnt/foo
</pre></div></div>
<p>This will unmount the file system, and detach the loop device.</p></div>
<div class="section">
<h2><a name="Mac_OS_X"></a>Mac OS X</h2>
<div class="section">
<h3><a name="Using_the_GUI"></a>Using the GUI</h3>
<p>Simply double-click on the image file in Mac OS X Finder.</p></div>
<div class="section">
<h3><a name="Using_a_Terminal_Window"></a>Using a Terminal Window</h3>
<p>Use the <a class="externalLink" href="https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/hdiutil.1.html">hdiutil</a> command.</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ hdiutil attach foo.iso
</pre></div></div>
<p>The output will show the <tt>/dev</tt> entry assigned as well as the mount point, which is where you may now read the files in the image&#x2019;s file system.</p>
<p>To detach:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ hdiutil detach foo.iso
</pre></div></div></div></div>
<div class="section">
<h2><a name="Windows"></a>Windows</h2>
<p>Windows 8 and later versions support mounting ISO images as a virtual drive.</p>
<div class="section">
<h3><a name="Using_the_GUI"></a>Using the GUI</h3>
<ol style="list-style-type: decimal">
<li>In <i>File Explorer</i>, right-click on &#x201c;foo.iso&#x201d;.</li>
<li>Select &#x201c;Mount&#x201d;</li>
</ol>
<p>File Explorer then redirects to showing the files on your virtual drive. You can then use the <a href="dependency-check-cli/">command line tool</a> to scan the virtual drive. When finished, &#x201c;Windows-E&#x201d; will open File Explorer showing the various drives on your computer. To eject the virtual drive:</p>
<ol style="list-style-type: decimal">
<li>Right-click on the virtual drive.</li>
<li>Select &#x201c;Eject&#x201d;</li>
</ol></div>
<div class="section">
<h3><a name="Using_PowerShell"></a>Using PowerShell</h3>
<p>To mount, use the <a class="externalLink" href="https://technet.microsoft.com/en-us/%5Clibrary/Hh848706%28v=WPS.630%29.aspx">Mount-DiskImage</a> cmdlet:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ Mount-DiskImage -ImagePath C:\Full\Path\to\foo.iso
</pre></div></div>
<p>To view all drives (and find your virtual drive), use the <a class="externalLink" href="https://technet.microsoft.com/en-us/library/Hh849796.aspx">Get-PSDrive</a> cmdlet:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ Get-PSDrive -PSProvider 'FileSystem'
</pre></div></div>
<p>To dismount, use the <a class="externalLink" href="https://technet.microsoft.com/en-us/library/hh848693%28v=wps.630%29.aspx">Dismount-DiskImage</a> cmdlet:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ Dismount-DiskImage -ImagePath C:\Full\Path\to\file.iso
</pre></div></div></div>
<div class="section">
<h3><a name="Windows_7"></a>Windows 7</h3>
<p>Third-party tools exist that can be used to mount ISO images. Without such tools, it is still possible to burn the ISO image to physical media, and scan the media:</p>
<ol style="list-style-type: decimal">
<li>Right-click on &#x201c;foo.iso&#x201d;</li>
<li>Select &#x201c;Windows Disc Image Burner&#x201d;</li>
<li>Follow the instructions to burn the image.</li>
</ol></div>
<div class="section">
<h3><a name="Windows_Vista"></a>Windows Vista</h3>
<p>Just as with Windows 7, you will need a third-party tool to mount an ISO image. You will also need a third-party tool to burn the image to media. Many machines are shipped with such a tool included.</p></div></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2015
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</footer>
</body>
</html>

81
general/suppression.html
View File

@@ -1,21 +1,21 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-08-04
| Rendered using Apache Maven Fluido Skin 1.3.1
| Generated by Apache Maven Doxia at 2015-09-20
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150804" />
<meta name="Date-Revision-yyyymmdd" content="20150920" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - Suppressing False Positives</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" />
<title>dependency-check &#x2013; Suppressing False Positives</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script>
<script type="text/javascript" src="../js/apache-maven-fluido-1.4.min.js"></script>
@@ -29,7 +29,7 @@
<a href="http://github.com/jeremylong/DependencyCheck">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
@@ -62,9 +62,9 @@
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-08-04</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-09-20</li>
<li id="projectVersion" class="pull-right">
Version: 1.3.0
Version: 1.3.1
</li>
</ul>
@@ -72,97 +72,111 @@
<div class="row-fluid">
<div id="leftColumn" class="span3">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<i class="icon-chevron-down"></i>
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li>
<a href="../general/internals.html" title="How it Works">
<i class="none"></i>
<span class="none"></span>
How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<i class="none"></i>
<span class="none"></span>
Reading the Report</a>
</li>
<li class="active">
<a href="#"><i class="none"></i>False Positives</a>
<a href="#"><span class="none"></span>False Positives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<i class="none"></i>
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<i class="none"></i>
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
@@ -203,14 +217,14 @@
</div>
<div id="bodyColumn" class="span9" >
<div id="bodyColumn" class="span10" >
<h1>Suppressing False Positives</h1>
<p>Due to how dependency-check identifies libraries false positives may occur (a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the &#x201c;Complete XML Doc&#x201d; button on the top of the dialogue box to add the necessary schema elements.</p>
<p>A sample suppression file would look like:</p>
<div class="source">
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
<div class="source"><pre class="prettyprint linenums">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;suppressions xmlns=&quot;https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression&quot;&gt;
&lt;suppress&gt;
&lt;notes&gt;&lt;![CDATA[
@@ -220,12 +234,12 @@
&lt;cpe&gt;cpe:/a:apache:struts:2.0.0&lt;/cpe&gt;
&lt;/suppress&gt;
&lt;/suppressions&gt;
</pre></div>
</pre></div></div>
<p>The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.</p>
<p>The following shows some other ways to suppress individual findings. Note the ways to select files using either the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.</p>
<div class="source">
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
<div class="source"><pre class="prettyprint linenums">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
@@ -274,7 +288,7 @@
&lt;cpe&gt;cpe:/a:mod_security:mod_security&lt;/cpe&gt;
&lt;/suppress&gt;
&lt;/suppressions&gt;
</pre></div>
</pre></div></div>
<p>The full schema for suppression files can be found here: <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd" title="Suppression Schema">suppression.xsd</a></p>
<p>Please see the appropriate configuration option in each interfaces configuration guide:</p>
@@ -297,15 +311,14 @@
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2015
<p >Copyright &copy; 2012&#x2013;2015
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</div>
</footer>
</body>

73
general/thereport.html
View File

@@ -1,21 +1,21 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-08-04
| Rendered using Apache Maven Fluido Skin 1.3.1
| Generated by Apache Maven Doxia at 2015-09-20
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150804" />
<meta name="Date-Revision-yyyymmdd" content="20150920" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - How To Read The Reports</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" />
<title>dependency-check &#x2013; How To Read The Reports</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script>
<script type="text/javascript" src="../js/apache-maven-fluido-1.4.min.js"></script>
@@ -29,7 +29,7 @@
<a href="http://github.com/jeremylong/DependencyCheck">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
@@ -62,9 +62,9 @@
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-08-04</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-09-20</li>
<li id="projectVersion" class="pull-right">
Version: 1.3.0
Version: 1.3.1
</li>
</ul>
@@ -72,97 +72,111 @@
<div class="row-fluid">
<div id="leftColumn" class="span3">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<i class="icon-chevron-down"></i>
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li>
<a href="../general/internals.html" title="How it Works">
<i class="none"></i>
<span class="none"></span>
How it Works</a>
</li>
<li class="active">
<a href="#"><i class="none"></i>Reading the Report</a>
<a href="#"><span class="none"></span>Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<i class="none"></i>
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<i class="none"></i>
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<i class="none"></i>
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
@@ -203,7 +217,7 @@
</div>
<div id="bodyColumn" class="span9" >
<div id="bodyColumn" class="span10" >
<h1>How To Read The Reports</h1>
<p>The top of the report contains a list of the identified vulnerable components. By clicking the &#x2018;Showing Vulnerable Dependencies&#x2019; link the list will be expanded to include all of the dependencies scanned. The table lists:</p>
@@ -239,15 +253,14 @@
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2015
<p >Copyright &copy; 2012&#x2013;2015
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</div>
</footer>
</body>