documentation v1.3.1

This commit is contained in:
Jeremy Long
2015-09-20 07:41:29 -04:00
parent 4fd8873223
commit 191c5fae56
1456 changed files with 125936 additions and 63077 deletions


@@ -1,21 +1,21 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-08-04
| Rendered using Apache Maven Fluido Skin 1.3.1
| Generated by Apache Maven Doxia at 2015-09-20
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150804" />
<meta name="Date-Revision-yyyymmdd" content="20150920" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check - How does dependency-check work?</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.1.min.css" />
<title>dependency-check &#x2013; How does dependency-check work?</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.3.1.min.js"></script>
<script type="text/javascript" src="../js/apache-maven-fluido-1.4.min.js"></script>
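Review bot: the skin bump from apache-maven-fluido-1.3.1 to 1.4 touches both the stylesheet and the script reference, so the page now depends on `../css/apache-maven-fluido-1.4.min.css` and `../js/apache-maven-fluido-1.4.min.js` existing; confirm both 1.4 assets are part of this commit and that the orphaned 1.3.1 copies are removed rather than left beside them. The other changes in this hunk (regeneration date 2015-09-20, `Date-Revision-yyyymmdd` 20150920, the `&#x2013;` entity in the title) are generator output and consistent with each other.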
@@ -29,7 +29,7 @@
<a href="http://github.com/jeremylong/DependencyCheck">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
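Review bot: moving the repository link from http:// to https://github.com/jeremylong/DependencyCheck is the right call and now matches the ribbon image, which is already loaded from https://s3.amazonaws.com; the page still mixes schemes further down (the footer keeps http://www.owasp.org), so the same change should be applied there for consistency.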
@@ -62,9 +62,9 @@
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-08-04</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2015-09-20</li>
<li id="projectVersion" class="pull-right">
Version: 1.3.0
Version: 1.3.1
</li>
</ul>
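Review bot: the Last Published date (2015-09-20) and Version (1.3.1) in this hunk agree with the `Date-Revision-yyyymmdd` meta in the head and with the commit message; no change needed, but note that the version and date are duplicated in the head comment, the meta tag and this list item, so they should only ever be updated by regenerating the site, never by hand-editing the HTML.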
@@ -72,97 +72,111 @@
<div class="row-fluid">
<div id="leftColumn" class="span3">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<i class="icon-chevron-down"></i>
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li class="active">
<a href="#"><i class="none"></i>How it Works</a>
<a href="#"><span class="none"></span>How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<i class="none"></i>
<span class="none"></span>
Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<i class="none"></i>
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<i class="none"></i>
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<i class="none"></i>
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<i class="none"></i>
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<i class="icon-chevron-right"></i>
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
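Review bot: two sidebar targets are new in this hunk, `../general/scan_iso.html` ("How to Scan an ISO Image") and `../project-reports.html` ("Project Reports"); verify both files are generated and committed alongside this page, otherwise the navigation ships dead links. The `<i class="none">` / `<i class="icon-chevron-*">` to `<span ...>` swap is applied uniformly to every entry and follows the Fluido 1.4 markup, and the `span3` to `span2` narrowing of `leftColumn` is only correct if the body column widens by the same amount (it does, in the following hunk: `span9` to `span10`), keeping the row at twelve grid columns.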
@@ -203,20 +217,20 @@
</div>
<div id="bodyColumn" class="span9" >
<div id="bodyColumn" class="span10" >
<h1>How does dependency-check work?</h1>
<p>Dependency-check works by collecting information about the files it scans (using Analyzers). The information collected is called Evidence; there are three types of evidence collected: vendor, product, and version. For instance, the JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR files scanned and it has heuristics to place the information from the various sources into one or more buckets of evidence.</p>
<p>Within the NVD CVE Data (schema can be found <a class="externalLink" href="http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd">here</a>) each CVE Entry has a list of vulnerable software:</p>
<div class="source">
<pre> &lt;entry id=&quot;CVE-2012-5055&quot;&gt;
<div class="source"><pre class="prettyprint linenums"> &lt;entry id=&quot;CVE-2012-5055&quot;&gt;
...
&lt;vuln:vulnerable-software-list&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:3.1.2&lt;/vuln:product&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:2.0.4&lt;/vuln:product&gt;
&lt;vuln:product&gt;cpe:/a:vmware:springsource_spring_security:3.0.1&lt;/vuln:product&gt;
</pre></div>
</pre></div></div>
<p>These CPE entries are read &#x201c;cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:&#x2026;&#x201d;. The CPE data is collected and stored in a <a class="externalLink" href="http://lucene.apache.org/">Lucene Index</a>. Dependency-check then use the Evidence collected and attempt to match an entry from the Lucene CPE Index. If found, the CPEAnalyzer will add an Identifier to the Dependency and subsequently to the report. Once a CPE has been identified the associated CVE entries are added to the report.</p>
<p>One important point about the evidence is that it is rated using different confidence levels - low, medium, high, and highest. These confidence levels are applied to each item of evidence. When the CPE is determined it is given a confidence level that is equal to the lowest level confidence level of evidence used during identification. If only highest confidence evidence was used in determining the CPE then the CPE would have a highest confidence level.</p>
<p>Because of the way dependency-check works both false positives and false negatives may exist. Please read <a href="thereport.html">How to read the report</a> to get a better understanding of sorting through the false positives and false negatives.</p>
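Review bot: the unchanged context line beginning "The CPE data is collected and stored in a Lucene Index" has a grammar error that survives the regeneration: "Dependency-check then use the Evidence collected and attempt to match" should read "Dependency-check then uses the Evidence collected and attempts to match"; since this file is generator output, the fix belongs in the site source document rather than here. The new `<div class="source"><pre class="prettyprint linenums">` wrapper is correctly balanced by `</pre></div></div>` against the outer `<div class="source">`, but `linenums` adds line numbers to a CVE-2012-5055 XML excerpt that the prose never refers to by line, so the plain `prettyprint` class would be cleaner. The `span9` to `span10` change on `bodyColumn` pairs with the `span3` to `span2` sidebar change above.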
@@ -230,15 +244,14 @@
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2015
<p >Copyright &copy; 2012&#x2013;2015
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</div>
</footer>
</body>
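Review bot: the two `Copyright &copy; 2012&#x2013;2015` lines are identical as rendered, so this is a whitespace-only difference from the regenerated skin; harmless, but it is exactly the kind of churn that makes a 1456-file commit hard to review. While in the footer, the `http://www.owasp.org` link should move to https to match the GitHub link change earlier in this file.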