releasing updates from private repo

Former-commit-id: 064139c68ad185358d6c74a77511d9ca36229633
Jeremy Long
2013-07-31 10:21:31 -04:00
parent a036b9fc27
commit c3f9f16ce3
264 changed files with 13532 additions and 3394 deletions


@@ -0,0 +1,31 @@
About
====================
Dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 -
Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
Dependency-check can currently be used to scan Java applications (and their
dependent libraries) to identify known vulnerable components.
The problem with using known vulnerable components was covered in a paper by Jeff
Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of Insecure
Libraries](https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf)".
The gist of the paper is that we as a development community include third party
libraries in our applications that contain well known published vulnerabilities
\(such as those at the [National Vulnerability Database](http://web.nvd.nist.gov/view/vuln/search)\).
Dependency-check scans directories and files and if it contains an Analyzer that
can scan a particular file type then information from the file is collected. This
information is then used to identify the [Common Platform Enumeration](http://nvd.nist.gov/cpe.cfm) \(CPE\). If a
CPE is identified a listing of associated [Common Vulnerability and Exposure](http://cve.mitre.org/) \(CVE\)
entries are listed in a report.
**IMPORTANT NOTE**: Dependency-check automatically updates itself using the NVD Data Feeds hosted by
NIST. **The initial download of the data may take fifteen minutes
or more**, if you run the tool at least once every seven days only a small XML file
needs to be downloaded to keep the local copy of the data current.
Dependency-check's core analysis library is exposed in various forms:
- [Command Line Tool](dependency-check-cli/index.html)
- [Maven Plugin](dependency-check-maven/usage.html)
- [Ant Task](dependency-check-ant/installation.html)
- Jenkins Plugin
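Review bot: the opening sentence of the new About page is missing a preposition: "Dependency-check is an open source solution the OWASP Top 10 2013 entry: A9" should read "an open source solution for the OWASP Top 10 2013 entry: A9" (or "to"), otherwise the lead sentence does not parse. Three smaller documentation points in the same file: the CVE expansion should be "Common Vulnerabilities and Exposures" rather than "Common Vulnerability and Exposure", and the sentence "a listing of associated ... entries are listed in a report" needs "is listed" (or simply "the associated CVE entries are listed in a report"); the IMPORTANT NOTE's second sentence is a comma splice and reads better as two sentences, e.g. "**The initial download of the data may take fifteen minutes or more.** If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current."; and in the closing list the Command Line Tool, Maven Plugin and Ant Task are linked to their pages while "- Jenkins Plugin" is bare text, so either link it the same way or note that it is not yet documented. Lastly, the NVD and CPE links are plain http:// (http://web.nvd.nist.gov/view/vuln/search, http://nvd.nist.gov/cpe.cfm) while the OWASP link is https://; since the same paragraph tells users the tool fetches the NVD data feeds from NIST automatically, it would be worth stating which endpoint and transport that update uses, because the integrity of that download is what a vulnerability-data feed most depends on.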