github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-13 15:23:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
gh-pages
DependencyCheck/data/cachenvd.html
Jeremy Long 615f6e3750 documentation version 1.4.5
2017-01-22 17:22:46 -05:00

334 lines
15 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170122" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; Snapshotting the NVD</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.5.min.js"></script>
<style type="text/css">
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
</style>
</head>
<body class="topBarDisabled">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
</a>
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
</div>
</div>
<div class="pull-right"> </div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class="">
<a href="../#" title="">
</a>
<span class="divider">/</span>
</li>
<li class="active ">Snapshotting the NVD</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.5
</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li>
<a href="../general/internals.html" title="How it Works">
<span class="none"></span>
How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<span class="none"></span>
Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../general/hints.html" title="False Negatives">
<span class="none"></span>
False Negatives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<span class="icon-chevron-down"></span>
Internet Access Required</a>
<ul class="nav nav-list">
<li>
<a href="../data/proxy.html" title="Proxy">
<span class="none"></span>
Proxy</a>
</li>
<li>
<a href="../data/mirrornvd.html" title="Mirroring NVD">
<span class="none"></span>
Mirroring NVD</a>
</li>
<li class="active">
<a href="#"><span class="none"></span>Snapshotting the NVD</a>
</li>
<li>
<a href="../data/database.html" title="Central DB">
<span class="none"></span>
Central DB</a>
</li>
</ul>
</li>
<li>
<a href="../related.html" title="Related Work">
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
<hr />
<div id="poweredBy">
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
<div class="clear"></div>
<div class="clear"></div>
<div id="twitter">
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
</a>
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
</a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<h1>Snapshotting the NVD</h1>
<p>The <a href="./mirrornvd.html">Mirroring the NVD from NIST</a> topic describes briefly how to use the <a class="externalLink" href="https://github.com/stevespringett/nist-data-mirror/">Nist-Data-Mirror</a> project to cache the NVD locally and run Dependency Check (D-C) against the local cache.</p>
<p>This topic goes into a bit more depth with the <a href="../dependency-check-cli/index.html">cli</a> client, focusing on the following use case.</p>
<ol style="list-style-type: decimal">
<li>You wish to have daily local snapshots of the NVD, so that</li>
<li>in order to compare later runs of D-C with earlier runs, you can compare &#x201c;apples with apples&#x201d;.</li>
</ol>
<p>In other words: It is sometimes desirable to run a comparison D-C analysis against the same NVD snapshot that an earlier D-C report used.</p>
<p>In the steps below, concrete examples will be given assuming an Ubuntu Linux system. Hopefully, enough explanation is provided that the steps can easily be translated to other systems.</p>
<div class="section">
<h2><a name="Build_Nist-Data-Mirror"></a>Build Nist-Data-Mirror</h2>
<ol style="list-style-type: decimal">
<li>Perform a &#x201c;git clone&#x201d; of <a class="externalLink" href="https://github.com/stevespringett/nist-data-mirror/">Nist-Data-Mirror</a></li>
<li>Install gradle, if necessary. See <a class="externalLink" href="http://gradle.org/gradle-download/">here</a> or your Linux distributions package management system. (e.g., <tt>sudo apt-get install gradle</tt>).</li>
<li>Follow the <a class="externalLink" href="https://github.com/stevespringett/nist-data-mirror/blob/master/README.md#user-content-build">build instructions</a>. You will be left with a build artifact called <tt>nist-data-mirror-1.0.0.jar</tt>.</li>
</ol></div>
<div class="section">
<h2><a name="Set_Up_a_Daily_NVD_Download_Job"></a>Set Up a Daily NVD Download Job</h2>
<p>On Linux, the way to do this using the <a class="externalLink" href="http://linux.die.net/man/8/cron">cron daemon</a>. &#x201c;Cron jobs&#x201d; are configured by invoking <a class="externalLink" href="http://linux.die.net/man/5/crontab">crontab</a>. For example, invoke <tt>crontab -e</tt> to add a line like the following to your crontab file:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">4 5 * * * ~/.local/bin/nvd_download.sh ~/NVD ~/.local/jars
</pre></div></div>
<p>This would run a job on your system at 4:05 AM daily to run the <a href="general/nvd_download.sh">nvd_download.sh</a> shell script with the two given arguments. The script is simple:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">#!/bin/sh
NVD_ROOT=$1/`date -I`
JAR_PATH=$2/nist-data-mirror-1.0.0.jar
java -jar $JAR_PATH $NVD_ROOT
rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway.
</pre></div></div>
<p>Nist-Data-Mirror will automatically create the directory, download the .xml.gz files, and extract the .xml files alongside them. Given the parameters in the cron example above, the new directory will be <tt>~/NVD/2015-08-03</tt> if executed on August 3<sup>rd</sup>, 2015. The download for 2015-08-03 pulled 47 MiB, and took up a total of 668 MiB after extracting from the compressed archive format. It turns out that D-C works directly with the .xml.gz files, so the above script preserves disk space by deleting the .xml files.</p></div>
<div class="section">
<h2><a name="Invoke_the_Command-Line_Using_a_Specific_Daily_Snapshot"></a>Invoke the Command-Line Using a Specific Daily Snapshot</h2>
<p>An example script named <a href="general/dep-check-date.sh">dep-check-date.sh</a> is shown below, which facilitates a D-C scan against an arbitrary NVD snapshot:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">#!/bin/sh
CLI_LOCATION=~/.local/dependency-check-1.2.11
CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh
NVD_PATH=$1/`date -I -d $2`
NVD=file://$NVD_PATH
shift 2 # We've used the first two params. The rest go to CLI_SCRIPT.
$CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \
--cveUrl12Base $NVD/nvdcve-%d.xml.gz \
--cveUrl20Modified $NVD/nvdcve-2.0-Modified.xml.gz \
--cveUrl12Modified $NVD/nvdcve-Modified.xml.gz \
--data $NVD_PATH $@
</pre></div></div>
<p>The script takes advantage of the <tt>date</tt> command&#x2019;s ability to parse a variety of date formats. The following invokation would successfully point to the <tt>~/NVD/2015-08-03</tt> folder.</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">$ ./dep-check-date.sh ~/NVD &quot;08/03/2015&quot; -app Foo -scan /path/to/Foo --out ~/DCreports/FooFollowup/
</pre></div></div>
<p>If today happened to be August 4th, 2015, <tt>&quot;yesterday&quot;</tt> also would have worked. Also notice the usage of the <tt>--data</tt> parameter. This places the H2 database file directly in the folder alongside the .xml.gz files. This is critical, so that D-C doesn&#x2019;t run against another version of the database, like the usual default in <tt>$CLI_LOCATION/data</tt>.</p></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2017
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink