<!DOCTYPE html>
|
|
<!--
|
|
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
|
|
| Rendered using Apache Maven Fluido Skin 1.5
|
|
-->
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<meta name="Date-Revision-yyyymmdd" content="20170122" />
|
|
<meta http-equiv="Content-Language" content="en" />
|
|
<title>dependency-check – About</title>
|
|
<link rel="stylesheet" href="./css/apache-maven-fluido-1.5.min.css" />
|
|
<link rel="stylesheet" href="./css/site.css" />
|
|
<link rel="stylesheet" href="./css/print.css" media="print" />
|
|
|
|
|
|
<script type="text/javascript" src="./js/apache-maven-fluido-1.5.min.js"></script>
|
|
|
|
<style type="text/css">
|
|
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
|
|
</style>
|
|
</head>
|
|
<body class="topBarDisabled">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<div class="container-fluid">
|
|
<div id="banner">
|
|
<div class="pull-left">
|
|
<div id="bannerLeft">
|
|
<img src="images/dc.svg" alt="OWASP dependency-check"/>
|
|
</div>
|
|
</div>
|
|
<div class="pull-right"> </div>
|
|
<div class="clear"><hr/></div>
|
|
</div>
|
|
|
|
<div id="breadcrumbs">
|
|
<ul class="breadcrumb">
|
|
|
|
<li class="">
|
|
<a href="#" title="">
|
|
</a>
|
|
<span class="divider">/</span>
|
|
</li>
|
|
<li class="active ">About</li>
|
|
|
|
|
|
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
|
|
<li id="projectVersion" class="pull-right">
|
|
Version: 1.4.5
|
|
</li>
|
|
|
|
</ul>
|
|
</div>
|
|
|
|
|
|
<div class="row-fluid">
|
|
<div id="leftColumn" class="span2">
|
|
<div class="well sidebar-nav">
|
|
|
|
<ul class="nav nav-list">
|
|
<li class="nav-header">OWASP dependency-check</li>
|
|
|
|
<li class="active">
|
|
|
|
<a href="#"><span class="icon-chevron-down"></span>General</a>
|
|
<ul class="nav nav-list">
|
|
|
|
<li>
|
|
|
|
<a href="general/internals.html" title="How it Works">
|
|
<span class="none"></span>
|
|
How it Works</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/thereport.html" title="Reading the Report">
|
|
<span class="none"></span>
|
|
Reading the Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/suppression.html" title="False Positives">
|
|
<span class="none"></span>
|
|
False Positives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/hints.html" title="False Negatives">
|
|
<span class="none"></span>
|
|
False Negatives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="data/index.html" title="Internet Access Required">
|
|
<span class="icon-chevron-right"></span>
|
|
Internet Access Required</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="related.html" title="Related Work">
|
|
<span class="none"></span>
|
|
Related Work</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/dependency-check.pptx" title="Project Presentation (pptx)">
|
|
<span class="none"></span>
|
|
Project Presentation (pptx)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/dependency-check.pdf" title="Project Presentation (pdf)">
|
|
<span class="none"></span>
|
|
Project Presentation (pdf)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/SampleReport.html" title="Sample Report">
|
|
<span class="none"></span>
|
|
Sample Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="general/scan_iso.html" title="How to Scan an ISO Image">
|
|
<span class="none"></span>
|
|
How to Scan an ISO Image</a>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="analyzers/index.html" title="File Type Analyzers">
|
|
<span class="icon-chevron-right"></span>
|
|
File Type Analyzers</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="modules.html" title="Modules">
|
|
<span class="icon-chevron-right"></span>
|
|
Modules</a>
|
|
</li>
|
|
<li class="nav-header">Project Documentation</li>
|
|
|
|
<li>
|
|
|
|
<a href="project-info.html" title="Project Information">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Information</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="project-reports.html" title="Project Reports">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Reports</a>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
<hr />
|
|
|
|
<div id="poweredBy">
|
|
|
|
|
|
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
|
|
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
|
|
</a>
|
|
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
|
|
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
|
|
</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bodyColumn" class="span10" >
|
|
|
|
<h1>About</h1>

<p>OWASP dependency-check is an open source solution for the OWASP Top 10 2013 entry <a class="externalLink" href="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities">A9 - Using Components with Known Vulnerabilities</a>. Dependency-check can currently scan Java and .NET applications to identify the use of components with known, published vulnerabilities. Experimental analyzers exist for Python, Ruby, PHP (composer), and Node.js applications; they are marked experimental because of their false positive and false negative rates, and they must be specifically enabled via the appropriate <i>experimental</i> configuration setting before they run. Dependency-check also has experimental analyzers that can scan some C/C++ source code, including OpenSSL source code and projects that use <a class="externalLink" href="https://www.gnu.org/software/autoconf/">Autoconf</a> or <a class="externalLink" href="http://www.cmake.org/overview/">CMake</a>.</p>

<p>The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled “<a class="externalLink" href="http://www1.contrastsecurity.com/the-unfortunate-reality-of-insecure-libraries?&__hssc=92971330.1.1412763139545&__hstc=92971330.5d71a97ce2c038f53e4109bfd029b71e.1412763139545.1412763139545.1412763139545.1&hsCtaTracking=7bbb964b-eac1-454d-9d5b-cc1089659590%7C816e01cf-4d75-449a-8691-bd0c6f9946a5">The Unfortunate Reality of Insecure Libraries</a>” (registration required). The gist of the paper is that we as a development community include third party libraries in our applications that contain well known, published vulnerabilities (such as those catalogued in the <a class="externalLink" href="http://web.nvd.nist.gov/view/vuln/search">National Vulnerability Database</a>).</p>

<p>More information about dependency-check can be found here:</p>

<ul>
  <li><a href="general/internals.html">How does dependency-check work</a></li>
  <li><a href="general/thereport.html">How to read the report</a></li>
  <li><a href="./mail-lists.html">The OWASP dependency-check mailing list</a></li>
</ul>

<p>OWASP dependency-check’s core analysis engine can be used as:</p>

<ul>
  <li><a href="dependency-check-ant/index.html">Ant Task</a></li>
  <li><a href="dependency-check-cli/index.html">Command Line Tool</a></li>
  <li><a href="dependency-check-gradle/index.html">Gradle Plugin</a></li>
  <li><a href="dependency-check-jenkins/index.html">Jenkins Plugin</a></li>
  <li><a href="dependency-check-maven/index.html">Maven Plugin</a> - Maven 3.1 or newer required</li>
  <li><a class="externalLink" href="https://github.com/albuch/sbt-dependency-check">SBT Plugin</a></li>
</ul>
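<p>As an added illustration of how the engine is typically wired into a build (this is not a fragment from the dependency-check documentation), the pom.xml snippet below configures the Maven plugin listed above to run the scan, opt in to the experimental analyzers described in the first paragraph, and fail the build when any dependency carries a vulnerability with a CVSS score of 7 or higher. The parameter names are the ones the Maven plugin documents for this release line; the suppression file path is a hypothetical placeholder.</p>

```xml
<!-- Added example, not part of the dependency-check documentation.
     Plugin parameter names follow the Maven plugin's documented
     configuration for the 1.4.x line; verify them against the
     "Maven Plugin" page for the version you actually use. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.4.5</version>
      <configuration>
        <!-- Turn the scan into a gate: any CVE with CVSS >= 7 fails the build.
             Without this the plugin only reports and the build always succeeds. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>

        <!-- Opt in to the experimental Python/Ruby/PHP/Node.js/C++ analyzers.
             These raise the false positive rate, so pair them with a reviewed
             suppression file rather than disabling the gate. -->
        <enableExperimental>true</enableExperimental>

        <!-- HTML for humans, XML for downstream tooling. -->
        <format>ALL</format>

        <!-- Version-controlled list of reviewed false positives
             (hypothetical path, see "False Positives" in the navigation). -->
        <suppressionFile>${basedir}/owasp-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- The check goal binds to the verify phase by default. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

<p>Running <code>mvn verify</code> with this configuration downloads the NVD data on first use (see “Internet Access Required” in the navigation), writes the reports under <code>target/</code>, and exits non-zero on a qualifying finding. The <code>failBuildOnCVSS</code> threshold is the setting that matters for CI: a scan that only produces a report is easy to ignore, while a failing build forces the finding to be either fixed or explicitly suppressed with a recorded justification.</p>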
|
|
<p>For help with dependency-check the following resources can be used:</p>

<ul>
  <li>Post to the <a class="externalLink" href="https://groups.google.com/forum/#!forum/dependency-check">google group</a>: <a class="externalLink" href="mailto:dependency-check+subscribe@googlegroups.com">subscribe</a>, <a class="externalLink" href="mailto:dependency-check@googlegroups.com">post</a></li>
  <li>Open a <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/issues">github issue</a></li>
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<hr/>
|
|
|
|
<footer>
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<p >Copyright © 2012–2017
|
|
<a href="http://www.owasp.org">OWASP</a>.
|
|
All rights reserved.
|
|
</p>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
</footer>
|
|
</body>
|
|
</html>
|