1.6 KiB
About
OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify known vulnerable components.
The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "The Unfortunate Reality of Insecure Libraries" (registration required). The gist of the paper is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).
More information about dependency-check can be found here:
OWASP dependency-check's core analysis engine can be used as: