mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-14 15:53:36 +01:00
279 lines
12 KiB
HTML
279 lines
12 KiB
HTML
<!DOCTYPE html>
|
|
<!--
|
|
| Generated by Apache Maven Doxia at 2014-11-16
|
|
| Rendered using Apache Maven Fluido Skin 1.3.1
|
|
-->
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<meta name="Date-Revision-yyyymmdd" content="20141116" />
|
|
<meta http-equiv="Content-Language" content="en" />
|
|
<title>dependency-check - How To Read The Report</title>
|
|
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
|
|
<link rel="stylesheet" href="./css/site.css" />
|
|
<link rel="stylesheet" href="./css/print.css" media="print" />
|
|
|
|
|
|
<script type="text/javascript" src="./js/apache-maven-fluido-1.3.1.min.js"></script>
|
|
|
|
|
|
|
|
<style type="text/css">#bannerLeft { margin-top:50px !important }</style>
|
|
|
|
</head>
|
|
<body class="topBarDisabled">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<a href="http://github.com/jeremylong/DependencyCheck">
|
|
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
|
|
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
|
|
alt="Fork me on GitHub">
|
|
</a>
|
|
|
|
|
|
|
|
|
|
<div class="container-fluid">
|
|
<div id="banner">
|
|
<div class="pull-left">
|
|
<div id="bannerLeft">
|
|
<h2>dependency-check</h2>
|
|
</div>
|
|
</div>
|
|
<div class="pull-right"> </div>
|
|
<div class="clear"><hr/></div>
|
|
</div>
|
|
|
|
<div id="breadcrumbs">
|
|
<ul class="breadcrumb">
|
|
|
|
|
|
<li class="">
|
|
<a href="#" title="">
|
|
</a>
|
|
<span class="divider">/</span>
|
|
</li>
|
|
<li class="active ">How To Read The Report</li>
|
|
|
|
|
|
|
|
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2014-11-16</li>
|
|
<li id="projectVersion" class="pull-right">
|
|
Version: 1.2.6
|
|
</li>
|
|
|
|
</ul>
|
|
</div>
|
|
|
|
|
|
<div class="row-fluid">
|
|
<div id="leftColumn" class="span3">
|
|
<div class="well sidebar-nav">
|
|
|
|
|
|
<ul class="nav nav-list">
|
|
<li class="nav-header">Project Documentation</li>
|
|
|
|
<li>
|
|
|
|
<a href="project-info.html" title="Project Information">
|
|
<i class="icon-chevron-right"></i>
|
|
Project Information</a>
|
|
</li>
|
|
<li class="nav-header">General</li>
|
|
|
|
<li>
|
|
|
|
<a href="internals.html" title="How it Works">
|
|
<i class="none"></i>
|
|
How it Works</a>
|
|
</li>
|
|
|
|
<li class="active">
|
|
|
|
<a href="#"><i class="none"></i>Reading the Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="suppression.html" title="False Positives">
|
|
<i class="none"></i>
|
|
False Positives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check.pptx" title="Project Presentation (pptx)">
|
|
<i class="none"></i>
|
|
Project Presentation (pptx)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check.pdf" title="Project Presentation (pdf)">
|
|
<i class="none"></i>
|
|
Project Presentation (pdf)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="SampleReport.html" title="Sample Report">
|
|
<i class="none"></i>
|
|
Sample Report</a>
|
|
</li>
|
|
<li class="nav-header">File Type Analyzers</li>
|
|
|
|
<li>
|
|
|
|
<a href="archive-analyzer.html" title="Archive Analyzer">
|
|
<i class="none"></i>
|
|
Archive Analyzer</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="jar-analyzer.html" title="Jar Analyzer">
|
|
<i class="none"></i>
|
|
Jar Analyzer</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="nexus-analyzer.html" title="Nexus Analyzer">
|
|
<i class="none"></i>
|
|
Nexus Analyzer</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="assembly-analyzer.html" title="Assembly Analyzer">
|
|
<i class="none"></i>
|
|
Assembly Analyzer</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="nuspec-analyzer.html" title="Nuspec Analyzer">
|
|
<i class="none"></i>
|
|
Nuspec Analyzer</a>
|
|
</li>
|
|
<li class="nav-header">Modules</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-cli/installation.html" title="dependency-check-cli">
|
|
<i class="none"></i>
|
|
dependency-check-cli</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-ant/installation.html" title="dependency-check-ant">
|
|
<i class="none"></i>
|
|
dependency-check-ant</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-maven/usage.html" title="dependency-check-maven">
|
|
<i class="none"></i>
|
|
dependency-check-maven</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-jenkins/index.html" title="dependency-check-jenkins">
|
|
<i class="none"></i>
|
|
dependency-check-jenkins</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-core/index.html" title="dependency-check-core">
|
|
<i class="none"></i>
|
|
dependency-check-core</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="dependency-check-utils/index.html" title="dependency-check-utils">
|
|
<i class="none"></i>
|
|
dependency-check-utils</a>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
|
|
<hr />
|
|
|
|
<div id="poweredBy">
|
|
|
|
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
|
|
|
|
|
|
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
|
|
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
|
|
|
|
|
|
<div id="twitter">
|
|
|
|
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
|
|
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
|
|
|
|
</div>
|
|
<div class="clear"></div>
|
|
<div class="clear"></div>
|
|
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
|
|
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
|
|
</a>
|
|
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
|
|
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
|
|
</a>
|
|
<a href="http://www.cloudbees.com/" title="Cloudbees" class="builtBy">
|
|
<img class="builtBy" alt="built on cloudbees" src="http://jeremylong.github.io/DependencyCheck/images/logos/Button-Built-on-CB-1.png" />
|
|
</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bodyColumn" class="span9" >
|
|
|
|
<h1>How To Read The Report</h1>
|
|
<p>There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the CPE looks appropriate. Due to the way dependency-check works (see above) the report may contain false positives; these false positives are primarily on the CPE values. If the CPE value is wrong, this is usually obvious and one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans. In addition to just looking at the CPE values in comparison to the name of the dependency - one may also consider the confidence of the CPE (as discussed in <a href="./internals.html">How does dependency-check work</a>). See the <a href="./suppression.html">Suppressing False Positives</a> page for more information on how to generate and use the suppression file.</p>
|
|
<p>Once you have weeded out any obvious false positives one can then look at the remaining entries and determine if any of the identified CVE entries are actually exploitable in your environment. Determining if a CVE is exploitable in your environment can be tricky - for this I do not currently have any tips other then upgrade the library if you can just to be safe. Note, some CVE entries can be fixed by either upgrading the library or changing configuration options.</p>
|
|
<p>One item that dependency-check flags that many may think is a false positive are old database drivers. One thing to consider about an old database driver is that the CPE/CVEs identified are usually for the server rather then the driver. However, the presence of an old driver may indicate that you have an older version of the server running in your environment and that server may need to be patched or upgraded. However, in some cases the old database drivers are actually unused, transitive dependencies from other dependencies.</p>
|
|
<h1>Regarding False Negatives</h1>
|
|
<p>As stated above, due to the nature of dependency-check there may be publicly disclosed vulnerabilities in the project dependencies scanned by dependency-check that are not identified. With the current version of dependency-check the HTML report has a table at the top that initially displays just the dependencies with identified vulnerabilities. This can be toggled to show all dependencies. If you examine the rows that do not have identified CPE/CVE entries you will see an “evidence count”. If the evidence count is extremely low (0-5 entries) then there may not have been enough information contained in the dependency to identify a CPE and associated CVEs.</p>
|
|
<p>It should be noted that while the false positives described above are bad, more concerning is that there may be vulnerabilities within the project dependencies that have yet to be publicly known. If one has the resources consider performing security assessments on the project dependencies.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<hr/>
|
|
|
|
<footer>
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<p >Copyright © 2012–2014
|
|
<a href="http://www.owasp.org">OWASP</a>.
|
|
All rights reserved.
|
|
|
|
</p>
|
|
</div>
|
|
|
|
|
|
|
|
</div>
|
|
</footer>
|
|
</body>
|
|
</html>
|