Vulnerabilities Dependency Check

Last updated 4 years ago

This page demonstrates how to use OWASP Dependency-Check to scan for publicly disclosed vulnerabilities in a project’s dependencies. The tool works by determining whether a Common Platform Enumeration (CPE) identifier exists for each dependency it finds. If one is found, it generates a report linking the dependency to the associated CVE entries.

Setup

  • Go to the OWASP Dependency-Check website.

  • Scroll to the bottom and look for Command Line. Click the link to download OWASP Dependency-Check; a ZIP file is saved to the Downloads folder.

  • Unzip the downloaded ZIP file to a working location, e.g. C:\temp\dependency-check-6.1.5-release\

Usage On Windows

  • Launch the cmd command-line window.

  • From cmd, navigate to the bin folder, for example:

    CD C:\temp\dependency-check-6.1.5-release\bin
  • Execute the scan command with the target project path (-s) and the report output path (-o). Assuming your project is located at C:\projects\hello-world:

    dependency-check.bat -s "C:\projects\hello-world" -o "C:\temp\hello-world-dependency-check-report.html"
  • For example:

    C:\temp\dependency-check-6.1.5-release\bin>dependency-check.bat -s "C:\projects\hello-world" -o "C:\temp\hello-world-dependency-check-report.html"
    [INFO] Checking for updates
    [INFO] Skipping NVD check since last check was within 4 hours.
    [INFO] Skipping RetireJS update since last update was within 24 hours.
    [INFO] Check for updates complete (1066 ms)
    [INFO] Analysis Started
    [INFO] Finished File Name Analyzer (0 seconds)
    [INFO] Finished MSBuild Project Analyzer (0 seconds)
    [INFO] Finished Dependency Merging Analyzer (0 seconds)
    [INFO] Finished Version Filter Analyzer (0 seconds)
    [INFO] Finished Hint Analyzer (0 seconds)
    [INFO] Created CPE Index (2 seconds)
    [INFO] Finished CPE Analyzer (3 seconds)
    [INFO] Finished False Positive Analyzer (0 seconds)
    [INFO] Finished NVD CVE Analyzer (0 seconds)
    [INFO] Finished Sonatype OSS Index Analyzer (3 seconds)
    [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
    [INFO] Finished Dependency Bundling Analyzer (0 seconds)
    [INFO] Analysis Complete (7 seconds)
    [INFO] Writing report to: C:\temp\hello-world-dependency-check-report.html
  • Open the generated HTML report to analyse the reported vulnerabilities.
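Opening the HTML report by hand does not scale to a build pipeline. As an added example (not from this page or from the Dependency-Check project), the Python script below gates a build on the JSON report that Dependency-Check writes when -f JSON is added to the scan command above, failing when any finding reaches a CVSS threshold. The report field names (dependencies, fileName, vulnerabilities, name, severity, cvssv3.baseScore, cvssv2.score) are assumed from the 6.x JSON report and should be checked against your own output; the embedded sample report is constructed.

```python
import json
import sys

# Constructed sample of a Dependency-Check JSON report (not real scan output).
# Field names assumed from the 6.x JSON report: check them against your own file.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.2.dll", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "example-util-3.4.dll", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
             "cvssv2": {"score": 5.0}}]},
        {"fileName": "hello-world.dll"},  # clean dependency, no "vulnerabilities" key
    ],
})


def score_of(vuln):
    """CVSS base score of one finding: v3 preferred, then v2, else 0.0 (unscored)."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def findings_at_or_above(report, threshold):
    """(fileName, vulnerability name, score) for every finding scoring >= threshold."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda hit: -hit[2])  # worst first


def gate(report_text, threshold=7.0):
    """Return (exit_code, findings); exit code 1 means the build should fail."""
    findings = findings_at_or_above(json.loads(report_text), threshold)
    return (1 if findings else 0), findings


if __name__ == "__main__":
    # Usage: python dc_gate.py <report.json> [threshold]; no arguments runs the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, findings = gate(text, float(sys.argv[2]) if len(sys.argv) > 2 else 7.0)
    for file_name, cve, score in findings:
        print(f"{score:4.1f}  {cve}  in {file_name}")
    print("FAIL" if code else "PASS")
    sys.exit(code)
```

Dependency-Check also has a built-in --failOnCVSS option that returns a non-zero exit code; the script is useful when you want the per-dependency summary and the gate in one step, or a threshold policy the CLI flag does not express.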

Reference

OWASP Dependency-Check
OWASP Dependency Check Documentation
Sample Report
Github