The Open Web Application Security Project (OWASP) is an online community that provides free articles, methodologies, documentation, tools, and other content related to web application security.
Open source components have become an integral part of software development. The increasingly widespread use of open source components requires that developers take a more proactive approach to open source security management. They need to make sure throughout the development process that the software products that they are creating and maintaining don’t contain vulnerable components.
The OWASP Top 10 2013 contains a new entry: A9-Using Components with Known Vulnerabilities. Dependency-Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.
Supported Programming Languages and Integrations
The OWASP Dependency-Check currently supports five different programming languages. Java and .NET are fully supported and additional experimental support is provided for Ruby, Node.js, and Python.
The tool also integrates with Jenkins through a plugin that can fail the build, allowing you to make sure only approved code with no known open source vulnerabilities is deployed to production.
Vulnerability Scanning
Scanning is the process of running the tool on the user’s code to identify any vulnerable open source components. This is usually done by comparing the components the user’s code depends on against the known open source vulnerabilities in the vulnerability database.
The OWASP Dependency-Check uses a variety of analyzers to build a list of Common Platform Enumeration (CPE) entries for the scanned dependencies. CPE is a structured naming scheme for IT products that also defines a method for checking a name against a system, which is what makes a dependency’s CPE comparable with the entries in the vulnerability database.
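To make the CPE step concrete, here is an added example (not code from the Dependency-Check project) of how a dependency's CPE 2.3 name can be matched against vulnerable-software entries with version ranges. The range field names follow NVD's versionStart/versionEnd naming, which is an assumption here, and the vendor, product and vulnerability ids in the sample data are constructed placeholders.

```python
"""Added example, not code from the Dependency-Check project: matching a
dependency's CPE 2.3 name against vulnerable-software entries, the step that
turns a list of CPEs into findings. Sample data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import re

# The eleven attributes of a CPE 2.3 formatted string, in order.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Split 'cpe:2.3:a:vendor:product:version:...' into its attributes.
    Colons escaped with a backslash are part of a value, not separators."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_ATTRS):
        raise ValueError(f"expected {len(CPE_ATTRS)} components, got {len(parts)}: {cpe!r}")
    return dict(zip(CPE_ATTRS, parts))


def version_key(version: str) -> tuple:
    """Comparable key: numeric chunks compare as integers, others as strings."""
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.split(r"[.\-_]", version))


@dataclass
class VulnerableSoftware:
    """One vulnerable-software entry: a CPE match string plus an optional
    version range (field names assumed from NVD's versionStart*/versionEnd*)."""
    criteria: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None
    version_end_including: Optional[str] = None


def cpe_matches(dep_cpe: str, vs: VulnerableSoftware) -> bool:
    """True if the dependency's CPE falls inside the entry's name and version range."""
    dep, pat = parse_cpe23(dep_cpe), parse_cpe23(vs.criteria)
    # Every attribute except version: '*' in the match string accepts any
    # value, anything else must match exactly (case-insensitively).
    for attr in CPE_ATTRS:
        if attr != "version" and pat[attr] != "*" and pat[attr].lower() != dep[attr].lower():
            return False
    dv = dep["version"]
    if dv in ("*", "-"):
        return False  # no concrete version known: refuse to assert a match
    if pat["version"] != "*" and pat["version"].lower() != dv.lower():
        return False
    v = version_key(dv)
    if vs.version_start_including and v < version_key(vs.version_start_including):
        return False
    if vs.version_end_excluding and v >= version_key(vs.version_end_excluding):
        return False
    if vs.version_end_including and v > version_key(vs.version_end_including):
        return False
    return True


def find_matches(dep_cpe: str, entries: dict[str, list[VulnerableSoftware]]) -> list[str]:
    """Ids of every entry whose vulnerable-software list covers dep_cpe."""
    return [vid for vid, vss in entries.items()
            if any(cpe_matches(dep_cpe, vs) for vs in vss)]


# Constructed sample database; ids and vendor/product names are placeholders.
SAMPLE_ENTRIES = {
    "EXAMPLE-VULN-0001": [VulnerableSoftware(
        "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
        version_start_including="3.0", version_end_excluding="3.2.2")],
    "EXAMPLE-VULN-0002": [VulnerableSoftware(
        "cpe:2.3:a:example_vendor:example_lib:4.0:*:*:*:*:*:*:*")],
    "EXAMPLE-VULN-0003": [VulnerableSoftware(
        "cpe:2.3:a:other_vendor:example_lib:*:*:*:*:*:*:*:*")],
}

if __name__ == "__main__":
    for dep in ("cpe:2.3:a:example_vendor:example_lib:3.2.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:example_vendor:example_lib:3.2.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:example_vendor:example_lib:4.0:*:*:*:*:*:*:*"):
        print(dep, "->", find_matches(dep, SAMPLE_ENTRIES))
```

The version comparison deliberately refuses to match when the dependency's version is unknown (`*` or `-`), because a match asserted without a concrete version is the main source of false positives in this kind of lookup.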
Reporting is extremely important when dealing with vulnerability management, since it provides all security and development teams with actionable insights, as well as giving stakeholders the metrics that they need. The OWASP Dependency-Check can support these needs and can generate reports and exports in a variety of formats: XML, CSV, JSON, and HTML.
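An added example (not code from the Dependency-Check project) that ties the JSON report format to the fail-the-build use mentioned above: it flattens the report's findings, counts them per severity for a stakeholder metric, and applies a CVSS threshold the way the tool's own `--failOnCVSS` option does, with a reviewed suppression list. The report layout assumed here (a `dependencies` array whose items carry `fileName` and a `vulnerabilities` array with `name`, `severity`, `cvssv3.baseScore` or `cvssv2.score`) is my recollection of the tool's JSON output and should be checked against the schema shipped with your version; the sample report is constructed.

```python
"""Added example, not code from the Dependency-Check project: reading a JSON
report, summarising it by severity and gating a build on a CVSS threshold.
The report layout is an assumption about the tool's JSON output; the sample
report, ids and scores below are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dependency: str   # file name of the scanned artifact
    vuln_id: str      # vulnerability identifier from the report
    score: float      # CVSS base score used for gating
    severity: str     # severity label as reported


def vuln_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unknown)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def load_findings(report_json: str) -> list[Finding]:
    """Flatten every (dependency, vulnerability) pair in the report."""
    report = json.loads(report_json)
    return [
        Finding(dep.get("fileName", "?"), v.get("name", "?"),
                vuln_score(v), v.get("severity", "UNKNOWN").upper())
        for dep in report.get("dependencies", [])
        for v in dep.get("vulnerabilities") or []
    ]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def gate(findings: list[Finding], fail_on_cvss: float,
         suppressed: frozenset[str] = frozenset()) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking). A finding blocks when its score reaches the
    threshold and its id is not on the reviewed suppression list."""
    blocking = [f for f in findings
                if f.score >= fail_on_cvss and f.vuln_id not in suppressed]
    return (not blocking, blocking)


# Constructed sample report; ids, names and scores are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-3.2.1.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-VULN-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-VULN-0004", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}},
         ]},
        {"fileName": "clean-lib-1.0.0.jar", "vulnerabilities": []},
    ],
})

if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("by severity:", summarize(found))
    passed, blocking = gate(found, fail_on_cvss=7.0)
    print("build passes:", passed, [f.vuln_id for f in blocking])
```

Keeping the suppression list as an explicit input, rather than editing the threshold, leaves a record of which findings were accepted and why; the tool's own suppression file serves the same purpose in a real pipeline.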
OWASP Dependency-Check: Pros & Cons
| Pros | Cons |
|---|---|
| It’s free | No dashboard |
| Multiple reporting and export options | No overview report or report comparison |
| Easy to deploy and run | No vulnerability remediation |
| Lightweight | |