What's a Dependency Check & What's the Purpose?
I think we can all agree that nowadays we heavily rely on open source and 3rd party libraries & frameworks. By doing so we leverage the knowledge of other professionals around the world and increase the time to market by not having to write everything from scratch by ourselves. In addition, we don't have to maintain these supporting libraries ourselves which again saves us a lot of time and effort.
While it sounds amazing to use publicly available code and it certainly does bring a ton of benefits, we have to take it with a tiny grain of salt. The reason is there's an inherent problem in using publicly available code: existing vulnerabilities in that code will also be included in our code. By doing so we inject their vulnerabilities into our application as well.
While usually open-source projects handle their vulnerabilities well and fix them in a timely manner, these vulnerabilities are most often made publicly available for everyone to read about before they are fixed. Meaning that exploiters have the knowledge about these vulnerabilities as well and can use them to penetrate our application's security. In most cases the vulnerabilities are neglectable, but if they are severe risks it becomes crucial to handle them quickly.
OWASP Dependency-Check
The Open Web Application Security Project (OWASP) is a non-profit organization working on improving the security of software (https://owasp.org/about/).
The Dependency-Check is one of their projects. It's a Software Composition Analysis (SCA) tool that scans projects for publicly disclosed vulnerabilities.
What Files / Languages Can be Scanned for Vulnerabilities?
Dependency-Check can scan a multitude of file types & languages:
Node.js, Python, Ruby Gemspec, Swift, OpenSSL, Nuspec, Nexus, Jar, CocoaPods, CMake, Central, Autoconf, Assembly, and Archive
How Does the Dependency-Check Work?
It scans the project for "evidence" which may lead to the identification of Dependencies using the Common Platform Enumeration (CPE). It basically acts as mapping and helps to identify the dependencies in our project. In addition to this Dependency-Check uses third-party services such as NPM Audit API, OSS Index, retireJS, and Bundler Audit as well.
Once Dependency-Check found the name of a dependency it checks the Common Vulnerabilities and Exposures (CVE) catalog if there are any existing vulnerabilities. the CVE program identifies, defines & catalogs publicly disclosed cybersecurity vulnerabilities.
Currently, there are ~170.000 vulnerabilities listed in CVE. CVE also allows for a manual search of vulnerabilities, simply by inputting the dependency name on their website (https://cve.mitre.org/cve/search_cve_list.html)
Thank you for reading so far! 😃
In the next part I'll show you how to add a Dockerfile to run a Dependency-Check on your existing project and also how to add the Dependency-Check as an automated step to your Jenkins Pipeline
Also if you like this article or find it interesting be sure to leave a like or share it with people who might be interested in the topic 😃 It would help me a lot.