Sunday, June 11, 2017

Identifying Vulnerable Software Components while Coding with OWASP Dependency Check Maven Plugin

When developing software, most of the time we need to use 3rd party components to achieve the required functionality. In such cases, we need to make sure that the external components we use in our project are free from known vulnerabilities [1]. Otherwise, no matter how secure the code we write is, the software would still be vulnerable because of a known vulnerability in an external component that we make use of.
In the article [2] I explained how to use the OWASP Dependency Check [3] CLI tool [4] to analyze external components for known vulnerabilities. There, we had to separately download the external libraries, put them in a folder and run the tool on that folder to analyze all the libraries in it, which finally gives a report listing the components with known vulnerabilities along with the reported CVEs.

However, in practice the above approach does not scale, as we introduce new dependencies as and when we code. In such cases, the maven plugin [5] of OWASP Dependency Check does the job: every time we build the project, it analyzes all the external dependencies of the project and generates the vulnerability report. In this article I am explaining how to use this maven plugin to analyze the project dependencies and identify their reported vulnerabilities.

In the pom.xml file of your maven project, add the following plugin.

<build>

  <plugins>

     <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>1.4.5</version>
        <executions>
           <execution>
              <goals>
                 <goal>check</goal>
              </goals>
           </execution>
        </executions>
     </plugin>

  </plugins>

</build>


Now you can build the project (mvn clean install) and the plugin will generate the dependency check report in the target directory.

You can test the plugin by adding the following two dependencies to your project. Of these, version 3.1 of commons-httpclient has known vulnerabilities, which will be indicated in the vulnerability report. Version 4.5.3 of httpclient has no reported vulnerabilities and therefore will not be indicated in the report.

<dependencies>

  <dependency>
     <groupId>commons-httpclient</groupId>
     <artifactId>commons-httpclient</artifactId>
     <version>3.1</version>
  </dependency>

  <dependency>
     <groupId>org.apache.httpcomponents</groupId>
     <artifactId>httpclient</artifactId>
     <version>4.5.3</version>
  </dependency>

</dependencies>
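With the configuration above the build still succeeds and you have to open the report to notice a vulnerable dependency. As an added example (not part of the original post), the plugin declaration below uses two of the plugin's own documented parameters, failBuildOnCVSS and suppressionFile, so that a dependency carrying a CVE with a CVSS score of 7 or higher fails the build; the suppression file path is an assumed placeholder, and the parameter names should be checked against the documentation of the plugin version you use.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.4.5</version>
      <configuration>
        <!-- Fail the build when any dependency has a CVE scored 7.0 or higher.
             The default is 11, which means the build never fails on findings. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Assumed placeholder path: a reviewed suppression file keeps
             confirmed false positives from breaking the build. -->
        <suppressionFile>${basedir}/dependency-check-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, adding the commons-httpclient 3.1 dependency from the test above makes mvn clean install fail on the check goal instead of only writing the report, so a vulnerable component cannot slip through an unread report.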

References



Tharindu Edirisinghe (a.k.a thariyarox)
Independent Security Researcher