Sunday, November 19, 2017

Identify security vulnerabilities in software components using OWASP Dependency Check maven plugin

In the last post, we discussed that it is very important to check for potential security vulnerabilities in the 3rd party libraries/components we use during development. Today we will discuss how to find security vulnerabilities in software components using the OWASP Dependency Check Maven plugin.

Table Of Content

1. Introduction
2. Scope
3. How to use OWASP Dependency Check utility
4. Action Plan for Security Vulnerabilities
5. Conclusion

1. Introduction

In order to achieve overall application security, one also needs to check whether the 3rd party software libraries/components in use are free from any known, publicly disclosed vulnerabilities.
Here, we will use the OWASP Dependency Check utility to analyze all the external dependencies of our project and generate a vulnerability report. The tool addresses OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.

Some important pointers regarding this utility:
  1. Currently only Java and .NET are fully supported; experimental support has been added for Ruby, Node.js and Python, with limited support for C/C++ build systems (autoconf and cmake).
  2. The utility can be used as a command line tool, a Maven plugin, an Ant task or a Jenkins plugin.
  3. It automatically updates itself using the National Vulnerability Database (NVD) data feeds hosted by NIST.

2. Scope

Here, we will only discuss using the OWASP Dependency Check utility as a Maven plugin.

3. How to use OWASP Dependency Check utility

Follow the steps below:
  1. Add the entry below inside the plugins section of the POM file (pom.xml) of the required project
  2. Build the project using
    mvn clean install
  3. Check the target directory: the dependency check report (dependency-check-report.html) will be generated there
    Having built the project after adding the required plugin entry and obtained the report, here are some logs/screenshots for reference:
    1. Console log showing the series of analyzers that inspect our project dependencies
      [INFO] --- dependency-check-maven:2.1.1:check (default) @ pmd-demo ---
      [INFO] Checking for updates
      [INFO] Skipping NVD check since last check was within 4 hours.
      [INFO] Check for updates complete (18 ms)
      [INFO] Analysis Started
      [INFO] Finished Archive Analyzer (2 seconds)
      [INFO] Finished File Name Analyzer (0 seconds)
      [INFO] Finished Jar Analyzer (1 seconds)
      [INFO] Finished Central Analyzer (2 seconds)
      [INFO] Finished Dependency Merging Analyzer (0 seconds)
      [INFO] Finished Version Filter Analyzer (0 seconds)
      [INFO] Finished Hint Analyzer (0 seconds)
      [INFO] Created CPE Index (2 seconds)
      [INFO] Finished CPE Analyzer (2 seconds)
      [INFO] Finished False Positive Analyzer (0 seconds)
      [INFO] Finished Cpe Suppression Analyzer (0 seconds)
      [INFO] Finished NVD CVE Analyzer (0 seconds)
      [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
      [INFO] Finished Dependency Bundling Analyzer (0 seconds)
      [INFO] Analysis Complete (11 seconds)
      One or more dependencies were identified with known vulnerabilities in pmd-demo:
      validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
      tomcat-embed-core-8.5.20.jar (cpe:/a:apache:tomcat:8.5.20, cpe:/a:apache_software_foundation:tomcat:8.5.20, org.apache.tomcat.embed:tomcat-embed-core:8.5.20) : CVE-2017-12617
      See the dependency-check report for more details.
      [INFO] ------------------------------------------------------------------------
      [INFO] ------------------------------------------------------------------------
      [INFO] Total time: 26.728 s
    2. Dependency Check Report Screenshot

    3. Terminology used in the report
      CVE (Common Vulnerabilities and Exposures) - a unique identifier for a known security vulnerability, in the format CVE-<reported year>-<sequence number>
      CVSS (Common Vulnerability Scoring System) - a score on a scale from 0 to 10; the severity of a vulnerability is decided based on its CVSS score.
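The plugin entry that step 1 refers to is not reproduced in this post. The following is an added example (not the post's own pom.xml) of what such an entry looks like, assuming plugin version 2.1.1 as shown in the console log, a CVSS threshold of 7 chosen here for illustration, and a hypothetical suppression file named dependency-check-suppressions.xml:

```xml
<!-- Added example, not the original post's pom.xml. Version 2.1.1 is the one
     seen in the console log above; the threshold and file name are assumed. -->
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>2.1.1</version>
        <configuration>
          <!-- Fail the build when any dependency has a CVSS score of 7 or higher,
               so a newly introduced vulnerable component cannot slip through -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Reviewed findings are recorded in this file (see section 4) -->
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- Runs the analysis and writes target/dependency-check-report.html -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <!-- Optional: include the report in "mvn site" output, as mentioned in the conclusion -->
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>2.1.1</version>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>
```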

4. Action Plan for Security Vulnerabilities 

One needs to make sure that the project is not using any external library that is not safe to use. If such external 3rd party libraries/components are found, follow the action plan below:
  1. When a known security vulnerability in a 3rd party library is identified, look for a higher version of that library in which the issue is fixed.
  2. If the latest version of the 3rd party library also has known vulnerabilities, try an alternative library that has no reported vulnerabilities.
  3. Where there is no option other than using a particular 3rd party library even though it has known vulnerabilities, analyze each vulnerability and check whether it really has any impact on our project or not.
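The outcome of step 3 should be recorded rather than silently ignored, and the plugin's suppression file is the place to do that. As an added example that is not from the original post, the following suppression file records a review of the validation-api match from the console log above: the CPE it matched (cpe:/a:bean_project:bean, with a drupal target) names a different product than the Bean Validation API, which is assumed here to be a false positive confirmed by review; the file name, reviewer and date are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (dependency-check-suppressions.xml, name assumed), not from the original post.
     Referenced from the plugin's suppressionFile setting. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Finding from the console log: validation-api-1.1.0.Final.jar was matched to
       cpe:/a:bean_project:bean (a Drupal module) purely on the name "bean", and that
       CPE is what links it to CVE-2013-4499. Suppressing the wrong CPE match, rather
       than the CVE alone, also prevents future CVEs of that product from re-appearing
       against this library. Review outcome assumed: not applicable. -->
  <suppress>
    <notes><![CDATA[
      Reviewed by <REVIEWER> on <DATE>: javax.validation:validation-api is the
      Bean Validation API, not the Drupal "bean" project. Re-check on upgrade.
    ]]></notes>
    <!-- Limit the suppression to this artifact only, not to every jar matching the CPE -->
    <gav regex="true">^javax\.validation:validation-api:.*$</gav>
    <cpe>cpe:/a:bean_project:bean</cpe>
  </suppress>

  <!-- Deliberately no entry for tomcat-embed-core-8.5.20.jar: the CPE cpe:/a:apache:tomcat
       is the product actually in use, so CVE-2017-12617 is a real finding and is handled
       by upgrading the library (step 1), not by suppression. -->

</suppressions>
```

A suppression only removes the finding from the report; each entry should name who reviewed it and why, so the decision can be revisited when the library or the NVD data changes.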

5. Conclusion 

Writing secure code alone is not enough if vulnerable 3rd party libraries/components are used during development. If one uses the OWASP Dependency Check utility as a Maven plugin, then with every build one will know about any new vulnerabilities introduced by newly added project dependencies. One could also make dependency check report generation a part of the site generation process (all reports in one place 😊).

Thank you for reading this article. Feel free to connect with me for any queries and suggestions. See you soon. Happy Learning !! 😉
