├── .gitignore
├── 404.html
├── Gemfile
├── _config.yml
├── assets
│   └── images
│       ├── OWASP-20th.jpeg
│       └── README.md
├── index.md
├── info.md
└── leaders.md
/.gitignore:
--------------------------------------------------------------------------------
__pycache__
env
.vscode
_site/
--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------
---

title: 404 - Not Found
layout: col-generic

---

WHOA THAT PAGE CANNOT BE FOUND

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

If all else fails you can search our historical site.
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'
group :jekyll_plugins do
  gem "github-pages"
end
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
remote_theme: "owasp/www--site-theme@main"
plugins:
  - jekyll-include-cache-0.2.0
code_user: dependency-check
code_repo: DependencyCheck
--------------------------------------------------------------------------------
/assets/images/OWASP-20th.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-dependency-check/ce1ee332edc043b8e9b1ea9c966054b3dd678816/assets/images/OWASP-20th.jpeg
--------------------------------------------------------------------------------
/assets/images/README.md:
--------------------------------------------------------------------------------
# placeholder

Put images you wish to link to in this folder

link would be in form /assets/images/
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
---

layout: col-sidebar
title: OWASP Dependency-Check
site_side: true
tags: dependency-check sca cpe purl vulnerability
level: 4
type: tool
pitch: Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

---

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it generates a report linking to the associated CVE entries.

## Introduction

The OWASP Top 10 2013 introduced a new entry, A9 - Using Components with Known Vulnerabilities (carried forward in the 2021 edition as A06:2021 - Vulnerable and Outdated Components). Dependency-Check can be used to scan applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled "[Unfortunate Reality of Insecure Libraries](https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf)". The gist of the paper is that we as a development community include third-party libraries in our applications that contain well-known, published vulnerabilities (such as those in the [National Vulnerability Database](https://nvd.nist.gov/vuln/search)).

Dependency-Check has a command line interface, a Maven plugin, a Gradle plugin, an Ant task, and a Jenkins plugin. The core engine runs a series of analyzers that inspect the project dependencies and collect pieces of information about each of them (referred to as evidence within the tool): vendor, product and version strings taken from file names, manifests, and package metadata. The evidence is then used to identify the [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe) for the given dependency. If a CPE is identified, the associated [Common Vulnerabilities and Exposures (CVE)](https://cve.mitre.org/) entries are listed in a report. Because the CPE match is evidence-based rather than exact, false positives occur; review the evidence the report shows for each flagged dependency and record confirmed false positives in a suppression file rather than ignoring the finding. Other third-party services and data sources such as the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit are used for specific technologies.

Dependency-Check automatically keeps its local copy of the NVD data current. Releases from 9.0 onward fetch it from the NVD API rather than the retired [NVD Data Feeds](https://nvd.nist.gov/vuln/data-feeds) hosted by NIST; an NVD API key is strongly recommended, because unauthenticated requests are heavily rate limited. **IMPORTANT NOTE:** The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only the changes since the last run need to be downloaded to keep the local copy of the data current.
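The two paragraphs above describe the CLI, the evidence-to-CPE matching, and the NVD update, but not how a CI job actually consumes the result. The following is an added example (my own code, not part of the Dependency-Check project): it assembles a CLI invocation with the documented `--project`, `--scan`, `--format`, `--out`, `--failOnCVSS`, `--nvdApiKey` and `--suppression` flags, then gates on the JSON report by flattening every dependency's vulnerabilities and failing when any CVSS base score reaches a threshold. The report field names used (`dependencies[].fileName`, `vulnerabilities[].name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) are assumed from the tool's JSON report layout; the sample report is constructed inline with placeholder identifiers and is not a real scan result.

```python
"""Added example, not part of OWASP Dependency-Check: build a CLI scan command
and gate a CI job on the JSON report it produces."""
import json

CVSS_FAIL_THRESHOLD = 7.0  # fail on High (7.0-8.9) and Critical (9.0-10.0)


def build_scan_command(project, scan_path, out_dir,
                       nvd_api_key=None, suppression_file=None):
    """Return the argv for a dependency-check CLI scan that writes a JSON report.

    --failOnCVSS makes the CLI itself exit non-zero at or above the threshold;
    gate_report() below is the second check that also reports *what* failed.
    --nvdApiKey is only added when a key is supplied; without it the NVD
    update is heavily rate limited (the script name is assumed to be on PATH).
    """
    cmd = [
        "dependency-check.sh",
        "--project", project,
        "--scan", scan_path,
        "--format", "JSON",
        "--out", out_dir,
        "--failOnCVSS", str(CVSS_FAIL_THRESHOLD),
    ]
    if nvd_api_key:
        cmd += ["--nvdApiKey", nvd_api_key]
    if suppression_file:  # XML file recording reviewed false positives
        cmd += ["--suppression", suppression_file]
    return cmd


def finding_score(vuln):
    """Best available CVSS base score: v3 first, then v2, else None.
    Field names assumed from the JSON report layout."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def gate_report(report, threshold=CVSS_FAIL_THRESHOLD):
    """Return (passed, failing); failing lists findings at or above threshold,
    highest score first. Dependencies without a 'vulnerabilities' key are clean."""
    failing = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = finding_score(vuln)
            if score is not None and score >= threshold:
                failing.append({
                    "dependency": dep.get("fileName"),
                    "cve": vuln.get("name"),
                    "severity": vuln.get("severity"),
                    "score": score,
                })
    failing.sort(key=lambda f: f["score"], reverse=True)
    return (not failing), failing


# Constructed sample in the shape of a dependency-check JSON report. The
# file names and CVE-0000-* identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{
  "reportSchema": "1.1",
  "dependencies": [
    {
      "fileName": "example-lib-1.0.0.jar",
      "evidenceCollected": {
        "productEvidence": [{"source": "Manifest", "name": "Implementation-Title",
                             "value": "example-lib", "confidence": "HIGH"}],
        "versionEvidence": [{"source": "file", "name": "version",
                             "value": "1.0.0", "confidence": "HIGHEST"}]
      },
      "vulnerabilities": [
        {"source": "NVD", "name": "CVE-0000-0001", "severity": "CRITICAL",
         "cvssv3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        {"source": "NVD", "name": "CVE-0000-0002", "severity": "MEDIUM",
         "cvssv2": {"score": 5.0, "severity": "MEDIUM"}}
      ]
    },
    {"fileName": "other-lib-2.3.4.jar"}
  ]
}
""")


if __name__ == "__main__":
    print(" ".join(build_scan_command("demo", "target/", "reports",
                                      nvd_api_key="<key>",
                                      suppression_file="suppressions.xml")))
    passed, failing = gate_report(SAMPLE_REPORT)
    for f in failing:
        print(f"{f['dependency']}: {f['cve']} {f['severity']} {f['score']}")
    raise SystemExit(0 if passed else 1)
```

The gate deliberately falls back to the CVSSv2 score when no v3 score is present, so older NVD entries still count; findings with no score at all are kept out of the failure list but are still in the report for manual review.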
24 |
--------------------------------------------------------------------------------
/info.md:
--------------------------------------------------------------------------------
### Project Classification

[![Incubator Project](assets/images/common/owasp_incubator_project.png)](https://owasp.org/projects/)

[![Tool Project](assets/images/common/owasp_tool_project.png)](https://owasp.org/projects/)
[![Builders](assets/images/common/owasp_builders_small.png)](https://owasp.org/projects/)

[![Defenders](assets/images/common/owasp_defenders_small.png)](https://owasp.org/projects/)

### Downloads

Version 12.1.0
* [Command Line](https://github.com/dependency-check/DependencyCheck/releases/download/v12.1.0/dependency-check-12.1.0-release.zip)
* [Ant Task](https://github.com/dependency-check/DependencyCheck/releases/download/v12.1.0/dependency-check-ant-12.1.0-release.zip)
* [Maven Plugin](https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C12.1.0%7Cmaven-plugin)
* [Gradle Plugin](https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-gradle%7C12.1.0%7Cgradle-plugin)
* [Mac Homebrew](https://brew.sh/): `brew update && brew install dependency-check`

Other Plugins
* [Jenkins Plugin](https://plugins.jenkins.io/dependency-check-jenkins-plugin)
* [SBT Plugin](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.vonbuchholtz%22%20a%3A%22sbt-dependency-check%22)
* [lein-dependency-check](https://github.com/livingsocial/lein-dependency-check)

### Integrations

* [SonarQube Plugin](https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin)
* [Circle CI Orb](https://github.com/entur/owasp-orb)

### External Resources

* [GitHub](https://github.com/dependency-check/DependencyCheck)
* [Gradle Source](https://github.com/dependency-check/dependency-check-gradle)
* [SBT Source](https://github.com/albuch/sbt-dependency-check)
* [Jenkins Source](https://github.com/jenkinsci/dependency-check-plugin)
* [Ohloh](https://www.ohloh.net/p/dependencycheck)
* [Bintray](https://bintray.com/jeremy-long/owasp)

### Documentation

* [Documentation (on GitHub)](https://dependency-check.github.io/DependencyCheck/)

### Support

* [GitHub Issues](https://github.com/dependency-check/DependencyCheck/issues)

### Presentation

* [dependency-check (PDF)](https://dependency-check.github.io/DependencyCheck/general/dependency-check.pdf)
* [dependency-check (PPTX)](https://dependency-check.github.io/DependencyCheck/general/dependency-check.pptx)

### Licensing

[Apache 2 License](https://www.apache.org/licenses/LICENSE-2.0)

--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
### Leaders
* [Jeremy Long](mailto:jeremy.long@owasp.org)

--------------------------------------------------------------------------------