Sunday, July 9, 2017

Are your dependencies safe to use?

Using components with known vulnerabilities is the ninth item in the OWASP Top Ten, and a widely ignored one in application security. According to the article "The Unfortunate Reality of Insecure Libraries", most of us are not aware that our applications contain well-known vulnerabilities.
Following are some interesting findings from the article.

  • 29.8 million (26%) of library downloads have known vulnerabilities
  • Security libraries are slightly more likely to have a known vulnerability than frameworks
  • Java apps are likely to include at least one vulnerable library
  • The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and Struts 1.x


So it is really important to inspect our dependencies frequently against those known issues.
OWASP Dependency-Check is a tool that identifies known vulnerabilities in Java dependencies. Since it comes with Maven, Gradle and Ant plugins, it is really easy for a developer to inspect those vulnerabilities. It also comes as a Jenkins plugin, so we can easily integrate it and check periodically for vulnerabilities without human intervention.

Integrating OWASP Dependency-Check for Maven.
Include the following plugin in the plugins section of your POM file.

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>2.0.0</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>


Once the plugin is configured, we can invoke it by executing the following Maven goal.

mvn clean install

It will cross-check your dependencies against the vulnerability database and generate a report if anything suspicious is found. But keep in mind that there can be false positives as well.

Example report:

[INFO] Analysis Complete (5 seconds)
[WARNING]

One or more dependencies were identified with known vulnerabilities
in project-name: jar-file-name-1.3.1.jar (jar-file-name:jar-file-name:x.x.x,
cpe:/a:groupId:artifact_id:x.x.x) : CVE-2020-9999, CVE-2020-4444444
See the dependency-check report for more details.
[INFO]
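As an added example (not from the original post or from the Dependency-Check project), here is a small Python gate that parses console output shaped like the report above and fails a CI job unless every reported CVE has been reviewed and suppressed as a false positive. The sample output, jar names and CVE ids are constructed placeholders, and the one-finding-per-line layout is assumed from the excerpt above.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample of dependency-check console output, modelled on the
# report excerpt in this post; jar names, versions and CVE ids are placeholders.
SAMPLE_OUTPUT = """\
[INFO] Analysis Complete (5 seconds)
[WARNING]

One or more dependencies were identified with known vulnerabilities in project-name:

jar-file-name-1.3.1.jar (jar-file-name:jar-file-name:x.x.x, cpe:/a:groupId:artifact_id:x.x.x) : CVE-2020-9999, CVE-2020-4444444
other-lib-2.0.jar (other-lib:other-lib:2.0, cpe:/a:other:other-lib:2.0) : CVE-2020-1234

See the dependency-check report for more details.
"""

# One finding line: "<file>.jar (<coordinates>) : CVE-..., CVE-..."
FINDING_RE = re.compile(r"^(?P<jar>\S+\.jar)\s+\((?P<coords>[^)]*)\)\s*:\s*(?P<cves>.+)$")


def parse_findings(output: str) -> Dict[str, List[str]]:
    """Map each flagged jar to the list of CVE ids printed for it."""
    findings: Dict[str, List[str]] = {}
    for line in output.splitlines():
        match = FINDING_RE.match(line.strip())
        if not match:
            continue  # banner, blank and [INFO] lines carry no finding
        cves = [c.strip() for c in match.group("cves").split(",") if c.strip()]
        findings[match.group("jar")] = cves
    return findings


def unsuppressed(findings: Dict[str, List[str]], suppressed: FrozenSet[str]) -> Dict[str, List[str]]:
    """Drop CVE ids already reviewed as false positives; keep only what still needs action."""
    remaining: Dict[str, List[str]] = {}
    for jar, cves in findings.items():
        keep = [c for c in cves if c not in suppressed]
        if keep:
            remaining[jar] = keep
    return remaining


def should_fail_build(output: str, suppressed: FrozenSet[str] = frozenset()) -> bool:
    """True when at least one reported CVE is not on the reviewed suppression list."""
    return bool(unsuppressed(parse_findings(output), suppressed))
```

Keep the suppression list under version control next to the POM, so each accepted false positive is reviewed in the same change as the code that depends on the library.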