Tarin Gamberini

A software engineer and a passionate java programmer

Ready To Use Java Dependencies Vulnerability Checker

Most Free Software and Open Source software consists of both newly written source code and reused 3rd-party “binary” code. When we write new software we usually make it depend on many 3rd-party libraries (such libraries are also called dependencies).

To give an idea of how complex and deep the dependency graph can be, suppose our new software has a direct dependency on the 3rd-party library rampart-core-1.3 (on the left in the figure above). That library itself depends on other 3rd-party libraries. This second level of 3rd-party libraries, with respect to our new software, consists of what are called transitive dependencies. Now consider that our new software might have many direct dependencies, and imagine how many 3rd-party dependencies it consists of.

Thanks to some Ready To Use Java Static Code Analyzers we know how to discover some bugs in source code, but what about bugs and vulnerabilities in 3rd-party dependencies?

The paper “The Unfortunate Reality of Insecure Libraries” gives an idea about the quantitative impact of such vulnerabilities:

88% of code in today's applications come from libraries and frameworks.

113 million downloads analyzed for the 31 most popular Java frameworks/libs
show that 26% had known vulnerabilities.

Based on typical vulnerability rates, the vast majority of library flaws remain
undiscovered.

The more direct dependencies your software reuses, the more complex the dependency graph will be. In general, the more 3rd-party dependencies your software reuses, the higher the vulnerability risk.

Fortunately, there is a ready-to-use dependency vulnerability checker that you should know about!

OWASP Dependency-Check to the Rescue

OWASP Dependency-Check is a tool that identifies project dependencies and checks whether they have any known, publicly disclosed vulnerabilities.

The OWASP Dependency-Check project is extremely mature and the dependency checker is available as:

  • Command Line
  • Mac Homebrew
  • Ant Task
  • Maven Plugin
  • Jenkins Plugin
  • SonarQube Plugin

so you can easily integrate it in your software build process.

OWASP Dependency-Check inspects your software dependencies and collects evidence about them. This evidence is used to identify the Common Platform Enumeration (CPE) for each dependency. If a CPE is identified, the associated Common Vulnerabilities and Exposures (CVE) entries are listed in a report.

For example, because rampart-core-1.3 reuses commons-collections-3.1.jar, OWASP Dependency-Check maps the evidence collected on the latter to the CVE-2015-6420 vulnerability.
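
A simplified model of the evidence, CPE and CVE chain described above, as an added example that is not part of the original post and is not Dependency-Check's own code. The CPE dictionary, the CVE feed and the JAR manifest are constructed samples, and the HIGHEST/LOWEST rule is an assumption made for illustration.

```python
import io
import re
import zipfile

# Constructed stand-ins for the CPE dictionary and the NVD CVE feed.
CPE_DICTIONARY = [("apache", "commons_collections"), ("apache", "commons_io")]
CVE_FEED = {"cpe:/a:apache:commons_collections:3.1": ["CVE-2015-6420"]}

def make_jar(manifest):
    """Build an in-memory JAR holding only a MANIFEST.MF (constructed input)."""
    body = "".join(f"{key}: {value}\r\n" for key, value in manifest.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + body)
    return buf.getvalue()

def token(value):
    """Normalise free text to the lower_snake form used in CPE names."""
    return re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")

def collect_evidence(file_name, jar_bytes):
    """Collect vendor/product/version hints from the file name and manifest."""
    ev = {"vendor": set(), "product": set(), "version": set()}
    m = re.match(r"(.+?)-(\d[\w.]*)\.jar$", file_name)
    if m:
        ev["product"].add(token(m.group(1)))
        ev["version"].add(m.group(2))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        key, _, value = line.partition(": ")
        if key == "Implementation-Vendor-Id":      # e.g. org.apache
            ev["vendor"].update(token(part) for part in value.split("."))
        elif key == "Implementation-Title":
            ev["product"].add(token(value))
        elif key == "Implementation-Version":
            ev["version"].add(value.strip())
    return ev

def identify_cpes(ev):
    """Match evidence to dictionary entries; vendor agreement raises confidence."""
    return [(f"cpe:/a:{vendor}:{product}:{version}",
             "HIGHEST" if vendor in ev["vendor"] else "LOWEST")
            for vendor, product in CPE_DICTIONARY if product in ev["product"]
            for version in sorted(ev["version"])]

def check(file_name, jar_bytes):
    """Return (cpe, confidence, cves) for each identified CPE with known CVEs."""
    cpes = identify_cpes(collect_evidence(file_name, jar_bytes))
    return [(cpe, conf, CVE_FEED[cpe]) for cpe, conf in cpes if cpe in CVE_FEED]
```

A renamed JAR with an empty manifest yields no evidence and therefore no CPE, so a dependency that is absent from the report is not thereby proven clean.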

OWASP Dependency-Check IDE Integration

At the moment OWASP Dependency-Check isn’t available as an IDE plugin, but it can easily be integrated into your build process, for example by using the dependency-check-maven plugin. You may configure it to generate a web site report:

pom.xml
<project>
    ...
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.3.4</version>
            </plugin>
        </plugins>
    </reporting>
    ...
</project>

If you run mvn clean site you get a list of affected dependencies:

For each dependency you get various useful vulnerability metrics such as Highest Severity (High, Medium, …) and CPE Confidence (HIGHEST, …, LOWEST). You also get the vulnerability details (for example, looking at commons-collections-3.1.jar):

Dependency-Check automatically updates itself using the NVD Data Feeds hosted by NIST, so the first check takes a long time, as you can see from the following site generation log:

$ mvn clean site
...
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2003  (1638 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2002  (2324 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2005  (1700 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2006  (1903 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2004  (5741 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2008  (1982 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Download Complete for NVD CVE - 2007  (3541 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2003  (5273 ms)
[INFO] Processing Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2010  (3603 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2002  (4259 ms)
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2011  (4368 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2009  (6302 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2012  (2574 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2013  (2356 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Download Complete for NVD CVE - 2016  (1014 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - 2014  (2668 ms)
[INFO] Download Complete for NVD CVE - Modified  (593 ms)
[INFO] Processing Complete for NVD CVE - 2005  (4118 ms)
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2015  (3136 ms)
[INFO] Processing Complete for NVD CVE - 2006  (4868 ms)
[INFO] Processing Started for NVD CVE - 2004
[INFO] Processing Complete for NVD CVE - 2004  (1887 ms)
[INFO] Processing Started for NVD CVE - 2008
[INFO] Processing Complete for NVD CVE - 2008  (8987 ms)
[INFO] Processing Started for NVD CVE - 2007
[INFO] Processing Complete for NVD CVE - 2007  (6670 ms)
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2010  (20986 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2011  (166487 ms)
[INFO] Processing Started for NVD CVE - 2009
[INFO] Processing Complete for NVD CVE - 2009  (9922 ms)
[INFO] Processing Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2012  (27132 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2013  (20152 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Complete for NVD CVE - 2016  (343 ms)
[INFO] Processing Started for NVD CVE - 2014
[INFO] Processing Complete for NVD CVE - 2014  (12995 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (281 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Processing Complete for NVD CVE - 2015  (7113 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (318795 ms)
[INFO] Analysis Starting
...

Even though the dependency-check-maven:check goal could be bound to a pre-install phase, I would dissuade you from doing so, because the feedback OWASP Dependency-Check gives you is meaningful only when the software's dependencies change, and this usually happens rarely.

Instead of weighing down your daily build with a time-consuming analysis that is not meaningful, it would be better to bind the inspection to the site phase or to rely on your continuous integration infrastructure.

OWASP Dependency-Check Continuous Integration

OWASP Dependency-Check can be integrated into Jenkins by using the OWASP Dependency-Check Plugin. The Dependency-Check Jenkins Plugin relies on the XML report generated by the command line, Ant task or Maven plugin, so it’s recommended to include a Dependency-Check inspection as part of the build process. For example, you may run mvn verify -Pquality_assurance_reports, assuming you have already configured your pom.xml with:

pom.xml
<project>
    ...
    <profiles>
        <profile>
            <id>quality_assurance_reports</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <executions>
                            <execution>
                                <id>dependency-check-maven_GOALcheck_on_PHASEverify</id>
                                <phase>verify</phase>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                            </execution>
                        </executions>
                        <configuration>
                            <format>XML</format>
                        </configuration>
                    </plugin>
                    ...
                </plugins>
            </build>
        </profile>
    </profiles>
    ...
</project>
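
The XML report produced by this profile can also gate a build directly. The script below is an added example, not part of the original post or of the Dependency-Check project: it reads a constructed, reduced report (element names are assumed to match the report format, and the namespace URI is a placeholder) and returns the findings at or above a CVSS threshold, minus an explicit list of accepted CVEs.

```python
import xml.etree.ElementTree as ET

# Constructed, reduced report. Element names are assumed to follow the
# Dependency-Check XML report; the namespace URI is a placeholder,
# CVE-0000-0000 is a placeholder id and both scores are constructed values.
SAMPLE_REPORT = """\
<analysis xmlns="urn:example:dependency-check">
  <dependencies>
    <dependency>
      <fileName>commons-collections-3.1.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2015-6420</name>
          <cvssScore>7.5</cvssScore>
        </vulnerability>
        <vulnerability>
          <name>CVE-0000-0000</name>
          <cvssScore>2.1</cvssScore>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>rampart-core-1.3.jar</fileName>
    </dependency>
  </dependencies>
</analysis>"""

def local(elem):
    """Tag name without the XML namespace, so any report namespace is accepted."""
    return elem.tag.rsplit("}", 1)[-1]

def text_of(parent, name):
    """Text of the first direct child called `name`, or '' when absent."""
    return next((c.text or "" for c in parent if local(c) == name), "").strip()

def findings(report_xml):
    """Yield (file, CVE, CVSS) per vulnerability; a missing score counts as 10.0."""
    for dep in ET.fromstring(report_xml).iter():
        if local(dep) != "dependency":
            continue
        for vuln in dep.iter():
            if local(vuln) == "vulnerability":
                yield (text_of(dep, "fileName"), text_of(vuln, "name"),
                       float(text_of(vuln, "cvssScore") or 10.0))

def gate(report_xml, max_cvss, accepted=frozenset()):
    """Findings that break policy: score at or above max_cvss and not accepted."""
    return [f for f in findings(report_xml)
            if f[2] >= max_cvss and f[1] not in accepted]
```

A CI step can fail the job whenever gate() returns a non-empty list; the accepted set should name each CVE that has been reviewed, so that new findings are never hidden by a blanket exception.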

The Dependency-Check Jenkins Plugin, besides CVEs, shows a list of Common Weakness Enumeration (CWE) too:

Even though a weakness is not a vulnerability, CWE provides a human-comprehensible common language for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type and is associated with one or more CVEs.

Enforcing Organization Security Policy

In 2013 the OWASP Top 10 grew with a new entry: A9 - Using Components with Known Vulnerabilities. So OWASP Dependency-Check is a really useful tool for identifying any known vulnerable 3rd-party dependency.

The list of identified vulnerable 3rd-party dependencies is a kind of documentation that your organization can use to meet its security requirements, and not only, for example, as a starting point for a per-project plan for upgrading 3rd-party dependencies. In fact, if your organization's infrastructure offers a binary repository manager such as Nexus, Artifactory and the like, the IT Security Manager can configure there which dependencies have to be blocked, so that no developer can ever download vulnerable dependencies from the corporate binary repository manager.

2 Comments to “Ready To Use Java Dependencies Vulnerability Checker”

Posted by Anicet Togue

Hi Tarin,

thanks for this great overview about vulnerable dependencies. Anyway, I always suggest using a binaries repository manager for better detection.

Best regards,
Anicet

Posted by Tarin Gamberini

Hi Anicet,

I agree with you in the sense that a binaries repository manager would provide a more integrated solution.

The organization where I work has adopted Nexus OSS (open-source) repository manager. Unfortunately only the proprietary Nexus repository manager supports vulnerability checks, showing charming check panels.

But, as the Nexus Health Check FAQ doesn’t provide details about how vulnerabilities are detected, I don’t know if the proprietary Nexus Repository Manager is really better than the OWASP Dependency Checker (but if anyone knows please tell us).

Best,
Tarin
