How to check whether your Java libraries have known security vulnerabilities?

A Maven plugin can check your Java libraries for known vulnerabilities. It is called dependency-check-maven.

The OWASP Dependency Check utility uses NIST’s National Vulnerability Database (NVD) to identify vulnerable dependencies, so the vulnerability list is always up to date.

  <plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.4.4</version>
    <configuration>
      <skip>false</skip>
      <skipTestScope>false</skipTestScope>
      <skipProvidedScope>false</skipProvidedScope>
      <skipRuntimeScope>false</skipRuntimeScope>
    </configuration>
    <executions>
      <execution>
        <goals>
          <goal>check</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

https://blog.lanyonm.org/articles/2015/12/22/continuous-security-owasp-java-vulnerability-check.html

Requirements

You will need the following to use OWASP Dependency Check for Maven.

  • Maven version higher than 3.1

    Tips to quickly check only some libraries

    Let’s say you cannot compile the whole project because some jars/files are missing. Then you cannot use the plugin immediately: you need to compile the project first. If you don’t need to compile the whole project, you can simply create a minimal pom listing only the dependencies to check.

    Example:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
      <modelVersion>4.0.0</modelVersion>

      <groupId>com.mytest.framework</groupId>
      <artifactId>mytestframe</artifactId>
      <packaging>pom</packaging>
      <name>com.mytest.framework.mytestframe</name>
      <version>1.0.0-SNAPSHOT</version>

      <properties>
        <spring.version>1.0.0.RELEASE</spring.version>
      </properties>

      <build>
        <pluginManagement>
          <plugins>
            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>1.4.4</version>
              <configuration>
                <skip>false</skip>
                <skipTestScope>false</skipTestScope>
                <skipProvidedScope>false</skipProvidedScope>
                <skipRuntimeScope>false</skipRuntimeScope>
              </configuration>
              <executions>
                <execution>
                  <goals>
                    <goal>check</goal>
                  </goals>
                </execution>
              </executions>
            </plugin>
          </plugins>
        </pluginManagement>
      </build>

      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-webmvc</artifactId>
          <version>${spring.version}</version>
        </dependency>
      </dependencies>
    </project>


    Check the Maven dependencies with this command:

    mvn dependency-check:check
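    With the configuration shown above, the plugin reports findings but, with its default settings, the build still succeeds. The following is an added example, not part of the original post: the same plugin declared under <plugins> (so it runs as part of the normal build) and configured with failBuildOnCVSS so that mvn verify fails as soon as a dependency carries a vulnerability scoring CVSS 7 or higher. failBuildOnCVSS and format are existing plugin parameters; the threshold of 7 and the choice of the verify phase are my assumptions.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.4.4</version>
      <configuration>
        <!-- The plugin default is 11, which never fails the build (CVSS runs 0-10).
             Failing at 7 (High) is a policy choice for this example, not a value
             from the original post; lower it if your policy requires. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Produce the HTML report for humans and the XML report for CI tooling;
             both are written under target/. -->
        <format>ALL</format>
        <!-- Keep scanning every scope: test and provided jars still end up on
             developer machines and build agents. -->
        <skipTestScope>false</skipTestScope>
        <skipProvidedScope>false</skipProvidedScope>
        <skipRuntimeScope>false</skipRuntimeScope>
      </configuration>
      <executions>
        <execution>
          <!-- Explicitly bind to verify so "mvn verify" or "mvn install" runs the
               check without anyone having to remember dependency-check:check. -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

    A build that stops at verify with a CVSS-based failure is the signal your CI pipeline should treat as a blocking security finding rather than a warning.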
    

    Reporting

    See the link above for integrating the report into your continuous integration. Otherwise, here is an example of the output once you run the Maven plugin:

    One or more dependencies were identified with known vulnerabilities in my_project:
     
    logback-core-1.1.3.jar (ch.qos.logback:logback-core:1.1.3, cpe:/a:logback:logback:1.1.3) : CVE-2017-5929
    commons-collections-3.2.1.jar (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420

    Troubleshooting

    If you get the following error:

    -Dmaven.multiModuleProjectDirectory system property is not set
    

    then you need to modify the Java run configuration in Eclipse as shown in the screenshot: [image: owasp_check_maven]
