• Home
  • About us
  • Sitemap

Grudgets

  • How-tos
  • Smartphones
  • Android
  • Tricks
  • Rooting
  • Internet
  • Giveaway

Search

You are here: Home / Programming / Find vulnerabilities in Java dependencies easily 2021

Find vulnerabilities in Java dependencies easily 2021

Mujtaba Published on May 25th, 2021 Programming Leave a Comment

When we start working on a new project, many times we add third party dependencies for some common functionalities. These libraries themselves are also dependent on another set of dependencies to provide the functionality in the same package. Although it is not an issue to use dependencies, but over time there are a lot of them. So, it becomes necessary to find out which one of these has any vulnerabilities.

In general, the more dependencies your project uses, the more complex your dependency tree will be and hence the risk of vulnerability. You can use static code analysers to find out if there are any bugs introduced in your code, but what about third-party dependencies? This is where dependency vulnerability checker comes in handy.

OWASP Dependency checker to find vulnerabilities in java projects

OWASP dependency checker is an open-source software that checks your project dependencies for known publicly disclosed vulnerabilities. It will inspect dependencies used by your application/ project and collect evidence from the Common Platform Enumeration (CPE) for each of these. If there are evidences found for a particular library, listing associated with the corresponding library in CVE are listed in the report.

The dependency checker is available as:

  • Ant Task.
  • Command Line tool.
  • Gradle plugin.
  • Jenkins plugin.
  • Maven plugin (For maven version 3.1 or higher).
  • SBT plugin.

OWASP IDE Integration?

As mentioned earlier, there is no official support for IDE. Instead, it is straightforward to integrate it in your build process.

OWASP Maven plugin

The maven plugin is pretty straight forward to use. All you must do is add the maven dependency and the plugin goal. The latest version of the plugin (as of writing this article) is 6.1.6, which can be downloaded from here. Just add the following plugin to your pom:

<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId
   <version>6.1.6</version>
   <executions>
      <execution>
         <goals>
            <goal>check</goal>
         </goals>
      </execution>
   </executions>
</plugin>

And run the command from your project directory:

mvn clean verify

It will start downloading the required dependencies to find the vulnerabilities.

Please do note that when you run the above command for the first time, then it may take up to 20 minutes to complete since it downloads and processes all the data from the National Vulnerabilities Database, i.e., NVD. After the initial download, the subsequent checks should not check more than a couple of seconds to run if you run it at least once every 7 days.

Once the above command has been executed successfully, it should generate an html file in the target folder of your maven project. This file will have the list of all affected dependencies. For each of these affected libraries, you will even find that there are a lot of other important details like Highest Severity level, the CPE confidence along with the CVE count.

Sample HTML OWASP report

Clicking on individual dependency will also show the details of the vulnerability. For instance, see the following screenshot for the batik-all-1.13.jar file:

Details of vulnerable dependency

Or if you prefer to generate the report in clean CSV format, you can run the following command:

mvn clean verify -Dformat=CSV

This CSV file will include all the details about the vulnerabilities present in the HTML file in neat tabular format which is useful for documentation rather than HTML.

Generating aggregated dependency check reports

If you have a project with multiple modules, then you can generate an aggregated report by using the following config in your pom:

<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId>
   <version>6.1.6</version>
   <reportSets>
      <reportSet>
         <reports>
            <report>aggregate</report>
         </reports>
      </reportSet>
   </reportSets>
</plugin>

From the terminal, run the following command to generate HTML reports

mvn org.owasp:dependency-check-maven:aggregate

And for CSV reports, just add the flag

mvn org.owasp:dependency-check-maven:aggregate -Dformat=CSV

Failing build based on CVS score

As I had mentioned earlier, there are scores assigned to every vulnerability. So, what if you wanted to set a threshold score, let’s say of 5, and want the build to fail if the score is greater than equal to 5? To do that, just use the following configuration in your plugin block:

<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId>
   <version>6.1.6</version>
   <configuration>
      <failBuildOnCVSS>5</failBuildOnCVSS>
   </configuration>
   <executions>
      <execution>
         <goals>
            <goal>check</goal>
         </goals>
      </execution>
   </executions>
</plugin>

And the run the following command from the project directory:

mvn clean verify

Skip checking artifacts that are not part of the final build.

There are certain dependencies that are not present in the final build. For instance, if you add libraries with test/provided scope, they are not present in the final package. So, in such scenarios it makes sense to skip checking these libraries for vulnerabilities. To do so, just add the following configuration to the plugin section of your pom:

<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId>
   <version>6.1.6</version>
   <configuration>
      <skipProvidedScope>true</skipProvidedScope>
      <skipRuntimeScope>true</skipRuntimeScope>
   </configuration>
   <executions>
      <execution>
         <goals>
            <goal>check</goal>
         </goals>
      </execution>
   </executions>
</plugin>
finding vulnerabilities in java project

2. OWASP command line tool

The command line tool comes in handy if you want to scan your repository. It can be installed on MacOS using brew

brew install dependency-check

In order to find vulnerabilities, run it using the following command:

dependency-check --project Dependency-Check-Demo --out . --scan ~/demo

The -out flag is used to specify the location to save the output HTML file.

For Windows and Linux, you can download the latest release from the Github release page here.

To scan a folder on your system, you can run the following on

Windows:

dependency-check.bat --project Dependency-Check-Demo –scan "C:\Documents\java\lib"

Linux:

dependency-check.sh --project Dependency-Check-Demo --scan ~/java/lib

To view all the command line arguments, you can run the following command:

Windows:

dependency-check.bat –help

Linux:

dependency-check.sh –help

For more command line options, you can check out this link: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

OWASP Dependency Check plugin for Jenkins

This is a handy plugin that can be integrated with your CI pipeline. Integrating is pretty straightforward, just install the plugin from Jenkins marketplace and head over to the global tool configuration page, in case changes are required. Once installed, it will display the following options in the project configuration page.

Global config for jenkins

Just select the argument and it is done. Once the next build is triggered, then it will start showing the vulnerabilities present in your build/ package on the dashboard itself. You can refer the screenshot below for more details.

Final words

The OWASP dependency checker is an awesome plugin to either integrate with your CI builds or use locally. It will be useful if you are planning to use open source projects which might have outdated library versions. On the other hand, it will be useful for your own projects as well to keep out from using old or vulnerable libraries.

More from my site

  • VMware Recovery Software – Powerful Tool to Remove VMDK File Data Lose IssuesVMware Recovery Software – Powerful Tool to Remove VMDK File Data Lose Issues In today’s digital world, virtualization in IT infrastructure has gained importance and is being used currently by almost all IT industries. Undoubtedly, it can be said that VMware […]
  • How to surf web anonymously without being tracked.How to surf web anonymously without being tracked. The usage of internet has increased drastically with the growth in sales of computers and mobiles recently. India stands third in the number of internet users worldwide followed by United […]
  • Outlook Email Data Extractor Review | Download trial.Outlook Email Data Extractor Review | Download trial. Outlook email data extractor tool helps in exporting Outlook emails to PDF, EML, MSG and contacts to VCF file format in bulk. Application is developed by “PCVITA” using amazing back-end […]
  • Coolmuster Lab.Fone for Android Review: How to Recover Photos from Android PhoneCoolmuster Lab.Fone for Android Review: How to Recover Photos from Android Phone       Android now has been the hottest and widely used operation system over the world and we can see lots of brand mobile phone support this system such as HTC, Samsung, Sony, LG, HUAWEI, […]
  • How to root Samsung Galaxy Grand 2 (SM-G7102) and install CWM.How to root Samsung Galaxy Grand 2 (SM-G7102) and install CWM. This post shows the simplest methods which you can employ to root Samsung Galaxy Grand 2. This method works only on SM-G7102 variant, which is dual SIM version available in India. You all […]
  • BuyVM Review 2023 – Is it worth trying?BuyVM Review 2023 – Is it worth trying? I have used VPS and shared hosting from different providers over the last couple of years. Most of them I have come across through the popular blog. – Lowendbox. I had heard a lot about […]
  • Share on Facebook.
  • Share on Twitter.
  • Share on Google+
  • Share on LinkedIn
  • Pin It!
  • Share on StumbleUpon

Filed Under: Programming Tagged With: java

About Mujtaba

Follow me on Twitter

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts

  • Hosthatch Review 2024 – Shocking Truths Exposed!
  • Samsung Galaxy S23 Ultra battery life – Has it improved?
  • Crocweb review after a decade of hosting!
  • Mevspace review 2023 – Is it good host?
  • Samsung Galaxy S22 Ultra battery life – Is it that bad?

Categories

  • Android
  • Android box
  • Blogging
  • Giveaway
  • How-tos
  • Internet
  • Linux
  • Programming
  • ROMs
  • Rooting
  • Shared hosting
  • Smartphones
  • Speakers
  • Tricks
  • VPS

Amazon Associates Disclosure

Mujtaba is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com

Copyright © 2025 · Metro Pro Theme on Genesis Framework · WordPress · Log in