
Architecture

Seth Jackson edited this page May 9, 2017 · 5 revisions

Dependency-check is made up of four main components:

  • Engine: this is the main controller that runs the other components listed below in the correct order.
  • Scanner: this walks the files and directories specified by the "-scan" command line parameter and collects any file for which we have an Analyzer that can process it. These files are the base of a Dependency object.
  • Analyzer: the core functionality of the application - analyzers process the dependencies, adding information to the Dependency object where they can. The information added can be Evidence, Identifiers, or Vulnerabilities (discussed below).
  • Report Generator: generates reports about the dependencies identified by the Analyzers - reports are generated using Velocity Templates.

Analysis happens in seven phases (defined in org.owasp.dependencycheck.analyzer.AnalysisPhase).

  • INITIAL - the initial analysis phase.
  • INFORMATION_COLLECTION - the main phase where an Analyzer populates the Evidence Collections within the Dependency.
  • PRE_IDENTIFIER_ANALYSIS - after all information has been collected, we may need to make changes.
  • IDENTIFIER_ANALYSIS - this is when the dependencies are "identified" - currently only CPE identifiers are found (a CPE for Struts 2.1.2 would be: cpe:/a:apache:struts:2.1.2).
  • POST_IDENTIFIER_ANALYSIS - runs after identifiers have been determined. One example is the FalsePositiveAnalyzer which removes CPE entries for the JRE/JDK from libraries that are not the run time jar.
  • PRE_FINDING_ANALYSIS - Analyzers in this phase may make changes to the identifiers collected. One example is the DependencyBundlingAnalyzer. This analyzer takes related dependencies (think spring-beans, spring-web, spring-core, spring-xxxx) and attempts to group them into only a single core dependency that lists the other components.
  • FINDING_ANALYSIS - Analyzers in this phase use the information collected in previous phases to determine if there are any publicly disclosed vulnerabilities. Currently, we are only using the NVD CVE data.
  • POST_FINDING_ANALYSIS - Analyzers in this phase run after vulnerabilities have been identified. This may be used to perform additional clean-up of the vulnerability information.
  • FINAL - the last phase of analysis.
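The four components and the phase ordering above, as an added Python model. This is example code written for this page, not Dependency-Check's own Java classes: the Scanner, Engine, Analyzer and report are reduced to their control flow, the analyzers are registered out of order to show that the Engine still runs them INITIAL to FINAL, and the CPE index, the CVE table (with placeholder CVE ids) and the jar file names are all constructed for the example.

```python
"""Toy model of the Dependency-Check pipeline (added example, not project code):
a Scanner collects files, the Engine runs Analyzers strictly in AnalysisPhase order,
and a report lists what the phases contributed. All data here is constructed."""
import re
from dataclasses import dataclass, field
from enum import Enum

# Same nine phases, in the same order, as org.owasp.dependencycheck.analyzer.AnalysisPhase.
AnalysisPhase = Enum("AnalysisPhase", [
    "INITIAL", "INFORMATION_COLLECTION", "PRE_IDENTIFIER_ANALYSIS", "IDENTIFIER_ANALYSIS",
    "POST_IDENTIFIER_ANALYSIS", "PRE_FINDING_ANALYSIS", "FINDING_ANALYSIS",
    "POST_FINDING_ANALYSIS", "FINAL"])

@dataclass(eq=False)  # identity equality: a Dependency is the one object the Engine tracks
class Dependency:
    file_name: str
    evidence: dict = field(default_factory=dict)       # kind -> set of values ("product", "version")
    identifiers: set = field(default_factory=set)      # CPE strings
    vulnerabilities: set = field(default_factory=set)  # CVE ids
    related: list = field(default_factory=list)        # dependencies bundled into this one
    def add_evidence(self, kind, value):
        self.evidence.setdefault(kind, set()).add(value)

class Analyzer:
    phase = AnalysisPhase.INITIAL
    def supports(self, file_name):        # the Scanner asks this before creating a Dependency
        return file_name.endswith(".jar")
    def analyze(self, dep, engine):
        pass

class FileNameAnalyzer(Analyzer):
    """INFORMATION_COLLECTION: read product/version evidence out of 'artifact-1.2.3.jar'."""
    phase = AnalysisPhase.INFORMATION_COLLECTION
    NAME_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")
    def analyze(self, dep, engine):
        m = self.NAME_RE.match(dep.file_name)
        if m:
            dep.add_evidence("product", m.group("product"))
            dep.add_evidence("version", m.group("version"))
        else:
            dep.add_evidence("product", dep.file_name[:-4])

# Constructed stand-in for the CPE product index: product evidence -> "vendor:product".
CPE_INDEX = {"spring-core": "pivotal:spring_framework", "spring-beans": "pivotal:spring_framework",
             "spring-web": "pivotal:spring_framework", "struts2-core": "apache:struts",
             "tools": "oracle:jdk"}

class CpeAnalyzer(Analyzer):
    """IDENTIFIER_ANALYSIS: combine product and version evidence into cpe:/a:vendor:product:version."""
    phase = AnalysisPhase.IDENTIFIER_ANALYSIS
    def analyze(self, dep, engine):
        for product in dep.evidence.get("product", ()):
            if product in CPE_INDEX:
                for version in dep.evidence.get("version", {"-"}):
                    dep.identifiers.add(f"cpe:/a:{CPE_INDEX[product]}:{version}")

class FalsePositiveAnalyzer(Analyzer):
    """POST_IDENTIFIER_ANALYSIS: a JRE/JDK CPE only belongs on the runtime jar itself."""
    phase = AnalysisPhase.POST_IDENTIFIER_ANALYSIS
    def analyze(self, dep, engine):
        if dep.file_name != "rt.jar":
            dep.identifiers = {c for c in dep.identifiers
                               if not c.startswith(("cpe:/a:oracle:jre:", "cpe:/a:oracle:jdk:"))}

class DependencyBundlingAnalyzer(Analyzer):
    """PRE_FINDING_ANALYSIS: fold dependencies with identical identifiers (spring-*) into one core entry."""
    phase = AnalysisPhase.PRE_FINDING_ANALYSIS
    def analyze(self, dep, engine):
        for other in list(engine.dependencies):
            if other is not dep and other.identifiers and other.identifiers == dep.identifiers:
                dep.related.append(other)
                engine.dependencies.remove(other)

CVE_TABLE = {"cpe:/a:apache:struts:2.1.2": {"CVE-EXAMPLE-0001"}}  # constructed stand-in for NVD data

class NvdCveAnalyzer(Analyzer):
    """FINDING_ANALYSIS: look every identifier up in the (here constructed) CVE data."""
    phase = AnalysisPhase.FINDING_ANALYSIS
    def analyze(self, dep, engine):
        for cpe in dep.identifiers:
            dep.vulnerabilities |= CVE_TABLE.get(cpe, set())

class Engine:
    def __init__(self, analyzers):
        self.analyzers = sorted(analyzers, key=lambda a: a.phase.value)  # registration order is irrelevant
        self.dependencies = []
    def scan(self, paths):
        """Scanner: keep only the files some Analyzer can process."""
        self.dependencies = [Dependency(p) for p in paths if any(a.supports(p) for a in self.analyzers)]
    def analyze(self):
        for analyzer in self.analyzers:          # strictly phase by phase
            for dep in list(self.dependencies):
                if dep in self.dependencies:     # may have been bundled away earlier in this phase
                    analyzer.analyze(dep, self)
    def report(self):
        """Report Generator (plain text here; the real tool renders Velocity templates)."""
        return [f"{d.file_name}: ids={sorted(d.identifiers)} cves={sorted(d.vulnerabilities)} "
                f"bundles={[r.file_name for r in d.related]}" for d in self.dependencies]

SAMPLE_FILES = ["spring-core-4.3.1.jar", "spring-beans-4.3.1.jar", "spring-web-4.3.1.jar",
                "struts2-core-2.1.2.jar", "tools-8.0.jar", "README.txt"]  # constructed scan input

def run(paths):
    # Registered in the wrong order on purpose: the Engine still runs them INITIAL -> FINAL.
    engine = Engine([NvdCveAnalyzer(), DependencyBundlingAnalyzer(), FalsePositiveAnalyzer(),
                     CpeAnalyzer(), FileNameAnalyzer()])
    engine.scan(paths)
    engine.analyze()
    return engine

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_FILES).report()))
```

Running it shows the three spring jars collapsed into one core entry, the Struts jar carrying its placeholder CVE, and the JDK CPE stripped from tools-8.0.jar by the false-positive step. The point to take from the model is that each analyzer only sees the state left by earlier phases, so a bundling or false-positive analyzer placed in the wrong phase would silently see no identifiers to act on.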