jeremylong edited this page Apr 24, 2013 · 14 revisions

The purpose of DependencyCheck is to help notify developers and security professionals of the problem discussed by Jeff Williams and Arshan Dabirsiaghi in their talk at AppSec DC 2012 titled "The Unfortunate Reality of Insecure Libraries". The gist of their presentation is that we, as a development community, include third-party libraries in our applications that contain well-known, published vulnerabilities (such as those listed in the National Vulnerability Database).

DependencyCheck is currently a Java command line tool that scans directories and files. If it contains an Analyzer that can scan a particular file type, data about the file is collected, such as the file name and other properties of the file. This information is then used to identify the Common Platform Enumeration (CPE). If a CPE is identified, the associated Common Vulnerability and Exposure (CVE) entries are listed in a report.
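As an added illustration of the evidence-to-CPE-to-CVE flow just described (not DependencyCheck's own code), the Python sketch below collects evidence from jar file names, matches it against a table of CPE identifiers, and reports the CVE entries recorded for the match. The CPE/CVE table, the CVE ids and the file names are constructed placeholders.

```python
import re
from typing import Optional

# Constructed stand-in for the NVD data: CPE identifiers mapped to CVE ids.
# Both the CPEs and the CVE ids are placeholders for illustration only.
SAMPLE_NVD = {
    "cpe:/a:apache:commons_fileupload:1.2.1": ["CVE-PLACEHOLDER-0001"],
    "cpe:/a:apache:struts:2.3.1": ["CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003"],
    "cpe:/a:apache:struts:2.3.15": [],
}

# Analyzer step: a jar name such as "struts-2.3.1.jar" yields product and
# version evidence. Hyphens in the product are normalised to underscores,
# the form CPE product names use.
JAR_NAME = re.compile(r"^(?P<product>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def collect_evidence(filename: str) -> Optional[dict]:
    m = JAR_NAME.match(filename)
    if not m:
        return None  # no analyzer for this file type: nothing collected
    return {"product": m.group("product").lower().replace("-", "_"),
            "version": m.group("version")}


def identify_cpe(evidence: dict, nvd: dict) -> Optional[str]:
    """Match evidence to a known CPE. The vendor is not known from the file
    name, so only the product and version components are compared."""
    for cpe in nvd:
        _, part, _vendor, product, version = cpe.split(":")
        if part == "/a" and product == evidence["product"] and version == evidence["version"]:
            return cpe
    return None


def scan(filenames, nvd=SAMPLE_NVD) -> dict:
    """Report entry per file: identified CPE (or None) and its CVE entries."""
    report = {}
    for name in filenames:
        evidence = collect_evidence(name)
        cpe = identify_cpe(evidence, nvd) if evidence else None
        report[name] = {"cpe": cpe, "cves": list(nvd[cpe]) if cpe else []}
    return report


if __name__ == "__main__":
    # Constructed contents of a 'lib' directory.
    for name, entry in scan(["struts-2.3.1.jar", "commons-fileupload-1.2.1.jar",
                             "mylib-9.9.jar", "README.txt"]).items():
        print(name, entry["cpe"], entry["cves"])
```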

DependencyCheck automatically updates itself using the NVD Data Feeds hosted by NIST.

More information about DependencyCheck can be found here:

To use DependencyCheck you need to download the project from GitHub and compile it using Maven. Once compiled it can be run using the following commands (replacing [version] with the current version):

Display Help:

java -jar DependencyCheck-[version].jar -h

Display Advanced Help (shows how to configure a proxy):

java -jar DependencyCheck-0.2.5.1.jar -ah

Scan a directory called 'lib' in an application called 'Sample' and write the report to the current working directory:

java -jar DependencyCheck-0.2.5.1.jar -scan "/path/to/lib" -app Sample -out .

The above command will produce a file in the current working directory called DependencyCheck-Report.html.

If you have any questions or comments please contact me on the DependencyCheck mailing list:
