Software Alternatives & Reviews

Dependency-Check

Dependency-Check is a utility that identifies project dependencies and checks if there are any...

Dependency-Check Reviews and details

Screenshots and images

  • Screenshot: Dependency-Check landing page (captured 2021-09-13)

Social recommendations and mentions

We have tracked the following product recommendations or mentions on various public social media platforms and blogs. They can help you see what people think about Dependency-Check and what they use it for.
  • SQL Injection Isn't Dead Yet
    To detect these types of vulnerabilities, we should first and foremost know our dependencies and versions, and which of them have vulnerabilities. The OWASP Top 10 2021 identifies this need as A06:2021-Vulnerable and Outdated Components. OWASP has several tools for this, including Dependency Check and Dependency Track. These tools will warn about the use of components with vulnerabilities. - Source: dev.to / 16 days ago
  • Build and Push to GAR and Deploy to GKE - End-to-End CI/CD Pipeline
    You can scan your code repositories using OWASP Dependency-Check within a Harness pipeline. Within the gar-build-and-push stage, click on + Add Step → Add Step before the BuildAndPushGAR step. From the step library, find Owasp under the Security Tests section. - Source: dev.to / 4 months ago
  • How rapidly Spring is changing?
    Build tools, i.e. Maven, can provide information about available updates (i.e. mvn versions:display-dependency-updates); also it may be useful to check your dependencies against known vulnerabilities (i.e. https://owasp.org/www-project-dependency-check/). Source: about 1 year ago
  • Deep dive into Amazon Inspector for AWS Lambda
    In this article we looked at the functionality of Amazon Inspector for AWS Lambda functions and how the scanning functions can be activated. After that we looked into scan results and what information it provides to us to remediate the detected vulnerabilities. Of course there are other tools available in this area like OWASP Dependency-Check or Snyk which are mostly designed to be integrated in CI/CD process.... - Source: dev.to / about 1 year ago
  • Uncomplicating cloud Security — Infrastructure Protection (Part 4)
    Cloud security vulnerabilities are a significant concern and they come in many shapes and sizes. One type of vulnerability that is particularly concerning is code dependency vulnerabilities. These vulnerabilities arise when an application or system relies on a third-party code library or module that contains a security flaw. If this flaw is not discovered and addressed, it can be exploited by attackers to gain... - Source: dev.to / over 1 year ago
  • Implement DevSecOps to Secure your CI/CD pipeline
    OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. We can also publish our SBOM report to Dependency-Track and... - Source: dev.to / over 1 year ago
  • Log4j: The Pain Just Keeps Going and Going
    Put a dependency check in your builds. Raise build errors when something is bad. Have it build on a regular basis (could be every month)... And then fix things. https://owasp.org/www-project-dependency-check/ And some examples - https://jeremylong.github.io/DependencyCheck/dependency-check-maven/. - Source: Hacker News / almost 2 years ago
  • Keeping Up With Vulnerable Third-Party Libraries
    Use a tool like OWASP Dependency-Check to detect high-risk CVEs in your dependencies. Source: almost 2 years ago
  • Keeping Up With Vulnerable Third-Party Libraries
    I use OpenCVE for alerts but it doesn't have everything for full coverage we have whitesource hooked into our CI pipelines. OWASP dependency check is a free alternative: https://owasp.org/www-project-dependency-check/. Source: almost 2 years ago
  • What are some useful static analyzers for Java?
    This one has proved very useful - OWASP dependency checker - downloads the NVD and cross-checks any CVEs to dependencies you use: https://owasp.org/www-project-dependency-check/. Source: over 2 years ago
  • Log4J – A 10 step mitigation plan
    Make sure you know what you are running on your platform. The Software Bill of Materials (SBoM) describes all the various software components on which your system is based. If you keep an active track of your SBoM with tools like OWASP Dependency-Track, it becomes easier to know whether software you are using is vulnerable. Additionally there are great open-source tools, like the OWASP Dependency Checker, Trivy,... - Source: dev.to / over 2 years ago
  • Is there a tool to track CVEs for the software that we use?
    Project site: https://owasp.org/www-project-dependency-check/. Source: over 2 years ago
  • Log4j RCE Found
    When I started working with Scala, it really surprised me how the JVM world deals with dependencies (include an upstream jar directly in the project, as opposed to the Linux distro model where you use your distributor packages so you have security and bug fixes). I'm a big fan of Dependency Check[1]. There are hosted services that can give you security scans, but if you don't have access to that (some have a cost)... - Source: Hacker News / over 2 years ago
  • OWASP Top Ten and Software Composition Analysis (SCA)
    The first option we have studied is the approach used in OWASP Dependency Check. The approach is simple — for each dependency, this utility searches for a corresponding identifier in the CPE (Common Platform Enumeration) database. In fact, the CPE database is a list with information about products, their versions, vendors, and so on. To implement SCA, we must obtain CPE and CVE correspondences. Thus, getting a CVE... - Source: dev.to / over 2 years ago
  • OWASP Top 10 for Developers: Using Components with Known Vulnerabilities
    In order to prevent this issue, your organization needs to implement regular checks of your dependencies against the CVE database for known vulnerabilities, as well as establishing a process for keeping all dependencies up-to-date. Fortunately, much of this can be automated using vulnerability scanning tools, such as the OWASP Dependency Check, RetireJS, or Brakeman. Additional tools, such as WhiteSource's... - Source: dev.to / almost 3 years ago
  • An Incomplete List of Practical Security for Mortals
    Consider using tools such as OWASP Dependency Check, License Plugin or even more complex tools such as Black Duck. - Source: dev.to / almost 3 years ago
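Several of the mentions above (the Harness pipeline walkthrough, the DevSecOps item describing the CPE-to-CVE report, and the Hacker News advice to "raise build errors when something is bad") describe running Dependency-Check in CI and stopping the build on bad findings. The following is an added example, not code from this page or from the Dependency-Check project: a small Python gate that reads the JSON report the tool writes (CLI `--format JSON`, or the Maven plugin's `formats` setting), applies a CVSS threshold with an accepted-CVE allowlist, and exits non-zero when anything blocking remains. The report field names it relies on (`dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) are assumed from the report layout and should be checked against a real dependency-check-report.json; the embedded sample report is constructed, not real scan output.

```python
"""CI gate over an OWASP Dependency-Check JSON report.

Added example, not Dependency-Check project code. Assumption: the report
layout (top-level "dependencies", each with "fileName" and "vulnerabilities",
each vulnerability carrying "name", "severity" and a "cvssv3"/"cvssv2" block)
matches what the tool emits for --format JSON; verify against a real report.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample report (not real scan output). CVE identifiers are real
# published CVEs for those libraries; the structure is what the gate assumes.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "log4j-core-2.14.1.jar",
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2021-44228", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}},
            ],
        },
        {
            "fileName": "guava-29.0-jre.jar",
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2020-8908", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.3, "baseSeverity": "LOW"}},
            ],
        },
        # Clean dependency: the tool omits the "vulnerabilities" key entirely.
        {"fileName": "commons-lang3-3.12.0.jar"},
    ],
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    score: float
    severity: str


def vuln_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unscored)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def findings_from_report(report_json: str) -> list[Finding]:
    """Flatten every (dependency, CVE) pair in the report into Finding records."""
    report = json.loads(report_json)
    out: list[Finding] = []
    for dep in report.get("dependencies", []):
        for v in dep.get("vulnerabilities") or []:
            out.append(Finding(dep.get("fileName", "?"), v.get("name", "?"),
                               vuln_score(v), v.get("severity", "UNKNOWN")))
    return out


def gate(report_json: str, fail_on_cvss: float = 7.0,
         accepted: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the findings that must fail the build: score at or above the
    threshold and CVE not explicitly accepted (risk-accepted / suppressed)."""
    return [f for f in findings_from_report(report_json)
            if f.score >= fail_on_cvss and f.cve not in accepted]


def main(argv: list[str]) -> int:
    # Usage: gate.py [path/to/dependency-check-report.json] [fail_on_cvss]
    report_json = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    blocking = gate(report_json, threshold)
    for f in blocking:
        print(f"BLOCK {f.dependency}: {f.cve} CVSS {f.score} ({f.severity})")
    print(f"{len(blocking)} blocking finding(s) at CVSS >= {threshold}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to exercise the embedded sample (it exits 1 because of the log4j-core finding), or pass the path of a real report and a threshold; wire the exit status into the pipeline step so the job fails. Dependency-Check can enforce the same threshold itself (`--failOnCVSS` on the CLI, `failBuildOnCVSS` in the Maven plugin); a post-processing gate like this is mainly useful when the scan runs in a step that only hands the report forward, or when you need an allowlist with its own review trail.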


Generic Dependency-Check discussion

This is an informative page about Dependency-Check. You can review and discuss the product here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouraged and appreciated as they help everyone in the community to make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.