To detect these types of vulnerabilities, we should first and foremost know our dependencies and versions, and which of them have vulnerabilities. The OWASP Top 10 2021 identifies this need as A06:2021-Vulnerable and Outdated Components. OWASP has several tools for this, including Dependency Check and Dependency Track. These tools will warn about the use of components with vulnerabilities. - Source: dev.to / 16 days ago
You can scan your code repositories using OWASP Dependency-Check within a Harness pipeline. Within the gar-build-and-push stage, click on + Add Step → Add Step before the BuildAndPushGAR step. From the step library, find Owasp under the Security Tests section. - Source: dev.to / 4 months ago
Build tools, i.e. Maven, can provide information about available updates (i.e. mvn versions:display-dependency-updates); also, it may be useful to check your dependencies against known vulnerabilities (i.e. https://owasp.org/www-project-dependency-check/). Source: about 1 year ago
In this article we looked at the functionality of Amazon Inspector for AWS Lambda functions and how the scanning functions can be activated. After that we looked into scan results and what information it provides to us to remediate the detected vulnerabilities. Of course, there are other tools available in this area like OWASP Dependency-Check or Snyk which are mostly designed to be integrated in CI/CD process.... - Source: dev.to / about 1 year ago
Cloud security vulnerabilities are a significant concern and they come in many shapes and sizes. One type of vulnerability that is particularly concerning is code dependency vulnerabilities. These vulnerabilities arise when an application or system relies on a third-party code library or module that contains a security flaw. If this flaw is not discovered and addressed, it can be exploited by attackers to gain... - Source: dev.to / over 1 year ago
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. We can also publish our SBOM report to Dependency-Track and... - Source: dev.to / over 1 year ago
Put a dependency check in your builds. Raise build errors when something is bad. Have it build on a regular basis (could be every month)... And then fix things. https://owasp.org/www-project-dependency-check/ And some examples - https://jeremylong.github.io/DependencyCheck/dependency-check-maven/. - Source: Hacker News / almost 2 years ago
Use a tool like OWASP Dependency-Check to detect high-risk CVEs in your dependencies. Source: almost 2 years ago
I use OpenCVE for alerts, but it doesn't have everything; for full coverage we have WhiteSource hooked into our CI pipelines. OWASP Dependency-Check is a free alternative: https://owasp.org/www-project-dependency-check/. Source: almost 2 years ago
This one has proved very useful - OWASP dependency checker - downloads the NVD and crosschecks any CVEs to dependencies you use: https://owasp.org/www-project-dependency-check/. Source: over 2 years ago
Make sure you know what you are running on your platform. The Software Bill of Materials (SBoM) describes all the various software components on which your system is based. If you keep an active track of your SBoM with tools like OWASP Dependency-Track, it becomes easier to know whether software you are using is vulnerable. Additionally, there are great open-source tools, like the OWASP Dependency Checker, Trivy,... - Source: dev.to / over 2 years ago
Project site: https://owasp.org/www-project-dependency-check/. Source: over 2 years ago
When I started working with Scala, it really surprised me how the JVM world deals with dependencies (include an upstream jar directly in the project, as opposed to the Linux distro model where you use your distributor packages so you have security and bug fixes). I'm a big fan of Dependency Check[1]. There are hosted services that can give you security scans, but if you don't have access to that (some have a cost)... - Source: Hacker News / over 2 years ago
The first option we have studied is the approach used in OWASP Dependency Check. The approach is simple — for each dependency, this utility searches for a corresponding identifier in the CPE (Common Platform Enumeration) database. In fact, the CPE database is a list with information about products, their versions, vendors, and so on. To implement SCA, we must obtain CPE and CVE correspondences. Thus, getting a CVE... - Source: dev.to / over 2 years ago
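The CPE-to-CVE matching that the two excerpts above (this one and the SCA description earlier on the page) attribute to Dependency-Check, as an added illustration that is not the project's own code: dependency coordinates are mapped to a vendor/product pair by a naming heuristic, compared against NVD-style match criteria with version ranges, and scored against a fail-build CVSS threshold. The CVE ids, the `acme` products and all records are constructed placeholders, not real data.

```python
import re

# Constructed NVD-style records (placeholder ids, not real CVEs); each lists CPE
# match criteria using the version-range fields the NVD feed uses.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "cvss": 9.8,
     "matches": [{"cpe": "cpe:2.3:a:acme:json-util:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "1.0.0",
                  "versionEndExcluding": "1.4.2"}]},
    {"id": "CVE-0000-0002", "cvss": 5.3,
     "matches": [{"cpe": "cpe:2.3:a:acme:json-util:1.5.0:*:*:*:*:*:*:*"}]},
]

DEPENDENCIES = [  # constructed Maven coordinates: (groupId, artifactId, version)
    ("org.acme", "json-util", "1.3.0"),
    ("org.acme", "json-util", "1.4.2"),
    ("org.acme", "json-util", "1.5.0"),
    ("org.other", "json-util", "1.3.0"),  # same artifactId, different vendor
]

def parse_version(v):
    # Numeric-tuple comparison; pre-release suffixes are ignored (simplification).
    return tuple(int(x) for x in re.findall(r"\d+", v))

def cpe_parts(cpe):
    f = cpe.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}

def dependency_to_cpe(group_id, artifact_id):
    # Evidence heuristic in the spirit of Dependency-Check: last groupId segment
    # as vendor, artifactId as product. Mis-identification here is the usual
    # source of false positives, so findings still need human review.
    return group_id.split(".")[-1], artifact_id

def version_in_range(version, m):
    v = parse_version(version)
    exact = cpe_parts(m["cpe"])["version"]
    if exact != "*":
        return v == parse_version(exact)
    if "versionStartIncluding" in m and v < parse_version(m["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= parse_version(m["versionEndExcluding"]):
        return False
    return True

def find_vulnerable(deps, records=CVE_RECORDS):
    """Return {groupId:artifactId:version -> [matching CVE ids]}."""
    findings = {}
    for group_id, artifact_id, version in deps:
        vendor, product = dependency_to_cpe(group_id, artifact_id)
        for rec in records:
            for m in rec["matches"]:
                p = cpe_parts(m["cpe"])
                if (p["vendor"], p["product"]) == (vendor, product) and version_in_range(version, m):
                    findings.setdefault(f"{group_id}:{artifact_id}:{version}", []).append(rec["id"])
    return findings

def max_cvss(findings, records=CVE_RECORDS):
    # Highest score among the findings; compare with a failBuildOnCVSS-style threshold.
    scores = {r["id"]: r["cvss"] for r in records}
    return max((scores[c] for ids in findings.values() for c in ids), default=0.0)
```

Treating `max_cvss(...) >= 7.0` as a build failure mirrors the "raise build errors when something is bad" advice quoted elsewhere on this page.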
In order to prevent this issue, your organization needs to implement regular checks of your dependencies against the CVE database for known vulnerabilities, as well as establishing a process for keeping all dependencies up-to-date. Fortunately, much of this can be automated using vulnerability scanning tools, such as the OWASP Dependency Check, RetireJS, or Brakeman. Additional tools, such as WhiteSource's... - Source: dev.to / almost 3 years ago
Consider using tools such as OWASP Dependency Check, License Plugin or even more complex tools such as Black Duck. - Source: dev.to / almost 3 years ago