When developing software, we often have to use third-party npm packages. For example, if we want to make an HTTP call to an API from our application, we would use the Axios library. Before using a third-party library, however, it is important to check whether any security vulnerabilities have been reported against it. A tool can do that search for you, and OWASP Dependency-Check is one such tool.
Here I will demonstrate how to use the OWASP Dependency-Check command-line tool to analyze external dependencies and generate a report of the known vulnerabilities it detects.
1) First, download the command-line tool from the official OWASP Dependency-Check website.
2) Extract the downloaded archive and go to the dependency-check folder. In its bin directory you will find the executable scripts: dependency-check.bat runs the tool on Windows and dependency-check.sh runs it on Linux.
3) Open a terminal in that directory and run the following command.
./dependency-check.sh --project "<project_name>" --scan <folder containing 3rd party libraries> --out <folder to generate reports> --suppression <xml file containing suppressions>
--project: A name for the project; it appears in the report. (optional)
--scan: Path of the folder (or file) that contains the third-party dependencies. (required)
--out: Path of the folder where the vulnerability analysis reports should be generated. (optional)
--suppression: An XML suppression file listing findings that should be hidden from the report, typically confirmed false positives. (optional)
OWASP Dependency-Check includes an analyzer that scans Node Package Manager (npm) package specification files; it works together with the Node Audit Analyzer to create a bill of materials for a Node.js project.
File types scanned: the npm package specification files. For example, the command below scans a project's package-lock.json.
./dependency-check.sh --project demo_app --scan ~/react_learning/demo_app/package-lock.json --out ~/react_learning/demo_app/
When you run OWASP Dependency-Check for the very first time, it downloads the known vulnerabilities from the National Vulnerability Database (NVD) and keeps this information in a local database. The first run therefore takes some time, because all of the vulnerability information has to be downloaded.
By default the local database is synchronized with the NVD every 4 hours. If you have run Dependency-Check within the last 4 hours, it simply uses the data in the local database without trying to update it from the NVD.
Here I have a React app in the directory /home/user/react_learning/demo_app and generated the report in the same directory.
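To act on the report in a build pipeline rather than reading it by hand, the JSON output (`--format JSON`) can be parsed and the build failed when any unsuppressed finding meets a CVSS threshold. The script below is an added example and is not part of the original post or of Dependency-Check itself; the embedded report is a constructed sample that follows the layout of the tool's JSON report as assumed here (`dependencies[].vulnerabilities[]` with `name`, `severity` and `cvssv3.baseScore` or `cvssv2.score`, with suppressed findings under `suppressedVulnerabilities`), and the package names and CVE identifiers in it are placeholders.

```python
import json
import sys

# Constructed sample in the assumed layout of a Dependency-Check JSON report (--format JSON).
# Package names and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "alpha-lib:1.0.0", "packages": [{"id": "pkg:npm/alpha-lib@1.0.0"}],
     "vulnerabilities": [
         {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.4}},
         {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
    {"fileName": "beta-lib:2.3.1", "packages": [{"id": "pkg:npm/beta-lib@2.3.1"}],
     # Findings hidden via --suppression are listed here, not under "vulnerabilities".
     "suppressedVulnerabilities": [
         {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "react:18.2.0", "packages": [{"id": "pkg:npm/react@18.2.0"}]},
]})

def score_of(vuln):
    """CVSS base score of one finding: v3 when present, else v2, else 0."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"].get("baseScore", 0.0))
    return float(vuln.get("cvssv2", {}).get("score", 0.0))

def findings_at_or_above(report_text, threshold):
    """Unsuppressed findings with CVSS >= threshold, highest score first."""
    hits = []
    for dep in json.loads(report_text).get("dependencies", []):
        pkgs = dep.get("packages") or [{"id": dep.get("fileName", "?")}]
        for vuln in dep.get("vulnerabilities", []):  # suppressed list is ignored
            score = score_of(vuln)
            if score >= threshold:
                hits.append({"package": pkgs[0]["id"], "cve": vuln["name"],
                             "severity": vuln.get("severity", "?"), "score": score})
    return sorted(hits, key=lambda h: -h["score"])

def gate(report_text, threshold=7.0):
    """CI exit status: 0 when no unsuppressed finding meets the threshold, else 1."""
    hits = findings_at_or_above(report_text, threshold)
    for h in hits:
        print(f"{h['package']}: {h['cve']} CVSS {h['score']} ({h['severity']})")
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: python gate_report.py <dependency-check-report.json> [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, float(sys.argv[2]) if len(sys.argv) > 2 else 7.0))
```

Run with no arguments it evaluates the embedded sample; in a pipeline, point it at the dependency-check-report.json written to the --out folder.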