Check Component Vulnerabilities Using OWASP Dependency-Check

1. Overview

During application development, we typically need to add some third-party libraries or frameworks to our projects. These third-party libraries ease our development effort. However, they may bring possible security risks due to their vulnerabilities.

In this tutorial, we’ll introduce a plugin that can help us identify known vulnerabilities in our application.

2. Dependency-Check

The plugin that we’ll adopt is OWASP Dependency-Check. This plugin is a software component analysis tool that identifies application dependencies that have known vulnerabilities by correlating them with Common Platform Enumeration (CPE) identifiers and Common Vulnerability and Exposure (CVE) entries.

CPE is a structural naming scheme for software or packages, while CVE provides a reference for known vulnerabilities and exposures publicly.

The plugin automatically updates these entries via National Vulnerability Database (NVD) data feeds provided by NIST. In addition to the Maven plugin, it also provides other integration plugins, such as Gradle.

3. Maven Setup

In this tutorial, let’s look into the Maven integration with our application. First, we need to include the Dependency-Check plugin within the plugins section in our pom.xml file:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>11.1.1</version>
    <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Once we’ve included this plugin, we call it by invoking the verify phase, as it’s already integrated into it by default:

$ mvn verify

Or, we can invoke it directly via:

$ mvn dependency-check:check

If there’s any vulnerability in our application, we’ll see a message from Maven indicating which packages contain vulnerabilities from the console. Let’s see an example:

[WARNING] 

One or more dependencies were identified with known vulnerabilities in dependency-check:

logback-core-1.5.6.jar (pkg:maven/ch.qos.logback/[email protected], cpe:2.3:a:qos:logback:1.5.6:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801

In addition, the plugin creates an HTML report that contains the details of the vulnerabilities it found. The file name is dependency-check-report.html and can be found under the build folder:

4. CVSS Score

Let’s jump into the report and dive into the details of a component vulnerability. We can see that each vulnerability is associated with a Common Vulnerability Scoring System (CVSS) score:

CVSS is a standard for measuring the severity of vulnerabilities. The score ranges from 0 to 10, where a higher score indicates a more severe vulnerability.

The Maven plugin has an option called failBuildOnCVSS, which can be configured to fail a build if any components’ CVSS score exceeds the threshold. In our example, we use 7 so that it doesn’t fail the current set of dependencies. A score equal to or greater than 7 is generally considered high severity.

The highest CVSS score that we saw in the previous report is 5.9. Now, let’s update the failBuildOnCVSS option to 5.0 and execute the plugin again. Maven will fail the build this time:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:11.1.1:check (default-cli) on project dependency-check:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '5.0': 
[ERROR]
[ERROR] logback-core-1.5.6.jar: CVE-2024-12798(5.900000095367432)
[ERROR]
[ERROR] See the dependency-check report for more details.

5. Conclusion