Appearance
OWASP Dependency-Check Cheat Sheet
Overview
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency, and if found, it will generate a report linking to the associated Common Vulnerability and Exposure (CVE) entries. Dependency-Check supports Java, .NET, JavaScript, Python, Ruby, PHP, and many other ecosystems, making it an essential tool for identifying known vulnerabilities in third-party components and libraries used in software projects.
⚠️ Important: Dependency-Check identifies known vulnerabilities but cannot detect zero-day vulnerabilities or custom code vulnerabilities. It should be used as part of a comprehensive security testing strategy alongside static analysis, dynamic testing, and manual code review.
Installation
Command Line Installation
Java/JAR Installation
bash
# Download latest release
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.3/dependency-check-8.4.3-release.zip
# Extract
unzip dependency-check-8.4.3-release.zip
# Add to PATH
export PATH=$PATH:$(pwd)/dependency-check/bin
# Verify installation
dependency-check.sh --version
# Create permanent alias
echo 'export PATH=$PATH:/path/to/dependency-check/bin' >> ~/.bashrc
source ~/.bashrcDocker Installation
bash
# Pull official Docker image
docker pull owasp/dependency-check
# Run basic scan
docker run --rm -v $(pwd):/src owasp/dependency-check --scan /src --format ALL
# Create alias for easier usage
echo 'alias dependency-check="docker run --rm -v \$(pwd):/src owasp/dependency-check"' >> ~/.bashrc
source ~/.bashrc
# Run with custom output directory
docker run --rm -v $(pwd):/src -v $(pwd)/reports:/reports owasp/dependency-check --scan /src --out /reportsPackage Manager Installation
Ubuntu/Debian
bash
# Install via snap
sudo snap install dependency-check
# Verify installation
dependency-check --version
# Alternative: Install via apt (if available)
sudo apt update
sudo apt install dependency-checkmacOS
bash
# Install via Homebrew
brew install dependency-check
# Verify installation
dependency-check --version
# Update to latest version
brew upgrade dependency-checkWindows
bash
# Download Windows release
# https://github.com/jeremylong/DependencyCheck/releases
# Extract to desired location
# Add bin directory to PATH environment variable
# Verify installation
dependency-check.bat --versionBuild Tool Integration
Maven Plugin
xml
<!-- Add to pom.xml -->
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.3</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<format>ALL</format>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>Gradle Plugin
gradle
// Add to build.gradle
plugins {
id 'org.owasp.dependencycheck' version '8.4.3'
}
dependencyCheck {
failBuildOnCVSS = 7
format = 'ALL'
suppressionFile = 'dependency-check-suppressions.xml'
}
// Run scan
// ./gradlew dependencyCheckAnalyzeSBT Plugin
scala
// Add to project/plugins.sbt
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "4.1.0")
// Add to build.sbt
dependencyCheckFailBuildOnCVSS := Some(7.0f)
dependencyCheckFormat := "ALL"Ant Task
xml
<!-- Add to build.xml -->
<taskdef resource="dependency-check-ant-task.properties">
<classpath>
<pathelement location="dependency-check-ant-8.4.3.jar"/>
</classpath>
</taskdef>
<target name="dependency-check">
<dependency-check projectname="MyProject"
reportoutputdirectory="reports"
reportformat="ALL">
<fileset dir="lib">
<include name="**/*.jar"/>
</fileset>
</dependency-check>
</target>Basic Usage
Simple Scans
bash
# Basic project scan
dependency-check --scan ./src --out ./reports
# Scan with project name
dependency-check --scan ./src --project "MyProject" --out ./reports
# Scan multiple directories
dependency-check --scan ./src --scan ./lib --scan ./vendor --out ./reports
# Scan with specific formats
dependency-check --scan ./src --format HTML --format JSON --format XML --out ./reports
# Scan with all formats
dependency-check --scan ./src --format ALL --out ./reportsAdvanced Scanning Options
bash
# Scan with CVSS threshold
dependency-check --scan ./src --failOnCVSS 7 --out ./reports
# Scan with custom database location
dependency-check --scan ./src --data ./dependency-check-data --out ./reports
# Scan with suppression file
dependency-check --scan ./src --suppression suppressions.xml --out ./reports
# Scan with custom NVD API key
dependency-check --scan ./src --nvdApiKey YOUR_API_KEY --out ./reports
# Verbose output
dependency-check --scan ./src --out ./reports -v
# Debug output
dependency-check --scan ./src --out ./reports -dLanguage-Specific Scans
bash
# Java/Maven project
dependency-check --scan ./pom.xml --out ./reports
# Node.js project
dependency-check --scan ./package.json --scan ./package-lock.json --out ./reports
# Python project
dependency-check --scan ./requirements.txt --scan ./Pipfile.lock --out ./reports
# .NET project
dependency-check --scan ./*.csproj --scan ./packages.config --out ./reports
# Ruby project
dependency-check --scan ./Gemfile.lock --out ./reports
# PHP project
dependency-check --scan ./composer.lock --out ./reports
# Go project
dependency-check --scan ./go.mod --scan ./go.sum --out ./reportsConfiguration and Customization
Configuration File
bash
# Create configuration file
cat > dependency-check.properties << 'EOF'
# Database settings
data.directory=/opt/dependency-check-data
database.driver.name=org.h2.Driver
database.driver.path=/opt/dependency-check/h2-2.1.214.jar
# NVD settings
nvd.api.key=YOUR_NVD_API_KEY
nvd.api.delay=4000
# Analyzer settings
analyzer.jar.enabled=true
analyzer.node.js.enabled=true
analyzer.python.enabled=true
analyzer.ruby.enabled=true
analyzer.php.enabled=true
analyzer.dotnet.enabled=true
# Report settings
format=ALL
failOnCVSS=7
# Suppression settings
suppression.file=suppressions.xml
EOF
# Use configuration file
dependency-check --propertyfile dependency-check.properties --scan ./src --out ./reportsSuppression File
xml
<!-- Create suppressions.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Suppress specific CVE for a file -->
<suppress>
<notes>False positive - this vulnerability doesn't apply to our usage</notes>
<filePath regex="true">.*jquery-3\.2\.1\.min\.js</filePath>
<cve>CVE-2019-11358</cve>
</suppress>
<!-- Suppress all CVEs for a specific library -->
<suppress>
<notes>Legacy library - vulnerabilities accepted as risk</notes>
<filePath regex="true">.*legacy-lib-1\.0\.jar</filePath>
</suppress>
<!-- Suppress by CPE -->
<suppress>
<notes>Not applicable to our environment</notes>
<cpe>cpe:/a:apache:struts:2.3.20</cpe>
<cve>CVE-2014-0094</cve>
</suppress>
<!-- Suppress by CVSS score -->
<suppress until="2024-12-31">
<notes>Temporary suppression - fix scheduled</notes>
<filePath regex="true">.*vulnerable-component.*</filePath>
<cvssBelow>4.0</cvssBelow>
</suppress>
<!-- Suppress by vulnerability type -->
<suppress>
<notes>XSS not applicable in server-side context</notes>
<filePath regex="true">.*server-side-lib.*</filePath>
<vulnerabilityName regex="true">.*Cross-site Scripting.*</vulnerabilityName>
</suppress>
</suppressions>Custom Analyzers
bash
# Enable/disable specific analyzers
dependency-check --scan ./src \
--enableRetired \
--enableExperimental \
--disableAssembly \
--disableAutoconf \
--out ./reports
# Configure analyzer-specific settings
dependency-check --scan ./src \
--nodePackage ./package.json \
--nodeAuditSkipDevDependencies \
--bundleAuditPath /usr/local/bin/bundle-audit \
--out ./reportsAutomation Scripts
Comprehensive Project Scanner
bash
#!/bin/bash
# Comprehensive dependency vulnerability scanner
PROJECT_DIR="$1"
OUTPUT_DIR="dependency_scan_$(date +%Y%m%d_%H%M%S)"
CVSS_THRESHOLD=7.0
SUPPRESSION_FILE="suppressions.xml"
if [ -z "$PROJECT_DIR" ]; then
echo "Usage: $0 <project_directory>"
echo "Example: $0 /path/to/project"
exit 1
fi
if [ ! -d "$PROJECT_DIR" ]; then
echo "Error: Project directory not found: $PROJECT_DIR"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Function to detect project type
detect_project_type() {
local project_dir="$1"
local project_types=()
# Java/Maven
if [ -f "$project_dir/pom.xml" ]; then
project_types+=("maven")
fi
# Java/Gradle
if [ -f "$project_dir/build.gradle" ] || [ -f "$project_dir/build.gradle.kts" ]; then
project_types+=("gradle")
fi
# Node.js
if [ -f "$project_dir/package.json" ]; then
project_types+=("nodejs")
fi
# Python
if [ -f "$project_dir/requirements.txt" ] || [ -f "$project_dir/Pipfile" ] || [ -f "$project_dir/setup.py" ]; then
project_types+=("python")
fi
# .NET
if find "$project_dir" -name "*.csproj" -o -name "*.vbproj" -o -name "*.fsproj" | grep -q .; then
project_types+=("dotnet")
fi
# Ruby
if [ -f "$project_dir/Gemfile" ]; then
project_types+=("ruby")
fi
# PHP
if [ -f "$project_dir/composer.json" ]; then
project_types+=("php")
fi
# Go
if [ -f "$project_dir/go.mod" ]; then
project_types+=("go")
fi
echo "${project_types[@]}"
}
# Function to run dependency check
run_dependency_check() {
local scan_dir="$1"
local project_name="$2"
local output_dir="$3"
echo "[+] Running dependency check for $project_name"
local cmd="dependency-check"
local args=(
"--scan" "$scan_dir"
"--project" "$project_name"
"--out" "$output_dir"
"--format" "ALL"
"--failOnCVSS" "$CVSS_THRESHOLD"
"--enableRetired"
"--enableExperimental"
)
# Add suppression file if it exists
if [ -f "$SUPPRESSION_FILE" ]; then
args+=("--suppression" "$SUPPRESSION_FILE")
fi
# Add NVD API key if available
if [ -n "$NVD_API_KEY" ]; then
args+=("--nvdApiKey" "$NVD_API_KEY")
fi
# Run the scan
"$cmd" "${args[@]}" 2>&1 | tee "$output_dir/scan.log"
return ${PIPESTATUS[0]}
}
# Function to analyze results
analyze_results() {
local output_dir="$1"
local project_name="$2"
echo "[+] Analyzing scan results"
local json_report="$output_dir/dependency-check-report.json"
local analysis_file="$output_dir/vulnerability_analysis.txt"
if [ ! -f "$json_report" ]; then
echo "[-] JSON report not found: $json_report"
return 1
fi
# Extract vulnerability statistics
cat > "$analysis_file" << EOF
Dependency Vulnerability Analysis
================================
Project: $project_name
Scan Date: $(date)
Output Directory: $output_dir
Vulnerability Summary:
EOF
# Parse JSON report for statistics
if command -v jq &> /dev/null; then
echo " [+] Parsing JSON report with jq"
local total_deps=$(jq '.dependencies | length' "$json_report" 2>/dev/null || echo 0)
local vulnerable_deps=$(jq '[.dependencies[] | select(.vulnerabilities | length > 0)] | length' "$json_report" 2>/dev/null || echo 0)
local total_vulns=$(jq '[.dependencies[].vulnerabilities[]] | length' "$json_report" 2>/dev/null || echo 0)
cat >> "$analysis_file" << EOF
- Total Dependencies: $total_deps
- Vulnerable Dependencies: $vulnerable_deps
- Total Vulnerabilities: $total_vulns
Vulnerability Breakdown by Severity:
EOF
# Count vulnerabilities by severity
jq -r '.dependencies[].vulnerabilities[] | .severity' "$json_report" 2>/dev/null | sort | uniq -c | while read count severity; do
echo "- $severity: $count" >> "$analysis_file"
done
# High severity vulnerabilities
echo "" >> "$analysis_file"
echo "High Severity Vulnerabilities:" >> "$analysis_file"
jq -r '.dependencies[] | select(.vulnerabilities[] | .severity == "HIGH") | .fileName + " - " + (.vulnerabilities[] | select(.severity == "HIGH") | .name)' "$json_report" 2>/dev/null >> "$analysis_file"
# Critical severity vulnerabilities
echo "" >> "$analysis_file"
echo "Critical Severity Vulnerabilities:" >> "$analysis_file"
jq -r '.dependencies[] | select(.vulnerabilities[] | .severity == "CRITICAL") | .fileName + " - " + (.vulnerabilities[] | select(.severity == "CRITICAL") | .name)' "$json_report" 2>/dev/null >> "$analysis_file"
else
echo " [!] jq not available, using basic analysis"
# Basic grep-based analysis
grep -o '"severity":"[^"]*"' "$json_report" | cut -d'"' -f4 | sort | uniq -c >> "$analysis_file"
fi
echo " [+] Analysis completed: $analysis_file"
}
# Function to generate remediation report
generate_remediation_report() {
local output_dir="$1"
local project_name="$2"
echo "[+] Generating remediation report"
local json_report="$output_dir/dependency-check-report.json"
local remediation_file="$output_dir/remediation_report.txt"
if [ ! -f "$json_report" ]; then
echo "[-] JSON report not found for remediation analysis"
return 1
fi
cat > "$remediation_file" << EOF
Dependency Vulnerability Remediation Report
==========================================
Project: $project_name
Generated: $(date)
Recommended Actions:
EOF
if command -v jq &> /dev/null; then
# Extract vulnerable dependencies with remediation info
jq -r '.dependencies[] | select(.vulnerabilities | length > 0) |
"Dependency: " + .fileName +
"\nVulnerabilities: " + (.vulnerabilities | length | tostring) +
"\nHighest Severity: " + ([.vulnerabilities[].severity] | max) +
"\nRecommendation: Update to latest version or find alternative\n---"' "$json_report" >> "$remediation_file"
fi
cat >> "$remediation_file" << EOF
General Remediation Steps:
1. Update vulnerable dependencies to latest versions
2. Check for security patches from vendors
3. Consider alternative libraries if updates unavailable
4. Implement additional security controls if updates not possible
5. Add suppressions for false positives with proper justification
Next Steps:
1. Review each vulnerable dependency
2. Check for available updates
3. Test updates in development environment
4. Plan deployment of security updates
5. Monitor for new vulnerabilities
EOF
echo " [+] Remediation report generated: $remediation_file"
}
# Function to create HTML dashboard
create_dashboard() {
local output_dir="$1"
local project_name="$2"
local project_types="$3"
echo "[+] Creating vulnerability dashboard"
local dashboard_file="$output_dir/vulnerability_dashboard.html"
local json_report="$output_dir/dependency-check-report.json"
cat > "$dashboard_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Dependency Vulnerability Dashboard - $project_name</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.critical { background-color: #ffebee; border-color: #f44336; }
.high { background-color: #fff3e0; border-color: #ff9800; }
.medium { background-color: #fff8e1; border-color: #ffc107; }
.low { background-color: #f3e5f5; border-color: #9c27b0; }
.info { background-color: #e3f2fd; border-color: #2196f3; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
.severity-critical { color: #d32f2f; font-weight: bold; }
.severity-high { color: #f57c00; font-weight: bold; }
.severity-medium { color: #fbc02d; font-weight: bold; }
.severity-low { color: #7b1fa2; }
.chart { margin: 20px 0; text-align: center; }
</style>
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head>
<body>
<div class="header">
<h1>🔍 Dependency Vulnerability Dashboard</h1>
<p><strong>Project:</strong> $project_name</p>
<p><strong>Project Types:</strong> $project_types</p>
<p><strong>Scan Date:</strong> $(date)</p>
<p><strong>CVSS Threshold:</strong> $CVSS_THRESHOLD</p>
</div>
EOF
# Add vulnerability summary if JSON report exists
if [ -f "$json_report" ] && command -v jq &> /dev/null; then
local total_deps=$(jq '.dependencies | length' "$json_report" 2>/dev/null || echo 0)
local vulnerable_deps=$(jq '[.dependencies[] | select(.vulnerabilities | length > 0)] | length' "$json_report" 2>/dev/null || echo 0)
local total_vulns=$(jq '[.dependencies[].vulnerabilities[]] | length' "$json_report" 2>/dev/null || echo 0)
cat >> "$dashboard_file" << EOF
<div class="section info">
<h2>📊 Vulnerability Summary</h2>
<table>
<tr><th>Metric</th><th>Count</th><th>Percentage</th></tr>
<tr><td>Total Dependencies</td><td>$total_deps</td><td>100%</td></tr>
<tr><td>Vulnerable Dependencies</td><td>$vulnerable_deps</td><td>$(echo "scale=1; $vulnerable_deps * 100 / $total_deps" | bc -l 2>/dev/null || echo "N/A")%</td></tr>
<tr><td>Total Vulnerabilities</td><td>$total_vulns</td><td>-</td></tr>
</table>
</div>
<div class="section">
<h2>📈 Vulnerability Distribution</h2>
<div class="chart">
<canvas id="severityChart" width="400" height="200"></canvas>
</div>
</div>
EOF
# Add severity breakdown
cat >> "$dashboard_file" << EOF
<div class="section">
<h2>🎯 Vulnerabilities by Severity</h2>
<table>
<tr><th>Severity</th><th>Count</th><th>Action Required</th></tr>
EOF
# Count vulnerabilities by severity
for severity in CRITICAL HIGH MEDIUM LOW; do
local count=$(jq "[.dependencies[].vulnerabilities[] | select(.severity == \"$severity\")] | length" "$json_report" 2>/dev/null || echo 0)
local css_class="severity-$(echo $severity | tr '[:upper:]' '[:lower:]')"
local action=""
case $severity in
CRITICAL) action="Immediate action required" ;;
HIGH) action="Fix within 24-48 hours" ;;
MEDIUM) action="Fix within 1 week" ;;
LOW) action="Fix in next release cycle" ;;
esac
cat >> "$dashboard_file" << EOF
<tr><td class="$css_class">$severity</td><td>$count</td><td>$action</td></tr>
EOF
done
cat >> "$dashboard_file" << EOF
</table>
</div>
EOF
fi
# Add file links
cat >> "$dashboard_file" << EOF
<div class="section">
<h2>📁 Generated Reports</h2>
<ul>
<li><a href="dependency-check-report.html">HTML Report</a></li>
<li><a href="dependency-check-report.json">JSON Report</a></li>
<li><a href="dependency-check-report.xml">XML Report</a></li>
<li><a href="vulnerability_analysis.txt">Vulnerability Analysis</a></li>
<li><a href="remediation_report.txt">Remediation Report</a></li>
</ul>
</div>
<div class="section">
<h2>🔧 Recommended Actions</h2>
<ol>
<li><strong>Review Critical and High Severity Vulnerabilities:</strong> Address these immediately</li>
<li><strong>Update Dependencies:</strong> Check for available updates for vulnerable components</li>
<li><strong>Assess Risk:</strong> Evaluate the actual risk based on your application's usage</li>
<li><strong>Implement Mitigations:</strong> Apply security controls if updates are not available</li>
<li><strong>Monitor Continuously:</strong> Set up regular scans to catch new vulnerabilities</li>
</ol>
</div>
<script>
// Create severity distribution chart
const ctx = document.getElementById('severityChart').getContext('2d');
// This would be populated with actual data from the JSON report
const severityData = {
labels: ['Critical', 'High', 'Medium', 'Low'],
datasets: [{
label: 'Vulnerabilities by Severity',
data: [0, 0, 0, 0], // Placeholder data
backgroundColor: [
'rgba(211, 47, 47, 0.8)',
'rgba(245, 124, 0, 0.8)',
'rgba(251, 192, 45, 0.8)',
'rgba(123, 31, 162, 0.8)'
],
borderColor: [
'rgba(211, 47, 47, 1)',
'rgba(245, 124, 0, 1)',
'rgba(251, 192, 45, 1)',
'rgba(123, 31, 162, 1)'
],
borderWidth: 1
}]
};
const chart = new Chart(ctx, {
type: 'doughnut',
data: severityData,
options: {
responsive: true,
plugins: {
title: {
display: true,
text: 'Vulnerability Distribution by Severity'
},
legend: {
position: 'bottom'
}
}
}
});
</script>
</body>
</html>
EOF
echo " [+] Vulnerability dashboard created: $dashboard_file"
}
# Function to setup continuous monitoring
setup_monitoring() {
local project_dir="$1"
local project_name="$2"
echo "[+] Setting up continuous monitoring"
local monitor_script="$OUTPUT_DIR/monitor_dependencies.sh"
cat > "$monitor_script" << EOF
#!/bin/bash
# Continuous dependency monitoring script
PROJECT_DIR="$project_dir"
PROJECT_NAME="$project_name"
MONITOR_DIR="\$(dirname "\$0")/monitoring"
ALERT_EMAIL="security@company.com"
mkdir -p "\$MONITOR_DIR"
# Run dependency check
dependency-check --scan "\$PROJECT_DIR" \\
--project "\$PROJECT_NAME" \\
--out "\$MONITOR_DIR" \\
--format JSON \\
--failOnCVSS $CVSS_THRESHOLD
# Check for new vulnerabilities
if [ -f "\$MONITOR_DIR/dependency-check-report.json" ]; then
VULN_COUNT=\$(jq '[.dependencies[].vulnerabilities[]] | length' "\$MONITOR_DIR/dependency-check-report.json" 2>/dev/null || echo 0)
if [ "\$VULN_COUNT" -gt 0 ]; then
echo "[\$(date)] \$VULN_COUNT vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"
# Send alert email (if mail is configured)
if command -v mail &> /dev/null && [ -n "\$ALERT_EMAIL" ]; then
echo "Dependency vulnerabilities detected in \$PROJECT_NAME. Check \$MONITOR_DIR for details." | \\
mail -s "Dependency Alert: \$PROJECT_NAME" "\$ALERT_EMAIL"
fi
else
echo "[\$(date)] No vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"
fi
fi
EOF
chmod +x "$monitor_script"
# Create cron job suggestion
cat > "$OUTPUT_DIR/cron_setup.txt" << EOF
To set up continuous monitoring, add this line to your crontab:
# Run dependency check daily at 2 AM
0 2 * * * $monitor_script
To edit crontab:
crontab -e
To view current crontab:
crontab -l
EOF
echo " [+] Monitoring script created: $monitor_script"
echo " [+] Cron setup instructions: $OUTPUT_DIR/cron_setup.txt"
}
# Main execution
echo "[+] Starting comprehensive dependency vulnerability scan"
echo "[+] Project directory: $PROJECT_DIR"
echo "[+] Output directory: $OUTPUT_DIR"
echo "[+] CVSS threshold: $CVSS_THRESHOLD"
# Check if dependency-check is available
if ! command -v dependency-check &> /dev/null; then
echo "[-] dependency-check not found. Please install OWASP Dependency-Check."
exit 1
fi
# Detect project types
PROJECT_TYPES=$(detect_project_type "$PROJECT_DIR")
if [ -z "$PROJECT_TYPES" ]; then
echo "[!] No recognized project types found, scanning all files"
PROJECT_TYPES="generic"
else
echo "[+] Detected project types: $PROJECT_TYPES"
fi
# Extract project name from directory
PROJECT_NAME=$(basename "$PROJECT_DIR")
# Run dependency check
if run_dependency_check "$PROJECT_DIR" "$PROJECT_NAME" "$OUTPUT_DIR"; then
echo "[+] Dependency check completed successfully"
# Analyze results
analyze_results "$OUTPUT_DIR" "$PROJECT_NAME"
# Generate remediation report
generate_remediation_report "$OUTPUT_DIR" "$PROJECT_NAME"
# Create dashboard
create_dashboard "$OUTPUT_DIR" "$PROJECT_NAME" "$PROJECT_TYPES"
# Setup monitoring
setup_monitoring "$PROJECT_DIR" "$PROJECT_NAME"
echo "[+] Comprehensive scan completed successfully"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/vulnerability_dashboard.html for overview"
echo "[+] Open $OUTPUT_DIR/dependency-check-report.html for detailed report"
else
echo "[-] Dependency check failed"
exit 1
fiCI/CD Integration Script
bash
#!/bin/bash
# CI/CD pipeline integration for dependency checking
PIPELINE_TYPE="$1" # jenkins, gitlab, github, azure
PROJECT_DIR="${2:-.}"
FAIL_ON_CVSS="${3:-7.0}"
if [ -z "$PIPELINE_TYPE" ]; then
echo "Usage: $0 <pipeline_type> [project_dir] [fail_on_cvss]"
echo "Pipeline types: jenkins, gitlab, github, azure"
exit 1
fi
# Function to generate Jenkins pipeline
generate_jenkins_pipeline() {
cat > Jenkinsfile << 'EOF'
pipeline {
agent any
environment {
DEPENDENCY_CHECK_HOME = '/opt/dependency-check'
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Dependency Check') {
steps {
script {
sh '''
${DEPENDENCY_CHECK_HOME}/bin/dependency-check.sh \
--scan . \
--project "${JOB_NAME}" \
--out dependency-check-reports \
--format ALL \
--failOnCVSS 7.0 \
--enableRetired \
--enableExperimental
'''
}
}
post {
always {
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'dependency-check-reports',
reportFiles: 'dependency-check-report.html',
reportName: 'Dependency Check Report'
])
archiveArtifacts artifacts: 'dependency-check-reports/*', fingerprint: true
}
}
}
stage('Security Gate') {
steps {
script {
def reportFile = 'dependency-check-reports/dependency-check-report.json'
if (fileExists(reportFile)) {
def report = readJSON file: reportFile
def criticalVulns = 0
def highVulns = 0
report.dependencies.each { dep ->
dep.vulnerabilities.each { vuln ->
if (vuln.severity == 'CRITICAL') {
criticalVulns++
} else if (vuln.severity == 'HIGH') {
highVulns++
}
}
}
echo "Critical vulnerabilities: ${criticalVulns}"
echo "High vulnerabilities: ${highVulns}"
if (criticalVulns > 0) {
error("Build failed due to ${criticalVulns} critical vulnerabilities")
}
if (highVulns > 5) {
unstable("Build marked unstable due to ${highVulns} high vulnerabilities")
}
}
}
}
}
}
post {
failure {
emailext (
subject: "Dependency Check Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "The dependency check found critical vulnerabilities. Please check the report.",
to: "${env.CHANGE_AUTHOR_EMAIL}"
)
}
}
}
EOF
echo "[+] Jenkins pipeline generated: Jenkinsfile"
}
# Function to generate GitLab CI configuration
generate_gitlab_ci() {
cat > .gitlab-ci.yml << 'EOF'
stages:
- security
- deploy
variables:
DEPENDENCY_CHECK_VERSION: "8.4.3"
dependency_check:
stage: security
image: owasp/dependency-check:latest
script:
- /usr/share/dependency-check/bin/dependency-check.sh
--scan .
--project "$CI_PROJECT_NAME"
--out dependency-check-reports
--format ALL
--failOnCVSS 7.0
--enableRetired
--enableExperimental
artifacts:
reports:
dependency_scanning: dependency-check-reports/dependency-check-report.json
paths:
- dependency-check-reports/
expire_in: 1 week
allow_failure: false
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_MERGE_REQUEST_ID
security_gate:
stage: security
image: alpine:latest
dependencies:
- dependency_check
before_script:
- apk add --no-cache jq
script:
- |
if [ -f "dependency-check-reports/dependency-check-report.json" ]; then
CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' dependency-check-reports/dependency-check-report.json)
HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' dependency-check-reports/dependency-check-report.json)
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
fi
echo "✅ Security gate passed"
else
echo "❌ Dependency check report not found"
exit 1
fi
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_MERGE_REQUEST_ID
EOF
echo "[+] GitLab CI configuration generated: .gitlab-ci.yml"
}
# Function to generate GitHub Actions workflow
generate_github_actions() {
mkdir -p .github/workflows
cat > .github/workflows/dependency-check.yml << 'EOF'
name: Dependency Check
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *' # Daily at 2 AM
jobs:
dependency-check:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: ${{ github.repository }}
path: '.'
format: 'ALL'
args: >
--enableRetired
--enableExperimental
--failOnCVSS 7.0
- name: Upload results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: reports/dependency-check-report.sarif
- name: Upload Dependency Check reports
if: always()
uses: actions/upload-artifact@v3
with:
name: dependency-check-reports
path: reports/
- name: Security Gate
if: always()
run: |
if [ -f "reports/dependency-check-report.json" ]; then
CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' reports/dependency-check-report.json)
HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' reports/dependency-check-report.json)
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
fi
echo "✅ Security gate passed"
else
echo "❌ Dependency check report not found"
exit 1
fi
- name: Comment PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const path = 'reports/dependency-check-report.json';
if (fs.existsSync(path)) {
const report = JSON.parse(fs.readFileSync(path, 'utf8'));
let criticalCount = 0;
let highCount = 0;
report.dependencies.forEach(dep => {
dep.vulnerabilities.forEach(vuln => {
if (vuln.severity === 'CRITICAL') criticalCount++;
if (vuln.severity === 'HIGH') highCount++;
});
});
const comment = `## 🔍 Dependency Check Results
- **Critical vulnerabilities:** ${criticalCount}
- **High vulnerabilities:** ${highCount}
- **Total dependencies:** ${report.dependencies.length}
${criticalCount > 0 ? '❌ **Action required:** Critical vulnerabilities found!' : '✅ No critical vulnerabilities found'}
[View detailed report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
}
EOF
echo "[+] GitHub Actions workflow generated: .github/workflows/dependency-check.yml"
}
# Function to generate Azure DevOps pipeline
generate_azure_pipeline() {
cat > azure-pipelines.yml << 'EOF'
trigger:
branches:
include:
- main
- develop
pr:
branches:
include:
- main
schedules:
- cron: "0 2 * * *"
displayName: Daily dependency check
branches:
include:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
dependencyCheckVersion: '8.4.3'
stages:
- stage: SecurityScan
displayName: 'Security Scanning'
jobs:
- job: DependencyCheck
displayName: 'Dependency Check'
steps:
- task: Bash@3
displayName: 'Download Dependency Check'
inputs:
targetType: 'inline'
script: |
wget https://github.com/jeremylong/DependencyCheck/releases/download/v$(dependencyCheckVersion)/dependency-check-$(dependencyCheckVersion)-release.zip
unzip dependency-check-$(dependencyCheckVersion)-release.zip
chmod +x dependency-check/bin/dependency-check.sh
- task: Bash@3
displayName: 'Run Dependency Check'
inputs:
targetType: 'inline'
script: |
./dependency-check/bin/dependency-check.sh \
--scan . \
--project "$(Build.Repository.Name)" \
--out dependency-check-reports \
--format ALL \
--failOnCVSS 7.0 \
--enableRetired \
--enableExperimental
- task: PublishTestResults@2
displayName: 'Publish Dependency Check Results'
condition: always()
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: 'dependency-check-reports/dependency-check-junit.xml'
testRunTitle: 'Dependency Check'
- task: PublishHtmlReport@1
displayName: 'Publish HTML Report'
condition: always()
inputs:
reportDir: 'dependency-check-reports'
tabName: 'Dependency Check'
- task: Bash@3
displayName: 'Security Gate'
inputs:
targetType: 'inline'
script: |
if [ -f "dependency-check-reports/dependency-check-report.json" ]; then
CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' dependency-check-reports/dependency-check-report.json)
HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' dependency-check-reports/dependency-check-report.json)
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "##vso[task.logissue type=warning]$HIGH_COUNT high vulnerabilities found"
fi
echo "Security gate passed"
else
echo "##vso[task.logissue type=error]Dependency check report not found"
exit 1
fi
- task: PublishBuildArtifacts@1
displayName: 'Publish Artifacts'
condition: always()
inputs:
pathToPublish: 'dependency-check-reports'
artifactName: 'dependency-check-reports'
EOF
echo "[+] Azure DevOps pipeline generated: azure-pipelines.yml"
}
# Main execution
echo "[+] Generating CI/CD integration for $PIPELINE_TYPE"
echo "[+] Project directory: $PROJECT_DIR"
echo "[+] CVSS threshold: $FAIL_ON_CVSS"
case "$PIPELINE_TYPE" in
"jenkins")
generate_jenkins_pipeline
;;
"gitlab")
generate_gitlab_ci
;;
"github")
generate_github_actions
;;
"azure")
generate_azure_pipeline
;;
*)
echo "[-] Unknown pipeline type: $PIPELINE_TYPE"
echo "Supported types: jenkins, gitlab, github, azure"
exit 1
;;
esac
echo "[+] CI/CD integration files generated successfully"
echo "[+] Remember to:"
echo " 1. Adjust CVSS thresholds based on your security requirements"
echo " 2. Configure notification settings (email, Slack, etc.)"
echo " 3. Set up proper artifact storage and retention policies"
echo " 4. Test the pipeline in a development environment first"Vulnerability Tracking System
bash
#!/bin/bash
# Vulnerability tracking and management system
TRACKING_DB="vulnerability_tracking.db"
PROJECT_NAME="$1"
SCAN_RESULTS="$2"
if [ -z "$PROJECT_NAME" ] || [ -z "$SCAN_RESULTS" ]; then
echo "Usage: $0 <project_name> <scan_results_json>"
exit 1
fi
# Function to initialize tracking database
init_database() {
echo "[+] Initializing vulnerability tracking database"
sqlite3 "$TRACKING_DB" << 'EOF'
CREATE TABLE IF NOT EXISTS projects (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT UNIQUE NOT NULL,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE IF NOT EXISTS scans (
id INTEGER PRIMARY KEY AUTOINCREMENT,
project_id INTEGER,
scan_date DATETIME DEFAULT CURRENT_TIMESTAMP,
total_dependencies INTEGER,
vulnerable_dependencies INTEGER,
total_vulnerabilities INTEGER,
critical_count INTEGER,
high_count INTEGER,
medium_count INTEGER,
low_count INTEGER,
FOREIGN KEY (project_id) REFERENCES projects (id)
);
CREATE TABLE IF NOT EXISTS vulnerabilities (
id INTEGER PRIMARY KEY AUTOINCREMENT,
scan_id INTEGER,
cve_id TEXT,
severity TEXT,
score REAL,
dependency_name TEXT,
dependency_version TEXT,
description TEXT,
status TEXT DEFAULT 'open',
assigned_to TEXT,
due_date DATE,
notes TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (scan_id) REFERENCES scans (id)
);
CREATE TABLE IF NOT EXISTS remediation_actions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
vulnerability_id INTEGER,
action_type TEXT,
description TEXT,
implemented BOOLEAN DEFAULT FALSE,
implementation_date DATETIME,
verified BOOLEAN DEFAULT FALSE,
verification_date DATETIME,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (vulnerability_id) REFERENCES vulnerabilities (id)
);
EOF
echo " [+] Database initialized: $TRACKING_DB"
}
# Function to import scan results
import_scan_results() {
local project_name="$1"
local results_file="$2"
echo "[+] Importing scan results for $project_name"
if [ ! -f "$results_file" ]; then
echo "[-] Results file not found: $results_file"
return 1
fi
# Insert or get project
local project_id=$(sqlite3 "$TRACKING_DB" "INSERT OR IGNORE INTO projects (name) VALUES ('$project_name'); SELECT id FROM projects WHERE name = '$project_name';")
# Parse scan results
if command -v jq &> /dev/null; then
local total_deps=$(jq '.dependencies | length' "$results_file")
local vulnerable_deps=$(jq '[.dependencies[] | select(.vulnerabilities | length > 0)] | length' "$results_file")
local total_vulns=$(jq '[.dependencies[].vulnerabilities[]] | length' "$results_file")
local critical_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' "$results_file")
local high_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' "$results_file")
local medium_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "MEDIUM")] | length' "$results_file")
local low_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "LOW")] | length' "$results_file")
# Insert scan record
local scan_id=$(sqlite3 "$TRACKING_DB" "INSERT INTO scans (project_id, total_dependencies, vulnerable_dependencies, total_vulnerabilities, critical_count, high_count, medium_count, low_count) VALUES ($project_id, $total_deps, $vulnerable_deps, $total_vulns, $critical_count, $high_count, $medium_count, $low_count); SELECT last_insert_rowid();")
echo " [+] Scan record created with ID: $scan_id"
# Import individual vulnerabilities
jq -r '.dependencies[] | select(.vulnerabilities | length > 0) | .fileName as $dep | .vulnerabilities[] | [$dep, .name, .severity, .cvssv3.baseScore // .cvssv2.score // 0, .description] | @csv' "$results_file" | while IFS=',' read -r dep_name cve_id severity score description; do
# Clean up CSV fields
dep_name=$(echo "$dep_name" | tr -d '"')
cve_id=$(echo "$cve_id" | tr -d '"')
severity=$(echo "$severity" | tr -d '"')
description=$(echo "$description" | tr -d '"' | head -c 500) # Limit description length
sqlite3 "$TRACKING_DB" "INSERT INTO vulnerabilities (scan_id, cve_id, severity, score, dependency_name, description) VALUES ($scan_id, '$cve_id', '$severity', $score, '$dep_name', '$description');"
done
echo " [+] Imported $total_vulns vulnerabilities"
else
echo "[-] jq not available for parsing JSON results"
return 1
fi
}
# Function to generate tracking report
generate_tracking_report() {
local project_name="$1"
local report_file="vulnerability_tracking_report.html"
echo "[+] Generating vulnerability tracking report"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Vulnerability Tracking Report - $project_name</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.critical { background-color: #ffebee; border-color: #f44336; }
.high { background-color: #fff3e0; border-color: #ff9800; }
.medium { background-color: #fff8e1; border-color: #ffc107; }
.low { background-color: #f3e5f5; border-color: #9c27b0; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
.status-open { color: #d32f2f; font-weight: bold; }
.status-in-progress { color: #f57c00; font-weight: bold; }
.status-resolved { color: #388e3c; font-weight: bold; }
.chart { margin: 20px 0; text-align: center; }
</style>
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head>
<body>
<div class="header">
<h1>📊 Vulnerability Tracking Report</h1>
<p><strong>Project:</strong> $project_name</p>
<p><strong>Generated:</strong> $(date)</p>
</div>
EOF
# Add scan history
cat >> "$report_file" << EOF
<div class="section">
<h2>📈 Scan History</h2>
<table>
<tr><th>Scan Date</th><th>Total Deps</th><th>Vulnerable Deps</th><th>Critical</th><th>High</th><th>Medium</th><th>Low</th></tr>
EOF
sqlite3 "$TRACKING_DB" "SELECT scan_date, total_dependencies, vulnerable_dependencies, critical_count, high_count, medium_count, low_count FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 10;" | while IFS='|' read -r scan_date total_deps vuln_deps critical high medium low; do
cat >> "$report_file" << EOF
<tr><td>$scan_date</td><td>$total_deps</td><td>$vuln_deps</td><td>$critical</td><td>$high</td><td>$medium</td><td>$low</td></tr>
EOF
done
cat >> "$report_file" << EOF
</table>
</div>
EOF
# Add current vulnerabilities by severity
for severity in CRITICAL HIGH MEDIUM LOW; do
local css_class=$(echo $severity | tr '[:upper:]' '[:lower:]')
cat >> "$report_file" << EOF
<div class="section $css_class">
<h2>🔴 $severity Severity Vulnerabilities</h2>
<table>
<tr><th>CVE ID</th><th>Dependency</th><th>Score</th><th>Status</th><th>Assigned To</th><th>Due Date</th></tr>
EOF
sqlite3 "$TRACKING_DB" "SELECT v.cve_id, v.dependency_name, v.score, v.status, v.assigned_to, v.due_date FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.severity = '$severity' AND v.status != 'resolved' ORDER BY v.score DESC;" | while IFS='|' read -r cve_id dep_name score status assigned_to due_date; do
local status_class="status-$(echo $status | tr ' ' '-')"
cat >> "$report_file" << EOF
<tr><td>$cve_id</td><td>$dep_name</td><td>$score</td><td class="$status_class">$status</td><td>$assigned_to</td><td>$due_date</td></tr>
EOF
done
cat >> "$report_file" << EOF
</table>
</div>
EOF
done
cat >> "$report_file" << EOF
</body>
</html>
EOF
echo " [+] Tracking report generated: $report_file"
}
# Function to manage vulnerability status
manage_vulnerability() {
local action="$1"
local cve_id="$2"
local value="$3"
case "$action" in
"assign")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET assigned_to = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Assigned $cve_id to $value"
;;
"status")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET status = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Updated $cve_id status to $value"
;;
"due")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET due_date = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Set due date for $cve_id to $value"
;;
"note")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET notes = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Added note to $cve_id"
;;
*)
echo "Unknown action: $action"
echo "Available actions: assign, status, due, note"
;;
esac
}
# Function to show vulnerability statistics
show_statistics() {
local project_name="$1"
echo "[+] Vulnerability Statistics for $project_name"
echo "=============================================="
# Latest scan statistics
sqlite3 "$TRACKING_DB" "SELECT 'Latest Scan:', scan_date FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
sqlite3 "$TRACKING_DB" "SELECT 'Total Dependencies:', total_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
sqlite3 "$TRACKING_DB" "SELECT 'Vulnerable Dependencies:', vulnerable_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
echo ""
echo "Vulnerabilities by Severity:"
sqlite3 "$TRACKING_DB" "SELECT severity, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY severity ORDER BY CASE severity WHEN 'CRITICAL' THEN 1 WHEN 'HIGH' THEN 2 WHEN 'MEDIUM' THEN 3 WHEN 'LOW' THEN 4 END;"
echo ""
echo "Vulnerabilities by Status:"
sqlite3 "$TRACKING_DB" "SELECT status, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' GROUP BY status;"
echo ""
echo "Top 10 Most Vulnerable Dependencies:"
sqlite3 "$TRACKING_DB" "SELECT dependency_name, COUNT(*) as vuln_count FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY dependency_name ORDER BY vuln_count DESC LIMIT 10;"
}
# Main execution
echo "[+] OWASP Dependency-Check Vulnerability Tracking System"
# Initialize database
init_database
# Import scan results
if [ -f "$SCAN_RESULTS" ]; then
import_scan_results "$PROJECT_NAME" "$SCAN_RESULTS"
else
echo "[-] Scan results file not found: $SCAN_RESULTS"
fi
# Generate tracking report
generate_tracking_report "$PROJECT_NAME"
# Show statistics
show_statistics "$PROJECT_NAME"
echo ""
echo "Vulnerability Management Commands:"
echo "=================================="
echo "Assign vulnerability: $0 manage assign CVE-2023-1234 'john.doe@company.com'"
echo "Update status: $0 manage status CVE-2023-1234 'in-progress'"
echo "Set due date: $0 manage due CVE-2023-1234 '2024-01-15'"
echo "Add note: $0 manage note CVE-2023-1234 'Patch available in v2.1.0'"
echo ""
echo "Available statuses: open, in-progress, resolved, false-positive, accepted-risk"Integration with Other Tools
SonarQube Integration
bash
# Configure SonarQube with Dependency-Check
sonar.dependencyCheck.reportPath=dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
# Run dependency check before SonarQube analysis
dependency-check --scan . --format XML --out .
sonar-scannerJIRA Integration
bash
# Create JIRA tickets for vulnerabilities
curl -X POST \
-H "Content-Type: application/json" \
-u username:password \
-d '{
"fields": {
"project": {"key": "SEC"},
"summary": "Vulnerability: CVE-2023-1234",
"description": "Critical vulnerability found in dependency",
"issuetype": {"name": "Bug"},
"priority": {"name": "Critical"}
}
}' \
https://company.atlassian.net/rest/api/2/issue/Slack Integration
bash
# Send vulnerability alerts to Slack
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"🚨 Critical vulnerabilities found in MyProject"}' \
https://hooks.slack.com/services/YOUR/SLACK/WEBHOOKTroubleshooting
Common Issues
Database Update Problems
bash
# Update NVD database manually
dependency-check --updateonly
# Use specific database location
dependency-check --data /opt/dependency-check-data --updateonly
# Check database status
dependency-check --scan . --out . -v | grep -i databaseFalse Positives
bash
# Create suppression file
cat > suppressions.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>False positive - not applicable</notes>
<filePath regex="true">.*jquery.*</filePath>
<cve>CVE-2019-11358</cve>
</suppress>
</suppressions>
EOF
# Use suppression file
dependency-check --scan . --suppression suppressions.xml --out .Performance Issues
bash
# Increase memory allocation
export JAVA_OPTS="-Xmx4g"
dependency-check --scan . --out .
# Use local database
dependency-check --data ./dependency-check-data --scan . --out .
# Disable specific analyzers
dependency-check --scan . --disableAssembly --disableAutoconf --out .Network Issues
bash
# Use proxy settings
dependency-check --scan . --proxyserver proxy.company.com --proxyport 8080 --out .
# Use NVD API key to avoid rate limiting
dependency-check --scan . --nvdApiKey YOUR_API_KEY --out .
# Work offline (requires pre-downloaded database)
dependency-check --scan . --noupdate --out .Performance Optimization
bash
# Optimize for large projects
dependency-check --scan . \
--enableRetired false \
--enableExperimental false \
--disableOssIndex \
--out .
# Use parallel processing
dependency-check --scan . --threads 4 --out .
# Cache database for multiple scans
export DC_DATA_DIR=/opt/dependency-check-data
dependency-check --data $DC_DATA_DIR --scan . --out .Resources
- OWASP Dependency-Check Official Site
- Dependency-Check GitHub Repository
- National Vulnerability Database
- Common Vulnerability Scoring System
- Software Composition Analysis Guide
- OWASP Top 10 - Using Components with Known Vulnerabilities
- Dependency-Check Jenkins Plugin
This cheat sheet provides a comprehensive reference for using OWASP Dependency-Check for software composition analysis and vulnerability management. Always ensure you have proper authorization before scanning third-party dependencies and follow your organization's security policies for vulnerability remediation.