OWASP Abhängigkeitsprüfung Cheat Blatt
Überblick
OWASP Dependency-Check ist ein Software Composition Analysis (SCA) Tool, das versucht, öffentlich offenbarte Schwachstellen in den Abhängigkeiten eines Projekts zu erkennen. Dies geschieht, indem festgestellt wird, ob für eine bestimmte Abhängigkeit eine gemeinsame Plattform-Enumeration (CPE)-Kennung vorliegt, und wenn gefunden, wird sie einen Bericht erstellen, der mit den zugehörigen Common Vulnerability and Exposure (CVE)-Einträgen verknüpft ist. Dependance-Check unterstützt Java, .NET, JavaScript, Python, Ruby, PHP und viele andere Ökosysteme, so dass es ein wesentliches Werkzeug zur Identifizierung bekannter Schwachstellen in Drittkomponenten und Bibliotheken, die in Softwareprojekten verwendet werden.
ZEIT Important: Dependency-Check identifiziert bekannte Schwachstellen, kann aber keine Null-Tage Schwachstellen oder benutzerdefinierte Code Schwachstellen erkennen. Es sollte als Teil einer umfassenden Sicherheitsteststrategie neben statischer Analyse, dynamischer Prüfung und manueller Codeüberprüfung verwendet werden.
Installation
Installation der Kommandozeile
Java/JAR Installation
```bash
Download latest release
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.3/dependency-check-8.4.3-release.zip
Extract
unzip dependency-check-8.4.3-release.zip
Add to PATH
export PATH=$PATH:$(pwd)/dependency-check/bin
Verify installation
dependency-check.sh --version
Create permanent alias
echo 'export PATH=$PATH:/path/to/dependency-check/bin' >> ~/.bashrc source ~/.bashrc ```_
Docker Installation
```bash
Pull official Docker image
docker pull owasp/dependency-check
Run basic scan
docker run --rm -v $(pwd):/src owasp/dependency-check --scan /src --format ALL
Create alias for easier usage
echo 'alias dependency-check="docker run --rm -v \$(pwd):/src owasp/dependency-check"' >> ~/.bashrc source ~/.bashrc
Run with custom output directory
docker run --rm -v $(pwd):/src -v $(pwd)/reports:/reports owasp/dependency-check --scan /src --out /reports ```_
Installation des Paketmanagers
Ubuntu/Debian
```bash
Install via snap
sudo snap install dependency-check
Verify installation
dependency-check --version
Alternative: Install via apt (if available)
sudo apt update sudo apt install dependency-check ```_
macOS
```bash
Install via Homebrew
brew install dependency-check
Verify installation
dependency-check --version
Update to latest version
brew upgrade dependency-check ```_
Windows
```bash
Download Windows release
https://github.com/jeremylong/DependencyCheck/releases
Extract to desired location
Add bin directory to PATH environment variable
Verify installation
dependency-check.bat --version ```_
Integration von Werkzeugen
Maven Plugin
```xml
Bild und Bild
```groovy // Add to build.gradle plugins \\{ id 'org.owasp.dependencycheck' version '8.4.3' \\}
dependencyCheck \\{ failBuildOnCVSS = 7 format = 'ALL' suppressionFile = 'dependency-check-suppressions.xml' \\}
// Run scan // ./gradlew dependencyCheckAnalyze ```_
SBT Plugins
```scala // Add to project/plugins.sbt addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "4.1.0")
// Add to build.sbt dependencyCheckFailBuildOnCVSS := Some(7.0f) dependencyCheckFormat := "ALL" ```_
Aufgaben
```xml
Basisnutzung
Einfache Scans
```bash
Basic project scan
dependency-check --scan ./src --out ./reports
Scan with project name
dependency-check --scan ./src --project "MyProject" --out ./reports
Scan multiple directories
dependency-check --scan ./src --scan ./lib --scan ./vendor --out ./reports
Scan with specific formats
dependency-check --scan ./src --format HTML --format JSON --format XML --out ./reports
Scan with all formats
dependency-check --scan ./src --format ALL --out ./reports ```_
Erweiterte Scanoptionen
```bash
Scan with CVSS threshold
dependency-check --scan ./src --failOnCVSS 7 --out ./reports
Scan with custom database location
dependency-check --scan ./src --data ./dependency-check-data --out ./reports
Scan with suppression file
dependency-check --scan ./src --suppression suppressions.xml --out ./reports
Scan with custom NVD API key
dependency-check --scan ./src --nvdApiKey YOUR_API_KEY --out ./reports
Verbose output
dependency-check --scan ./src --out ./reports -v
Debug output
dependency-check --scan ./src --out ./reports -d ```_
Sprach-Specific Scans
```bash
Java/Maven project
dependency-check --scan ./pom.xml --out ./reports
Node.js project
dependency-check --scan ./package.json --scan ./package-lock.json --out ./reports
Python project
dependency-check --scan ./requirements.txt --scan ./Pipfile.lock --out ./reports
.NET project
dependency-check --scan ./*.csproj --scan ./packages.config --out ./reports
Ruby project
dependency-check --scan ./Gemfile.lock --out ./reports
PHP project
dependency-check --scan ./composer.lock --out ./reports
Go project
dependency-check --scan ./go.mod --scan ./go.sum --out ./reports ```_
Konfiguration und Anpassung
Datei konfigurieren
```bash
Create configuration file
cat > dependency-check.properties << 'EOF'
Database settings
data.directory=/opt/dependency-check-data database.driver.name=org.h2.Driver database.driver.path=/opt/dependency-check/h2-2.1.214.jar
NVD settings
nvd.api.key=YOUR_NVD_API_KEY nvd.api.delay=4000
Analyzer settings
analyzer.jar.enabled=true analyzer.node.js.enabled=true analyzer.python.enabled=true analyzer.ruby.enabled=true analyzer.php.enabled=true analyzer.dotnet.enabled=true
Report settings
format=ALL failOnCVSS=7
Suppression settings
suppression.file=suppressions.xml EOF
Use configuration file
dependency-check --propertyfile dependency-check.properties --scan ./src --out ./reports ```_
Suppression File
```xml
<suppress>
<notes>False positive - this vulnerability doesn't apply to our usage</notes>
<filePath regex="true">.*jquery-3\.2\.1\.min\.js</filePath>
<cve>CVE-2019-11358</cve>
</suppress>
<suppress>
<notes>Legacy library - vulnerabilities accepted as risk</notes>
<filePath regex="true">.*legacy-lib-1\.0\.jar</filePath>
</suppress>
<suppress>
<notes>Not applicable to our environment</notes>
<cpe>cpe:/a:apache:struts:2.3.20</cpe>
<cve>CVE-2014-0094</cve>
</suppress>
<suppress until="2024-12-31">
<notes>Temporary suppression - fix scheduled</notes>
<filePath regex="true">.*vulnerable-component.*</filePath>
<cvssBelow>4.0</cvssBelow>
</suppress>
<suppress>
<notes>XSS not applicable in server-side context</notes>
<filePath regex="true">.*server-side-lib.*</filePath>
<vulnerabilityName regex="true">.*Cross-site Scripting.*</vulnerabilityName>
</suppress>
```_
Individuelle Analyzer
```bash
Enable/disable specific analyzers
dependency-check --scan ./src \ --enableRetired \ --enableExperimental \ --disableAssembly \ --disableAutoconf \ --out ./reports
Configure analyzer-specific settings
dependency-check --scan ./src \ --nodePackage ./package.json \ --nodeAuditSkipDevDependencies \ --bundleAuditPath /usr/local/bin/bundle-audit \ --out ./reports ```_
Automatisierungsskripte
Umfassender Projektscanner
```bash
!/bin/bash
Comprehensive dependency vulnerability scanner
PROJECT_DIR="$1" OUTPUT_DIR="dependency_scan_$(date +%Y%m%d_%H%M%S)" CVSS_THRESHOLD=7.0 SUPPRESSION_FILE="suppressions.xml"
if [ -z "$PROJECT_DIR" ]; then
echo "Usage: $0
if [ ! -d "$PROJECT_DIR" ]; then echo "Error: Project directory not found: $PROJECT_DIR" exit 1 fi
mkdir -p "$OUTPUT_DIR"
Function to detect project type
detect_project_type() \\{ local project_dir="$1" local project_types=()
# Java/Maven
if [ -f "$project_dir/pom.xml" ]; then
project_types+=("maven")
fi
# Java/Gradle
| if [ -f "$project_dir/build.gradle" ] | | [ -f "$project_dir/build.gradle.kts" ]; then | project_types+=("gradle") fi
# Node.js
if [ -f "$project_dir/package.json" ]; then
project_types+=("nodejs")
fi
# Python
| if [ -f "$project_dir/requirements.txt" ] | | [ -f "$project_dir/Pipfile" ] | | [ -f "$project_dir/setup.py" ]; then | project_types+=("python") fi
# .NET
if find "$project_dir" -name "*.csproj" -o -name "*.vbproj" -o -name "*.fsproj"|grep -q .; then
project_types+=("dotnet")
fi
# Ruby
if [ -f "$project_dir/Gemfile" ]; then
project_types+=("ruby")
fi
# PHP
if [ -f "$project_dir/composer.json" ]; then
project_types+=("php")
fi
# Go
if [ -f "$project_dir/go.mod" ]; then
project_types+=("go")
fi
echo "$\\\\{project_types[@]\\\\}"
\\}
Function to run dependency check
run_dependency_check() \\{ local scan_dir="$1" local project_name="$2" local output_dir="$3"
echo "[+] Running dependency check for $project_name"
local cmd="dependency-check"
local args=(
"--scan" "$scan_dir"
"--project" "$project_name"
"--out" "$output_dir"
"--format" "ALL"
"--failOnCVSS" "$CVSS_THRESHOLD"
"--enableRetired"
"--enableExperimental"
)
# Add suppression file if it exists
if [ -f "$SUPPRESSION_FILE" ]; then
args+=("--suppression" "$SUPPRESSION_FILE")
fi
# Add NVD API key if available
if [ -n "$NVD_API_KEY" ]; then
args+=("--nvdApiKey" "$NVD_API_KEY")
fi
# Run the scan
"$cmd" "$\\\\{args[@]\\\\}" 2>&1|tee "$output_dir/scan.log"
return $\\\\{PIPESTATUS[0]\\\\}
\\}
Function to analyze results
analyze_results() \\{ local output_dir="$1" local project_name="$2"
echo "[+] Analyzing scan results"
local json_report="$output_dir/dependency-check-report.json"
local analysis_file="$output_dir/vulnerability_analysis.txt"
if [ ! -f "$json_report" ]; then
echo "[-] JSON report not found: $json_report"
return 1
fi
# Extract vulnerability statistics
cat > "$analysis_file" << EOF
Dependency Vulnerability Analysis
Project: $project_name Scan Date: $(date) Output Directory: $output_dir
Vulnerability Summary: EOF
# Parse JSON report for statistics
if command -v jq &> /dev/null; then
echo " [+] Parsing JSON report with jq"
| local total_deps=$(jq '.dependencies | length' "$json_report" 2>/dev/null | | echo 0) | | local vulnerable_deps=$(jq '[.dependencies[] | select(.vulnerabilities | length > 0)] | length' "$json_report" 2>/dev/null | | echo 0) | | local total_vulns=$(jq '[.dependencies[].vulnerabilities[]] | length' "$json_report" 2>/dev/null | | echo 0) |
cat >> "$analysis_file" << EOF
- Total Dependencies: $total_deps
- Vulnerable Dependencies: $vulnerable_deps
- Total Vulnerabilities: $total_vulns
Vulnerability Breakdown by Severity: EOF
# Count vulnerabilities by severity
| jq -r '.dependencies[].vulnerabilities[] | .severity' "$json_report" 2>/dev/null | sort | uniq -c | while read count severity; do | echo "- $severity: $count" >> "$analysis_file" done
# High severity vulnerabilities
echo "" >> "$analysis_file"
echo "High Severity Vulnerabilities:" >> "$analysis_file"
| jq -r '.dependencies[] | select(.vulnerabilities[] | .severity == "HIGH") | .fileName + " - " + (.vulnerabilities[] | select(.severity == "HIGH") | .name)' "$json_report" 2>/dev/null >> "$analysis_file" |
# Critical severity vulnerabilities
echo "" >> "$analysis_file"
echo "Critical Severity Vulnerabilities:" >> "$analysis_file"
| jq -r '.dependencies[] | select(.vulnerabilities[] | .severity == "CRITICAL") | .fileName + " - " + (.vulnerabilities[] | select(.severity == "CRITICAL") | .name)' "$json_report" 2>/dev/null >> "$analysis_file" |
else
echo " [!] jq not available, using basic analysis"
# Basic grep-based analysis
| grep -o '"severity":"[^"]*"' "$json_report" | cut -d'"' -f4 | sort | uniq -c >> "$analysis_file" | fi
echo " [+] Analysis completed: $analysis_file"
\\}
Function to generate remediation report
generate_remediation_report() \\{ local output_dir="$1" local project_name="$2"
echo "[+] Generating remediation report"
local json_report="$output_dir/dependency-check-report.json"
local remediation_file="$output_dir/remediation_report.txt"
if [ ! -f "$json_report" ]; then
echo "[-] JSON report not found for remediation analysis"
return 1
fi
cat > "$remediation_file" << EOF
Dependency Vulnerability Remediation Report
Project: $project_name Generated: $(date)
Recommended Actions: EOF
if command -v jq &> /dev/null; then
# Extract vulnerable dependencies with remediation info
| jq -r '.dependencies[] | select(.vulnerabilities | length > 0) | | "Dependency: " + .fileName + | "\nVulnerabilities: " + (.vulnerabilities | length | tostring) + | "\nHighest Severity: " + ([.vulnerabilities[].severity]|max) + "\nRecommendation: Update to latest version or find alternative\n---"' "$json_report" >> "$remediation_file" fi
cat >> "$remediation_file" << EOF
General Remediation Steps: 1. Update vulnerable dependencies to latest versions 2. Check for security patches from vendors 3. Consider alternative libraries if updates unavailable 4. Implement additional security controls if updates not possible 5. Add suppressions for false positives with proper justification
Next Steps: 1. Review each vulnerable dependency 2. Check for available updates 3. Test updates in development environment 4. Plan deployment of security updates 5. Monitor for new vulnerabilities EOF
echo " [+] Remediation report generated: $remediation_file"
\\}
Function to create HTML dashboard
create_dashboard() \\{ local output_dir="$1" local project_name="$2" local project_types="$3"
echo "[+] Creating vulnerability dashboard"
local dashboard_file="$output_dir/vulnerability_dashboard.html"
local json_report="$output_dir/dependency-check-report.json"
cat > "$dashboard_file" << EOF
🔍 Dependency Vulnerability Dashboard
Project: $project_name
Project Types: $project_types
Scan Date: $(date)
CVSS Threshold: $CVSS_THRESHOLD
📊 Vulnerability Summary
| Metric | Count | Percentage |
|---|---|---|
| Total Dependencies | $total_deps | 100% |
| Vulnerable Dependencies | $vulnerable_deps | $(echo "scale=1; $vulnerable_deps * 100 / $total_deps" | bc -l 2>/dev/null | | echo "N/A")% |
| Total Vulnerabilities | $total_vulns | - |
📈 Vulnerability Distribution
🎯 Vulnerabilities by Severity
| Severity | Count | Action Required |
|---|---|---|
| $severity | $count | $action |
📁 Generated Reports
🔧 Recommended Actions
- Review Critical and High Severity Vulnerabilities: Address these immediately
- Update Dependencies: Check for available updates for vulnerable components
- Assess Risk: Evaluate the actual risk based on your application's usage
- Implement Mitigations: Apply security controls if updates are not available
- Monitor Continuously: Set up regular scans to catch new vulnerabilities
EOF
echo " [+] Vulnerability dashboard created: $dashboard_file"
\\}
Function to setup continuous monitoring
setup_monitoring() \\{ local project_dir="$1" local project_name="$2"
echo "[+] Setting up continuous monitoring"
local monitor_script="$OUTPUT_DIR/monitor_dependencies.sh"
cat > "$monitor_script" ``<< EOF
!/bin/bash
Continuous dependency monitoring script
PROJECT_DIR="$project_dir" PROJECT_NAME="$project_name" MONITOR_DIR="\$(dirname "\$0")/monitoring" ALERT_EMAIL="security@company.com"
mkdir -p "\$MONITOR_DIR"
Run dependency check
dependency-check --scan "\$PROJECT_DIR" \ --project "\$PROJECT_NAME" \ --out "\$MONITOR_DIR" \ --format JSON \ --failOnCVSS $CVSS_THRESHOLD
Check for new vulnerabilities
if [ -f "\$MONITOR_DIR/dependency-check-report.json" ]; then | VULN_COUNT=\$(jq '[.dependencies[].vulnerabilities[]] | length' "\$MONITOR_DIR/dependency-check-report.json" 2>``/dev/null | | echo 0) |
if [ "\$VULN_COUNT" -gt 0 ]; then
echo "[\$(date)] \$VULN_COUNT vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"
# Send alert email (if mail is configured)
if command -v mail &> /dev/null && [ -n "\$ALERT_EMAIL" ]; then
echo "Dependency vulnerabilities detected in \$PROJECT_NAME. Check \$MONITOR_DIR for details."|\\
mail -s "Dependency Alert: \$PROJECT_NAME" "\$ALERT_EMAIL"
fi
else
echo "[\$(date)] No vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"
fi
fi EOF
chmod +x "$monitor_script"
# Create cron job suggestion
cat > "$OUTPUT_DIR/cron_setup.txt" << EOF
To set up continuous monitoring, add this line to your crontab:
Run dependency check daily at 2 AM
0 2 * * * $monitor_script
To edit crontab: crontab -e
To view current crontab: crontab -l EOF
echo " [+] Monitoring script created: $monitor_script"
echo " [+] Cron setup instructions: $OUTPUT_DIR/cron_setup.txt"
\\}
Main execution
echo "[+] Starting comprehensive dependency vulnerability scan" echo "[+] Project directory: $PROJECT_DIR" echo "[+] Output directory: $OUTPUT_DIR" echo "[+] CVSS threshold: $CVSS_THRESHOLD"
Check if dependency-check is available
if ! command -v dependency-check &> /dev/null; then echo "[-] dependency-check not found. Please install OWASP Dependency-Check." exit 1 fi
Detect project types
PROJECT_TYPES=$(detect_project_type "$PROJECT_DIR") if [ -z "$PROJECT_TYPES" ]; then echo "[!] No recognized project types found, scanning all files" PROJECT_TYPES="generic" else echo "[+] Detected project types: $PROJECT_TYPES" fi
Extract project name from directory
PROJECT_NAME=$(basename "$PROJECT_DIR")
Run dependency check
if run_dependency_check "$PROJECT_DIR" "$PROJECT_NAME" "$OUTPUT_DIR"; then echo "[+] Dependency check completed successfully"
# Analyze results
analyze_results "$OUTPUT_DIR" "$PROJECT_NAME"
# Generate remediation report
generate_remediation_report "$OUTPUT_DIR" "$PROJECT_NAME"
# Create dashboard
create_dashboard "$OUTPUT_DIR" "$PROJECT_NAME" "$PROJECT_TYPES"
# Setup monitoring
setup_monitoring "$PROJECT_DIR" "$PROJECT_NAME"
echo "[+] Comprehensive scan completed successfully"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/vulnerability_dashboard.html for overview"
echo "[+] Open $OUTPUT_DIR/dependency-check-report.html for detailed report"
else echo "[-] Dependency check failed" exit 1 fi ```_
CI/CD Integrationsskript
```bash
!/bin/bash
CI/CD pipeline integration for dependency checking
PIPELINE_TYPE="$1" # jenkins, gitlab, github, azure PROJECT_DIR="$\\{2:-.\\}" FAIL_ON_CVSS="$\\{3:-7.0\\}"
if [ -z "$PIPELINE_TYPE" ]; then
echo "Usage: $0
Function to generate Jenkins pipeline
generate_jenkins_pipeline() \\{ cat > Jenkinsfile << 'EOF' pipeline \\{ agent any
environment \\\\{
DEPENDENCY_CHECK_HOME = '/opt/dependency-check'
\\\\}
stages \\\\{
stage('Checkout') \\\\{
steps \\\\{
checkout scm
\\\\}
\\\\}
stage('Dependency Check') \\\\{
steps \\\\{
script \\\\{
sh '''
$\\\\{DEPENDENCY_CHECK_HOME\\\\}/bin/dependency-check.sh \
--scan . \
--project "$\\\\{JOB_NAME\\\\}" \
--out dependency-check-reports \
--format ALL \
--failOnCVSS 7.0 \
--enableRetired \
--enableExperimental
'''
\\\\}
\\\\}
post \\\\{
always \\\\{
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'dependency-check-reports',
reportFiles: 'dependency-check-report.html',
reportName: 'Dependency Check Report'
])
archiveArtifacts artifacts: 'dependency-check-reports/*', fingerprint: true
\\\\}
\\\\}
\\\\}
stage('Security Gate') \\\\{
steps \\\\{
script \\\\{
def reportFile = 'dependency-check-reports/dependency-check-report.json'
if (fileExists(reportFile)) \\\\{
def report = readJSON file: reportFile
def criticalVulns = 0
def highVulns = 0
report.dependencies.each \\\\{ dep ->
dep.vulnerabilities.each \\\\{ vuln ->
if (vuln.severity == 'CRITICAL') \\\\{
criticalVulns++
\\\\} else if (vuln.severity == 'HIGH') \\\\{
highVulns++
\\\\}
\\\\}
\\\\}
echo "Critical vulnerabilities: $\\\\{criticalVulns\\\\}"
echo "High vulnerabilities: $\\\\{highVulns\\\\}"
if (criticalVulns > 0) \\\\{
error("Build failed due to $\\\\{criticalVulns\\\\} critical vulnerabilities")
\\\\}
if (highVulns > 5) \\\\{
unstable("Build marked unstable due to $\\\\{highVulns\\\\} high vulnerabilities")
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
failure \\\\{
emailext (
subject: "Dependency Check Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "The dependency check found critical vulnerabilities. Please check the report.",
to: "$\\\\{env.CHANGE_AUTHOR_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} EOF
echo "[+] Jenkins pipeline generated: Jenkinsfile"
\\}
Function to generate GitLab CI configuration
generate_gitlab_ci() \\{ cat > .gitlab-ci.yml << 'EOF' stages: - security - deploy
variables: DEPENDENCY_CHECK_VERSION: "8.4.3"
dependency_check: stage: security image: owasp/dependency-check:latest script: - /usr/share/dependency-check/bin/dependency-check.sh --scan . --project "$CI_PROJECT_NAME" --out dependency-check-reports --format ALL --failOnCVSS 7.0 --enableRetired --enableExperimental artifacts: reports: dependency_scanning: dependency-check-reports/dependency-check-report.json paths: - dependency-check-reports/ expire_in: 1 week allow_failure: false rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_MERGE_REQUEST_ID
security_gate: stage: security image: alpine:latest dependencies: - dependency_check before_script: - apk add --no-cache jq script: -| if [ -f "dependency-check-reports/dependency-check-report.json" ]; then | CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' dependency-check-reports/dependency-check-report.json) | | HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' dependency-check-reports/dependency-check-report.json) |
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
fi
echo "✅ Security gate passed"
else
echo "❌ Dependency check report not found"
exit 1
fi
rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_MERGE_REQUEST_ID EOF
echo "[+] GitLab CI configuration generated: .gitlab-ci.yml"
\\}
Function to generate GitHub Actions workflow
generate_github_actions() \\{ mkdir -p .github/workflows
cat > .github/workflows/dependency-check.yml ``<< 'EOF'
name: Dependency Check
on: push: branches: [ main, develop ] pull_request: branches: [ main ] schedule: - cron: '0 2 * * *' # Daily at 2 AM
jobs: dependency-check: runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: $\\\{\\\{ github.repository \\\}\\\}
path: '.'
format: 'ALL'
args: >``
--enableRetired
--enableExperimental
--failOnCVSS 7.0
- name: Upload results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: reports/dependency-check-report.sarif
- name: Upload Dependency Check reports
if: always()
uses: actions/upload-artifact@v3
with:
name: dependency-check-reports
path: reports/
- name: Security Gate
if: always()
run:|
if [ -f "reports/dependency-check-report.json" ]; then
| CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' reports/dependency-check-report.json) | | HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' reports/dependency-check-report.json) |
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
fi
echo "✅ Security gate passed"
else
echo "❌ Dependency check report not found"
exit 1
fi
- name: Comment PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v6
with:
script:|
const fs = require('fs');
const path = 'reports/dependency-check-report.json';
if (fs.existsSync(path)) \\\\{
const report = JSON.parse(fs.readFileSync(path, 'utf8'));
let criticalCount = 0;
let highCount = 0;
report.dependencies.forEach(dep => \\\\{
dep.vulnerabilities.forEach(vuln => \\\\{
if (vuln.severity === 'CRITICAL') criticalCount++;
if (vuln.severity === 'HIGH') highCount++;
\\\\});
\\\\});
const comment = `## 🔍 Dependency Check Results
- **Critical vulnerabilities:** $\\{criticalCount\\}
- **High vulnerabilities:** $\\{highCount\\}
- **Total dependencies:** $\\{report.dependencies.length\\}
$\\{criticalCount > 0 ? '❌ **Action required:** Critical vulnerabilities found!' : '✅ No critical vulnerabilities found'\\}
[View detailed report](https://github.com/$\\{\\{ github.repository \\}\\}/actions/runs/$\\{\\{ github.run_id \\}\\})`;
github.rest.issues.createComment(\\\\{
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
\\\\});
\\\\}
EOF
echo "[+] GitHub Actions workflow generated: .github/workflows/dependency-check.yml"
\\}
Function to generate Azure DevOps pipeline
generate_azure_pipeline() \\{ cat > azure-pipelines.yml ``<< 'EOF' trigger: branches: include: - main - develop
pr: branches: include: - main
schedules: - cron: "0 2 * * *" displayName: Daily dependency check branches: include: - main
pool: vmImage: 'ubuntu-latest'
variables: dependencyCheckVersion: '8.4.3'
stages: - stage: SecurityScan displayName: 'Security Scanning' jobs: - job: DependencyCheck displayName: 'Dependency Check' steps: - task: Bash@3 displayName: 'Download Dependency Check' inputs: targetType: 'inline' script:| wget https://github.com/jeremylong/DependencyCheck/releases/download/v$(dependencyCheckVersion)/dependency-check-$(dependencyCheckVersion)-release.zip unzip dependency-check-$(dependencyCheckVersion)-release.zip chmod +x dependency-check/bin/dependency-check.sh
- task: Bash@3
displayName: 'Run Dependency Check'
inputs:
targetType: 'inline'
script:|
./dependency-check/bin/dependency-check.sh \
--scan . \
--project "$(Build.Repository.Name)" \
--out dependency-check-reports \
--format ALL \
--failOnCVSS 7.0 \
--enableRetired \
--enableExperimental
- task: PublishTestResults@2
displayName: 'Publish Dependency Check Results'
condition: always()
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: 'dependency-check-reports/dependency-check-junit.xml'
testRunTitle: 'Dependency Check'
- task: PublishHtmlReport@1
displayName: 'Publish HTML Report'
condition: always()
inputs:
reportDir: 'dependency-check-reports'
tabName: 'Dependency Check'
- task: Bash@3
displayName: 'Security Gate'
inputs:
targetType: 'inline'
script:|
if [ -f "dependency-check-reports/dependency-check-report.json" ]; then
| CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' dependency-check-reports/dependency-check-report.json) | | HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' dependency-check-reports/dependency-check-report.json) |
echo "Critical vulnerabilities: $CRITICAL_COUNT"
echo "High vulnerabilities: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Build failed due to $CRITICAL_COUNT critical vulnerabilities"
exit 1
fi
if [ "$HIGH_COUNT" -gt 5 ]; then
echo "##vso[task.logissue type=warning]$HIGH_COUNT high vulnerabilities found"
fi
echo "Security gate passed"
else
echo "##vso[task.logissue type=error]Dependency check report not found"
exit 1
fi
- task: PublishBuildArtifacts@1
displayName: 'Publish Artifacts'
condition: always()
inputs:
pathToPublish: 'dependency-check-reports'
artifactName: 'dependency-check-reports'
EOF
echo "[+] Azure DevOps pipeline generated: azure-pipelines.yml"
\}
Main execution
echo "[+] Generating CI/CD integration for $PIPELINE_TYPE" echo "[+] Project directory: $PROJECT_DIR" echo "[+] CVSS threshold: $FAIL_ON_CVSS"
case "$PIPELINE_TYPE" in "jenkins") generate_jenkins_pipeline ;; "gitlab") generate_gitlab_ci ;; "github") generate_github_actions ;; "azure") generate_azure_pipeline ;; *) echo "[-] Unknown pipeline type: $PIPELINE_TYPE" echo "Supported types: jenkins, gitlab, github, azure" exit 1 ;; esac
echo "[+] CI/CD integration files generated successfully" echo "[+] Remember to:" echo " 1. Adjust CVSS thresholds based on your security requirements" echo " 2. Configure notification settings (email, Slack, etc.)" echo " 3. Set up proper artifact storage and retention policies" echo " 4. Test the pipeline in a development environment first" ```_
Vulnerability Tracking System
```bash
!/bin/bash
Vulnerability tracking and management system
TRACKING_DB="vulnerability_tracking.db" PROJECT_NAME="$1" SCAN_RESULTS="$2"
| if [ -z "$PROJECT_NAME" ] | | [ -z "$SCAN_RESULTS" ]; then |
echo "Usage: $0
Function to initialize tracking database
init_database() \\{ echo "[+] Initializing vulnerability tracking database"
sqlite3 "$TRACKING_DB" << 'EOF'
CREATE TABLE IF NOT EXISTS projects ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT UNIQUE NOT NULL, created_at DATETIME DEFAULT CURRENT_TIMESTAMP );
CREATE TABLE IF NOT EXISTS scans ( id INTEGER PRIMARY KEY AUTOINCREMENT, project_id INTEGER, scan_date DATETIME DEFAULT CURRENT_TIMESTAMP, total_dependencies INTEGER, vulnerable_dependencies INTEGER, total_vulnerabilities INTEGER, critical_count INTEGER, high_count INTEGER, medium_count INTEGER, low_count INTEGER, FOREIGN KEY (project_id) REFERENCES projects (id) );
CREATE TABLE IF NOT EXISTS vulnerabilities ( id INTEGER PRIMARY KEY AUTOINCREMENT, scan_id INTEGER, cve_id TEXT, severity TEXT, score REAL, dependency_name TEXT, dependency_version TEXT, description TEXT, status TEXT DEFAULT 'open', assigned_to TEXT, due_date DATE, notes TEXT, created_at DATETIME DEFAULT CURRENT_TIMESTAMP, updated_at DATETIME DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (scan_id) REFERENCES scans (id) );
CREATE TABLE IF NOT EXISTS remediation_actions ( id INTEGER PRIMARY KEY AUTOINCREMENT, vulnerability_id INTEGER, action_type TEXT, description TEXT, implemented BOOLEAN DEFAULT FALSE, implementation_date DATETIME, verified BOOLEAN DEFAULT FALSE, verification_date DATETIME, created_at DATETIME DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (vulnerability_id) REFERENCES vulnerabilities (id) ); EOF
echo " [+] Database initialized: $TRACKING_DB"
\\}
Function to import scan results
import_scan_results() \\{ local project_name="$1" local results_file="$2"
echo "[+] Importing scan results for $project_name"
if [ ! -f "$results_file" ]; then
echo "[-] Results file not found: $results_file"
return 1
fi
# Insert or get project
local project_id=$(sqlite3 "$TRACKING_DB" "INSERT OR IGNORE INTO projects (name) VALUES ('$project_name'); SELECT id FROM projects WHERE name = '$project_name';")
# Parse scan results
if command -v jq &> /dev/null; then
local total_deps=$(jq '.dependencies|length' "$results_file")
| local vulnerable_deps=$(jq '[.dependencies[] | select(.vulnerabilities | length > 0)] | length' "$results_file") | local total_vulns=$(jq '[.dependencies[].vulnerabilities[]]|length' "$results_file") | local critical_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "CRITICAL")] | length' "$results_file") | | local high_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "HIGH")] | length' "$results_file") | | local medium_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "MEDIUM")] | length' "$results_file") | | local low_count=$(jq '[.dependencies[].vulnerabilities[] | select(.severity == "LOW")] | length' "$results_file") |
# Insert scan record
local scan_id=$(sqlite3 "$TRACKING_DB" "INSERT INTO scans (project_id, total_dependencies, vulnerable_dependencies, total_vulnerabilities, critical_count, high_count, medium_count, low_count) VALUES ($project_id, $total_deps, $vulnerable_deps, $total_vulns, $critical_count, $high_count, $medium_count, $low_count); SELECT last_insert_rowid();")
echo " [+] Scan record created with ID: $scan_id"
# Import individual vulnerabilities
| jq -r '.dependencies[] | select(.vulnerabilities | length > 0) | .fileName as $dep | .vulnerabilities[] | [$dep, .name, .severity, .cvssv3.baseScore // .cvssv2.score // 0, .description] | @csv' "$results_file" | while IFS=',' read -r dep_name cve_id severity score description; do | # Clean up CSV fields dep_name=$(echo "$dep_name"|tr -d '"') cve_id=$(echo "$cve_id"|tr -d '"') severity=$(echo "$severity"|tr -d '"') | description=$(echo "$description" | tr -d '"' | head -c 500) # Limit description length |
sqlite3 "$TRACKING_DB" "INSERT INTO vulnerabilities (scan_id, cve_id, severity, score, dependency_name, description) VALUES ($scan_id, '$cve_id', '$severity', $score, '$dep_name', '$description');"
done
echo " [+] Imported $total_vulns vulnerabilities"
else
echo "[-] jq not available for parsing JSON results"
return 1
fi
\\}
Function to generate tracking report
generate_tracking_report() \\{ local project_name="$1" local report_file="vulnerability_tracking_report.html"
echo "[+] Generating vulnerability tracking report"
cat > "$report_file" << EOF
📊 Vulnerability Tracking Report
Project: $project_name
Generated: $(date)
📈 Scan History
| Scan Date | Total Deps | Vulnerable Deps | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|
| $scan_date | $total_deps | $vuln_deps | $critical | $high | $medium | $low |
🔴 $severity Severity Vulnerabilities
| CVE ID | Dependency | Score | Status | Assigned To | Due Date |
|---|---|---|---|---|---|
| $cve_id | $dep_name | $score | $status | $assigned_to | $due_date |
EOF
echo " [+] Tracking report generated: $report_file"
\\}
Function to manage vulnerability status
manage_vulnerability() \\{ local action="$1" local cve_id="$2" local value="$3"
case "$action" in
"assign")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET assigned_to = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Assigned $cve_id to $value"
;;
"status")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET status = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Updated $cve_id status to $value"
;;
"due")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET due_date = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Set due date for $cve_id to $value"
;;
"note")
sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET notes = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
echo "[+] Added note to $cve_id"
;;
*)
echo "Unknown action: $action"
echo "Available actions: assign, status, due, note"
;;
esac
\\}
Function to show vulnerability statistics
show_statistics() \\{ local project_name="$1"
echo "[+] Vulnerability Statistics for $project_name"
echo "=============================================="
# Latest scan statistics
sqlite3 "$TRACKING_DB" "SELECT 'Latest Scan:', scan_date FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
sqlite3 "$TRACKING_DB" "SELECT 'Total Dependencies:', total_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
sqlite3 "$TRACKING_DB" "SELECT 'Vulnerable Dependencies:', vulnerable_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"
echo ""
echo "Vulnerabilities by Severity:"
sqlite3 "$TRACKING_DB" "SELECT severity, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY severity ORDER BY CASE severity WHEN 'CRITICAL' THEN 1 WHEN 'HIGH' THEN 2 WHEN 'MEDIUM' THEN 3 WHEN 'LOW' THEN 4 END;"
echo ""
echo "Vulnerabilities by Status:"
sqlite3 "$TRACKING_DB" "SELECT status, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' GROUP BY status;"
echo ""
echo "Top 10 Most Vulnerable Dependencies:"
sqlite3 "$TRACKING_DB" "SELECT dependency_name, COUNT(*) as vuln_count FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY dependency_name ORDER BY vuln_count DESC LIMIT 10;"
\\}
Main execution
echo "[+] OWASP Dependency-Check Vulnerability Tracking System"
Initialize database
init_database
Import scan results
if [ -f "$SCAN_RESULTS" ]; then import_scan_results "$PROJECT_NAME" "$SCAN_RESULTS" else echo "[-] Scan results file not found: $SCAN_RESULTS" fi
Generate tracking report
generate_tracking_report "$PROJECT_NAME"
Show statistics
show_statistics "$PROJECT_NAME"
echo "" echo "Vulnerability Management Commands:" echo "==================================" echo "Assign vulnerability: $0 manage assign CVE-2023-1234 'john.doe@company.com'" echo "Update status: $0 manage status CVE-2023-1234 'in-progress'" echo "Set due date: $0 manage due CVE-2023-1234 '2024-01-15'" echo "Add note: $0 manage note CVE-2023-1234 'Patch available in v2.1.0'" echo "" echo "Available statuses: open, in-progress, resolved, false-positive, accepted-risk" ```_
Integration mit anderen Tools
SonarQube Integration
```bash
Configure SonarQube with Dependency-Check
sonar.dependencyCheck.reportPath=dependency-check-report.xml sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
Run dependency check before SonarQube analysis
dependency-check --scan . --format XML --out . sonar-scanner ```_
JIRA Integration
```bash
Create JIRA tickets for vulnerabilities
curl -X POST \ -H "Content-Type: application/json" \ -u username:password \ -d '\\{ "fields": \\{ "project": \\{"key": "SEC"\\}, "summary": "Vulnerability: CVE-2023-1234", "description": "Critical vulnerability found in dependency", "issuetype": \\{"name": "Bug"\\}, "priority": \\{"name": "Critical"\\} \\} \\}' \ https://company.atlassian.net/rest/api/2/issue/ ```_
Slack Integration
```bash
Send vulnerability alerts to Slack
curl -X POST -H 'Content-type: application/json' \ --data '\\{"text":"🚨 Critical vulnerabilities found in MyProject"\\}' \ https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK ```_
Fehlerbehebung
Gemeinsame Themen
Probleme der Datenbankaktualisierung
```bash
Update NVD database manually
dependency-check --updateonly
Use specific database location
dependency-check --data /opt/dependency-check-data --updateonly
Check database status
dependency-check --scan . --out . -v|grep -i database ```_
Falsche Positive
```bash
Create suppression file
cat > suppressions.xml << 'EOF'
Use suppression file
dependency-check --scan . --suppression suppressions.xml --out . ```_
Leistungsfragen
```bash
Increase memory allocation
export JAVA_OPTS="-Xmx4g" dependency-check --scan . --out .
Use local database
dependency-check --data ./dependency-check-data --scan . --out .
Disable specific analyzers
dependency-check --scan . --disableAssembly --disableAutoconf --out . ```_
Netzwerkprobleme
```bash
Use proxy settings
dependency-check --scan . --proxyserver proxy.company.com --proxyport 8080 --out .
Use NVD API key to avoid rate limiting
dependency-check --scan . --nvdApiKey YOUR_API_KEY --out .
Work offline (requires pre-downloaded database)
dependency-check --scan . --noupdate --out . ```_
Leistungsoptimierung
```bash
Optimize for large projects
dependency-check --scan . \ --enableRetired false \ --enableExperimental false \ --disableOssIndex \ --out .
Use parallel processing
dependency-check --scan . --threads 4 --out .
Cache database for multiple scans
export DC_DATA_DIR=/opt/dependency-check-data dependency-check --data $DC_DATA_DIR --scan . --out . ```_
Ressourcen
- [OWASP Dependency-Check Official Site](LINK_7 -%20Dependency-Check%20GitHub%20Repository
- [Nationale Sicherheitsdatenbank](LINK_7 -%20(__LINK_7___)
- [Software Composition Analysis Guide](__LINK_7___ -%20OWASP%20Top%2010%20-%20Verwendung%20von%20Komponenten%20mit%20bekannten%20Schwachstellen
- Dependency-Check Jenkins Plugin
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von OWASP Dependency-Check für Software-Zusammensetzung Analyse und Sicherheitsmanagement. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor dem Scannen von Abhängigkeiten von Drittanbietern haben und die Sicherheitsrichtlinien Ihrer Organisation für Sicherheitsremediation verfolgen. *