Aller au contenu

OWASP Contrôle de la dépendance Cheat Feuille

Copier toutes les commandes Générer PDF

Aperçu général

OWASP Dependency-Check est un outil d'analyse de la composition des logiciels (SCA) qui tente de détecter les vulnérabilités divulguées publiquement contenues dans les dépendances d'un projet. Il le fait en déterminant s'il y a un identifiant de dénombrement de la plate-forme commune (CPE) pour une dépendance donnée, et s'il est trouvé, il générera un rapport lié aux entrées associées de vulnérabilité commune et d'exposition (CVE). Supports de vérification de la dépendance Java, .NET, JavaScript, Python, Ruby, PHP et bien d'autres écosystèmes en font un outil essentiel pour identifier les vulnérabilités connues dans les composants et bibliothèques tiers utilisés dans les projets logiciels.

C'est pas vrai. Important: Dependency-Check identifie des vulnérabilités connues mais ne peut pas détecter des vulnérabilités à jour zéro ou des vulnérabilités de code personnalisées. Il devrait être utilisé dans le cadre d'une stratégie globale de tests de sécurité, parallèlement à l'analyse statique, aux tests dynamiques et à l'examen manuel du code.

Installation

Installation de la ligne de commande

Java/JAR Installation

# Download latest release
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.3/dependency-check-8.4.3-release.zip

# Extract
unzip dependency-check-8.4.3-release.zip

# Add to PATH
export PATH=$PATH:$(pwd)/dependency-check/bin

# Verify installation
dependency-check.sh --version

# Create permanent alias
echo 'export PATH=$PATH:/path/to/dependency-check/bin' >> ~/.bashrc
source ~/.bashrc

Installation Docker

# Pull official Docker image
docker pull owasp/dependency-check

# Run basic scan
docker run --rm -v $(pwd):/src owasp/dependency-check --scan /src --format ALL

# Create alias for easier usage
echo 'alias dependency-check="docker run --rm -v \$(pwd):/src owasp/dependency-check"' >> ~/.bashrc
source ~/.bashrc

# Run with custom output directory
docker run --rm -v $(pwd):/src -v $(pwd)/reports:/reports owasp/dependency-check --scan /src --out /reports
```_

#### Installation du gestionnaire de paquets

##### Ubuntu/Debian
```bash
# Install via snap
sudo snap install dependency-check

# Verify installation
dependency-check --version

# Alternative: Install via apt (if available)
sudo apt update
sudo apt install dependency-check
```_

##### MACOS
```bash
# Install via Homebrew
brew install dependency-check

# Verify installation
dependency-check --version

# Update to latest version
brew upgrade dependency-check
Fenêtres
# Download Windows release
# https://github.com/jeremylong/DependencyCheck/releases

# Extract to desired location
# Add bin directory to PATH environment variable

# Verify installation
dependency-check.bat --version

Intégration des outils de construction

Plugin Maven


<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.4.3</version>
    <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <format>ALL</format>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Greffon gradué

// Add to build.gradle
plugins \\\\{
    id 'org.owasp.dependencycheck' version '8.4.3'
\\\\}

dependencyCheck \\\\{
    failBuildOnCVSS = 7
    format = 'ALL'
    suppressionFile = 'dependency-check-suppressions.xml'
\\\\}

// Run scan
// ./gradlew dependencyCheckAnalyze

TBS Greffon

// Add to project/plugins.sbt
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "4.1.0")

// Add to build.sbt
dependencyCheckFailBuildOnCVSS := Some(7.0f)
dependencyCheckFormat := "ALL"

Tâche fourmi


<taskdef resource="dependency-check-ant-task.properties">
    <classpath>
        <pathelement location="dependency-check-ant-8.4.3.jar"/>
    </classpath>
</taskdef>

<target name="dependency-check">
    <dependency-check projectname="MyProject"
                     reportoutputdirectory="reports"
                     reportformat="ALL">
        <fileset dir="lib">
            <include name="**/*.jar"/>
        </fileset>
    </dependency-check>
</target>

Utilisation de base

Analyses simples

# Basic project scan
dependency-check --scan ./src --out ./reports

# Scan with project name
dependency-check --scan ./src --project "MyProject" --out ./reports

# Scan multiple directories
dependency-check --scan ./src --scan ./lib --scan ./vendor --out ./reports

# Scan with specific formats
dependency-check --scan ./src --format HTML --format JSON --format XML --out ./reports

# Scan with all formats
dependency-check --scan ./src --format ALL --out ./reports

Options avancées de numérisation

# Scan with CVSS threshold
dependency-check --scan ./src --failOnCVSS 7 --out ./reports

# Scan with custom database location
dependency-check --scan ./src --data ./dependency-check-data --out ./reports

# Scan with suppression file
dependency-check --scan ./src --suppression suppressions.xml --out ./reports

# Scan with custom NVD API key
dependency-check --scan ./src --nvdApiKey YOUR_API_KEY --out ./reports

# Verbose output
dependency-check --scan ./src --out ./reports -v

# Debug output
dependency-check --scan ./src --out ./reports -d

Scans linguistiques spécifiques

# Java/Maven project
dependency-check --scan ./pom.xml --out ./reports

# Node.js project
dependency-check --scan ./package.json --scan ./package-lock.json --out ./reports

# Python project
dependency-check --scan ./requirements.txt --scan ./Pipfile.lock --out ./reports

# .NET project
dependency-check --scan ./*.csproj --scan ./packages.config --out ./reports

# Ruby project
dependency-check --scan ./Gemfile.lock --out ./reports

# PHP project
dependency-check --scan ./composer.lock --out ./reports

# Go project
dependency-check --scan ./go.mod --scan ./go.sum --out ./reports

Configuration et personnalisation

Fichier de configuration

# Create configuration file
cat > dependency-check.properties << 'EOF'
# Database settings
data.directory=/opt/dependency-check-data
database.driver.name=org.h2.Driver
database.driver.path=/opt/dependency-check/h2-2.1.214.jar

# NVD settings
nvd.api.key=YOUR_NVD_API_KEY
nvd.api.delay=4000

# Analyzer settings
analyzer.jar.enabled=true
analyzer.node.js.enabled=true
analyzer.python.enabled=true
analyzer.ruby.enabled=true
analyzer.php.enabled=true
analyzer.dotnet.enabled=true

# Report settings
format=ALL
failOnCVSS=7

# Suppression settings
suppression.file=suppressions.xml
EOF

# Use configuration file
dependency-check --propertyfile dependency-check.properties --scan ./src --out ./reports

Fichier Suppression


<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <suppress>
        <notes>False positive - this vulnerability doesn't apply to our usage</notes>
        <filePath regex="true">.*jquery-3\.2\.1\.min\.js</filePath>
        <cve>CVE-2019-11358</cve>
    </suppress>

    <suppress>
        <notes>Legacy library - vulnerabilities accepted as risk</notes>
        <filePath regex="true">.*legacy-lib-1\.0\.jar</filePath>
    </suppress>

    <suppress>
        <notes>Not applicable to our environment</notes>
        <cpe>cpe:/a:apache:struts:2.3.20</cpe>
        <cve>CVE-2014-0094</cve>
    </suppress>

    <suppress until="2024-12-31">
        <notes>Temporary suppression - fix scheduled</notes>
        <filePath regex="true">.*vulnerable-component.*</filePath>
        <cvssBelow>4.0</cvssBelow>
    </suppress>

    <suppress>
        <notes>XSS not applicable in server-side context</notes>
        <filePath regex="true">.*server-side-lib.*</filePath>
        <vulnerabilityName regex="true">.*Cross-site Scripting.*</vulnerabilityName>
    </suppress>

</suppressions>

Analyseurs personnalisés

# Enable/disable specific analyzers
dependency-check --scan ./src \
    --enableRetired \
    --enableExperimental \
    --disableAssembly \
    --disableAutoconf \
    --out ./reports

# Configure analyzer-specific settings
dependency-check --scan ./src \
    --nodePackage ./package.json \
    --nodeAuditSkipDevDependencies \
    --bundleAuditPath /usr/local/bin/bundle-audit \
    --out ./reports

Scripts d'automatisation

Scanner de projet complet

#!/bin/bash
# Comprehensive dependency vulnerability scanner

PROJECT_DIR="$1"
OUTPUT_DIR="dependency_scan_$(date +%Y%m%d_%H%M%S)"
CVSS_THRESHOLD=7.0
SUPPRESSION_FILE="suppressions.xml"

if [ -z "$PROJECT_DIR" ]; then
    echo "Usage: $0 <project_directory>"
    echo "Example: $0 /path/to/project"
    exit 1
fi

if [ ! -d "$PROJECT_DIR" ]; then
    echo "Error: Project directory not found: $PROJECT_DIR"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

# Function to detect project type
detect_project_type() \\\\{
    local project_dir="$1"
    local project_types=()

    # Java/Maven
    if [ -f "$project_dir/pom.xml" ]; then
        project_types+=("maven")
    fi

    # Java/Gradle
    if [ -f "$project_dir/build.gradle" ]||[ -f "$project_dir/build.gradle.kts" ]; then
        project_types+=("gradle")
    fi

    # Node.js
    if [ -f "$project_dir/package.json" ]; then
        project_types+=("nodejs")
    fi

    # Python
    if [ -f "$project_dir/requirements.txt" ]||[ -f "$project_dir/Pipfile" ]||[ -f "$project_dir/setup.py" ]; then
        project_types+=("python")
    fi

    # .NET
    if find "$project_dir" -name "*.csproj" -o -name "*.vbproj" -o -name "*.fsproj"|grep -q .; then
        project_types+=("dotnet")
    fi

    # Ruby
    if [ -f "$project_dir/Gemfile" ]; then
        project_types+=("ruby")
    fi

    # PHP
    if [ -f "$project_dir/composer.json" ]; then
        project_types+=("php")
    fi

    # Go
    if [ -f "$project_dir/go.mod" ]; then
        project_types+=("go")
    fi

    echo "$\\\\{project_types[@]\\\\}"
\\\\}

# Function to run dependency check
run_dependency_check() \\\\{
    local scan_dir="$1"
    local project_name="$2"
    local output_dir="$3"

    echo "[+] Running dependency check for $project_name"

    local cmd="dependency-check"
    local args=(
        "--scan" "$scan_dir"
        "--project" "$project_name"
        "--out" "$output_dir"
        "--format" "ALL"
        "--failOnCVSS" "$CVSS_THRESHOLD"
        "--enableRetired"
        "--enableExperimental"
    )

    # Add suppression file if it exists
    if [ -f "$SUPPRESSION_FILE" ]; then
        args+=("--suppression" "$SUPPRESSION_FILE")
    fi

    # Add NVD API key if available
    if [ -n "$NVD_API_KEY" ]; then
        args+=("--nvdApiKey" "$NVD_API_KEY")
    fi

    # Run the scan
    "$cmd" "$\\\\{args[@]\\\\}" 2>&1|tee "$output_dir/scan.log"

    return $\\\\{PIPESTATUS[0]\\\\}
\\\\}

# Function to analyze results
analyze_results() \\\\{
    local output_dir="$1"
    local project_name="$2"

    echo "[+] Analyzing scan results"

    local json_report="$output_dir/dependency-check-report.json"
    local analysis_file="$output_dir/vulnerability_analysis.txt"

    if [ ! -f "$json_report" ]; then
        echo "[-] JSON report not found: $json_report"
        return 1
    fi

    # Extract vulnerability statistics
    cat > "$analysis_file" << EOF
Dependency Vulnerability Analysis
================================
Project: $project_name
Scan Date: $(date)
Output Directory: $output_dir

Vulnerability Summary:
EOF

    # Parse JSON report for statistics
    if command -v jq &> /dev/null; then
        echo "  [+] Parsing JSON report with jq"

        local total_deps=$(jq '.dependencies|length' "$json_report" 2>/dev/null||echo 0)
        local vulnerable_deps=$(jq '[.dependencies[]|select(.vulnerabilities|length > 0)]|length' "$json_report" 2>/dev/null||echo 0)
        local total_vulns=$(jq '[.dependencies[].vulnerabilities[]]|length' "$json_report" 2>/dev/null||echo 0)

        cat >> "$analysis_file" << EOF
- Total Dependencies: $total_deps
- Vulnerable Dependencies: $vulnerable_deps
- Total Vulnerabilities: $total_vulns

Vulnerability Breakdown by Severity:
EOF

        # Count vulnerabilities by severity
        jq -r '.dependencies[].vulnerabilities[]|.severity' "$json_report" 2>/dev/null|sort|uniq -c|while read count severity; do
            echo "- $severity: $count" >> "$analysis_file"
        done

        # High severity vulnerabilities
        echo "" >> "$analysis_file"
        echo "High Severity Vulnerabilities:" >> "$analysis_file"
        jq -r '.dependencies[]|select(.vulnerabilities[]|.severity == "HIGH")|.fileName + " - " + (.vulnerabilities[]|select(.severity == "HIGH")|.name)' "$json_report" 2>/dev/null >> "$analysis_file"

        # Critical severity vulnerabilities
        echo "" >> "$analysis_file"
        echo "Critical Severity Vulnerabilities:" >> "$analysis_file"
        jq -r '.dependencies[]|select(.vulnerabilities[]|.severity == "CRITICAL")|.fileName + " - " + (.vulnerabilities[]|select(.severity == "CRITICAL")|.name)' "$json_report" 2>/dev/null >> "$analysis_file"

    else
        echo "  [!] jq not available, using basic analysis"

        # Basic grep-based analysis
        grep -o '"severity":"[^"]*"' "$json_report"|cut -d'"' -f4|sort|uniq -c >> "$analysis_file"
    fi

    echo "  [+] Analysis completed: $analysis_file"
\\\\}

# Function to generate remediation report
generate_remediation_report() \\\\{
    local output_dir="$1"
    local project_name="$2"

    echo "[+] Generating remediation report"

    local json_report="$output_dir/dependency-check-report.json"
    local remediation_file="$output_dir/remediation_report.txt"

    if [ ! -f "$json_report" ]; then
        echo "[-] JSON report not found for remediation analysis"
        return 1
    fi

    cat > "$remediation_file" << EOF
Dependency Vulnerability Remediation Report
==========================================
Project: $project_name
Generated: $(date)

Recommended Actions:
EOF

    if command -v jq &> /dev/null; then
        # Extract vulnerable dependencies with remediation info
        jq -r '.dependencies[]|select(.vulnerabilities|length > 0)|
               "Dependency: " + .fileName +
               "\nVulnerabilities: " + (.vulnerabilities|length|tostring) +
               "\nHighest Severity: " + ([.vulnerabilities[].severity]|max) +
               "\nRecommendation: Update to latest version or find alternative\n---"' "$json_report" >> "$remediation_file"
    fi

    cat >> "$remediation_file" << EOF

General Remediation Steps:
1. Update vulnerable dependencies to latest versions
2. Check for security patches from vendors
3. Consider alternative libraries if updates unavailable
4. Implement additional security controls if updates not possible
5. Add suppressions for false positives with proper justification

Next Steps:
1. Review each vulnerable dependency
2. Check for available updates
3. Test updates in development environment
4. Plan deployment of security updates
5. Monitor for new vulnerabilities
EOF

    echo "  [+] Remediation report generated: $remediation_file"
\\\\}

# Function to create HTML dashboard
create_dashboard() \\\\{
    local output_dir="$1"
    local project_name="$2"
    local project_types="$3"

    echo "[+] Creating vulnerability dashboard"

    local dashboard_file="$output_dir/vulnerability_dashboard.html"
    local json_report="$output_dir/dependency-check-report.json"

    cat > "$dashboard_file" << EOF
<!DOCTYPE html>
<html>
<head>
    <title>Dependency Vulnerability Dashboard - $project_name</title>
    <style>
        body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
        .header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
        .section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
        .critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
        .high \\\\{ background-color: #fff3e0; border-color: #ff9800; \\\\}
        .medium \\\\{ background-color: #fff8e1; border-color: #ffc107; \\\\}
        .low \\\\{ background-color: #f3e5f5; border-color: #9c27b0; \\\\}
        .info \\\\{ background-color: #e3f2fd; border-color: #2196f3; \\\\}
        table \\\\{ border-collapse: collapse; width: 100%; \\\\}
        th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
        th \\\\{ background-color: #f2f2f2; \\\\}
        .severity-critical \\\\{ color: #d32f2f; font-weight: bold; \\\\}
        .severity-high \\\\{ color: #f57c00; font-weight: bold; \\\\}
        .severity-medium \\\\{ color: #fbc02d; font-weight: bold; \\\\}
        .severity-low \\\\{ color: #7b1fa2; \\\\}
        .chart \\\\{ margin: 20px 0; text-align: center; \\\\}
    </style>
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head>
<body>
    <div class="header">
        <h1>🔍 Dependency Vulnerability Dashboard</h1>
        <p><strong>Project:</strong> $project_name</p>
        <p><strong>Project Types:</strong> $project_types</p>
        <p><strong>Scan Date:</strong> $(date)</p>
        <p><strong>CVSS Threshold:</strong> $CVSS_THRESHOLD</p>
    </div>
EOF

    # Add vulnerability summary if JSON report exists
    if [ -f "$json_report" ] && command -v jq &> /dev/null; then
        local total_deps=$(jq '.dependencies|length' "$json_report" 2>/dev/null||echo 0)
        local vulnerable_deps=$(jq '[.dependencies[]|select(.vulnerabilities|length > 0)]|length' "$json_report" 2>/dev/null||echo 0)
        local total_vulns=$(jq '[.dependencies[].vulnerabilities[]]|length' "$json_report" 2>/dev/null||echo 0)

        cat >> "$dashboard_file" << EOF
    <div class="section info">
        <h2>📊 Vulnerability Summary</h2>
        <table>
            <tr><th>Metric</th><th>Count</th><th>Percentage</th></tr>
            <tr><td>Total Dependencies</td><td>$total_deps</td><td>100%</td></tr>
            <tr><td>Vulnerable Dependencies</td><td>$vulnerable_deps</td><td>$(echo "scale=1; $vulnerable_deps * 100 / $total_deps"|bc -l 2>/dev/null||echo "N/A")%</td></tr>
            <tr><td>Total Vulnerabilities</td><td>$total_vulns</td><td>-</td></tr>
        </table>
    </div>

    <div class="section">
        <h2>📈 Vulnerability Distribution</h2>
        <div class="chart">
            <canvas id="severityChart" width="400" height="200"></canvas>
        </div>
    </div>
EOF

        # Add severity breakdown
        cat >> "$dashboard_file" << EOF
    <div class="section">
        <h2>🎯 Vulnerabilities by Severity</h2>
        <table>
            <tr><th>Severity</th><th>Count</th><th>Action Required</th></tr>
EOF

        # Count vulnerabilities by severity
        for severity in CRITICAL HIGH MEDIUM LOW; do
            local count=$(jq "[.dependencies[].vulnerabilities[]|select(.severity == \"$severity\")]|length" "$json_report" 2>/dev/null||echo 0)
            local css_class="severity-$(echo $severity|tr '[:upper:]' '[:lower:]')"
            local action=""

            case $severity in
                CRITICAL) action="Immediate action required" ;;
                HIGH) action="Fix within 24-48 hours" ;;
                MEDIUM) action="Fix within 1 week" ;;
                LOW) action="Fix in next release cycle" ;;
            esac

            cat >> "$dashboard_file" << EOF
            <tr><td class="$css_class">$severity</td><td>$count</td><td>$action</td></tr>
EOF
        done

        cat >> "$dashboard_file" << EOF
        </table>
    </div>
EOF
    fi

    # Add file links
    cat >> "$dashboard_file" << EOF
    <div class="section">
        <h2>📁 Generated Reports</h2>
        <ul>
            <li><a href="dependency-check-report.html">HTML Report</a></li>
            <li><a href="dependency-check-report.json">JSON Report</a></li>
            <li><a href="dependency-check-report.xml">XML Report</a></li>
            <li><a href="vulnerability_analysis.txt">Vulnerability Analysis</a></li>
            <li><a href="remediation_report.txt">Remediation Report</a></li>
        </ul>
    </div>

    <div class="section">
        <h2>🔧 Recommended Actions</h2>
        <ol>
            <li><strong>Review Critical and High Severity Vulnerabilities:</strong> Address these immediately</li>
            <li><strong>Update Dependencies:</strong> Check for available updates for vulnerable components</li>
            <li><strong>Assess Risk:</strong> Evaluate the actual risk based on your application's usage</li>
            <li><strong>Implement Mitigations:</strong> Apply security controls if updates are not available</li>
            <li><strong>Monitor Continuously:</strong> Set up regular scans to catch new vulnerabilities</li>
        </ol>
    </div>

    <script>
        // Create severity distribution chart
        const ctx = document.getElementById('severityChart').getContext('2d');

        // This would be populated with actual data from the JSON report
        const severityData = \\\\{
            labels: ['Critical', 'High', 'Medium', 'Low'],
            datasets: [\\\\{
                label: 'Vulnerabilities by Severity',
                data: [0, 0, 0, 0], // Placeholder data
                backgroundColor: [
                    'rgba(211, 47, 47, 0.8)',
                    'rgba(245, 124, 0, 0.8)',
                    'rgba(251, 192, 45, 0.8)',
                    'rgba(123, 31, 162, 0.8)'
                ],
                borderColor: [
                    'rgba(211, 47, 47, 1)',
                    'rgba(245, 124, 0, 1)',
                    'rgba(251, 192, 45, 1)',
                    'rgba(123, 31, 162, 1)'
                ],
                borderWidth: 1
            \\\\}]
        \\\\};

        const chart = new Chart(ctx, \\\\{
            type: 'doughnut',
            data: severityData,
            options: \\\\{
                responsive: true,
                plugins: \\\\{
                    title: \\\\{
                        display: true,
                        text: 'Vulnerability Distribution by Severity'
                    \\\\},
                    legend: \\\\{
                        position: 'bottom'
                    \\\\}
                \\\\}
            \\\\}
        \\\\});
    </script>
</body>
</html>
EOF

    echo "  [+] Vulnerability dashboard created: $dashboard_file"
\\\\}

# Function to setup continuous monitoring
setup_monitoring() \\\\{
    local project_dir="$1"
    local project_name="$2"

    echo "[+] Setting up continuous monitoring"

    local monitor_script="$OUTPUT_DIR/monitor_dependencies.sh"

    cat > "$monitor_script" ``<< EOF
#!/bin/bash
# Continuous dependency monitoring script

PROJECT_DIR="$project_dir"
PROJECT_NAME="$project_name"
MONITOR_DIR="\$(dirname "\$0")/monitoring"
ALERT_EMAIL="security@company.com"

mkdir -p "\$MONITOR_DIR"

# Run dependency check
dependency-check --scan "\$PROJECT_DIR" \\
    --project "\$PROJECT_NAME" \\
    --out "\$MONITOR_DIR" \\
    --format JSON \\
    --failOnCVSS $CVSS_THRESHOLD

# Check for new vulnerabilities
if [ -f "\$MONITOR_DIR/dependency-check-report.json" ]; then
    VULN_COUNT=\$(jq '[.dependencies[].vulnerabilities[]]|length' "\$MONITOR_DIR/dependency-check-report.json" 2>``/dev/null||echo 0)

    if [ "\$VULN_COUNT" -gt 0 ]; then
        echo "[\$(date)] \$VULN_COUNT vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"

        # Send alert email (if mail is configured)
        if command -v mail &> /dev/null && [ -n "\$ALERT_EMAIL" ]; then
            echo "Dependency vulnerabilities detected in \$PROJECT_NAME. Check \$MONITOR_DIR for details."|\\
                mail -s "Dependency Alert: \$PROJECT_NAME" "\$ALERT_EMAIL"
        fi
    else
        echo "[\$(date)] No vulnerabilities found in \$PROJECT_NAME" >> "\$MONITOR_DIR/monitoring.log"
    fi
fi
EOF

    chmod +x "$monitor_script"

    # Create cron job suggestion
    cat > "$OUTPUT_DIR/cron_setup.txt" << EOF
To set up continuous monitoring, add this line to your crontab:

# Run dependency check daily at 2 AM
0 2 * * * $monitor_script

To edit crontab:
crontab -e

To view current crontab:
crontab -l
EOF

    echo "  [+] Monitoring script created: $monitor_script"
    echo "  [+] Cron setup instructions: $OUTPUT_DIR/cron_setup.txt"
\\\\}

# Main execution
echo "[+] Starting comprehensive dependency vulnerability scan"
echo "[+] Project directory: $PROJECT_DIR"
echo "[+] Output directory: $OUTPUT_DIR"
echo "[+] CVSS threshold: $CVSS_THRESHOLD"

# Check if dependency-check is available
if ! command -v dependency-check &> /dev/null; then
    echo "[-] dependency-check not found. Please install OWASP Dependency-Check."
    exit 1
fi

# Detect project types
PROJECT_TYPES=$(detect_project_type "$PROJECT_DIR")
if [ -z "$PROJECT_TYPES" ]; then
    echo "[!] No recognized project types found, scanning all files"
    PROJECT_TYPES="generic"
else
    echo "[+] Detected project types: $PROJECT_TYPES"
fi

# Extract project name from directory
PROJECT_NAME=$(basename "$PROJECT_DIR")

# Run dependency check
if run_dependency_check "$PROJECT_DIR" "$PROJECT_NAME" "$OUTPUT_DIR"; then
    echo "[+] Dependency check completed successfully"

    # Analyze results
    analyze_results "$OUTPUT_DIR" "$PROJECT_NAME"

    # Generate remediation report
    generate_remediation_report "$OUTPUT_DIR" "$PROJECT_NAME"

    # Create dashboard
    create_dashboard "$OUTPUT_DIR" "$PROJECT_NAME" "$PROJECT_TYPES"

    # Setup monitoring
    setup_monitoring "$PROJECT_DIR" "$PROJECT_NAME"

    echo "[+] Comprehensive scan completed successfully"
    echo "[+] Results saved in: $OUTPUT_DIR"
    echo "[+] Open $OUTPUT_DIR/vulnerability_dashboard.html for overview"
    echo "[+] Open $OUTPUT_DIR/dependency-check-report.html for detailed report"

else
    echo "[-] Dependency check failed"
    exit 1
fi

Script d'intégration CI/CD

#!/bin/bash
# CI/CD pipeline integration for dependency checking

PIPELINE_TYPE="$1"  # jenkins, gitlab, github, azure
PROJECT_DIR="$\\\\{2:-.\\\\}"
FAIL_ON_CVSS="$\\\\{3:-7.0\\\\}"

if [ -z "$PIPELINE_TYPE" ]; then
    echo "Usage: $0 <pipeline_type> [project_dir] [fail_on_cvss]"
    echo "Pipeline types: jenkins, gitlab, github, azure"
    exit 1
fi

# Function to generate Jenkins pipeline
generate_jenkins_pipeline() \\\\{
    cat > Jenkinsfile << 'EOF'
pipeline \\\\{
    agent any

    environment \\\\{
        DEPENDENCY_CHECK_HOME = '/opt/dependency-check'
    \\\\}

    stages \\\\{
        stage('Checkout') \\\\{
            steps \\\\{
                checkout scm
            \\\\}
        \\\\}

        stage('Dependency Check') \\\\{
            steps \\\\{
                script \\\\{
                    sh '''
                        $\\\\{DEPENDENCY_CHECK_HOME\\\\}/bin/dependency-check.sh \
                            --scan . \
                            --project "$\\\\{JOB_NAME\\\\}" \
                            --out dependency-check-reports \
                            --format ALL \
                            --failOnCVSS 7.0 \
                            --enableRetired \
                            --enableExperimental
                    '''
                \\\\}
            \\\\}
            post \\\\{
                always \\\\{
                    publishHTML([
                        allowMissing: false,
                        alwaysLinkToLastBuild: true,
                        keepAll: true,
                        reportDir: 'dependency-check-reports',
                        reportFiles: 'dependency-check-report.html',
                        reportName: 'Dependency Check Report'
                    ])

                    archiveArtifacts artifacts: 'dependency-check-reports/*', fingerprint: true
                \\\\}
            \\\\}
        \\\\}

        stage('Security Gate') \\\\{
            steps \\\\{
                script \\\\{
                    def reportFile = 'dependency-check-reports/dependency-check-report.json'
                    if (fileExists(reportFile)) \\\\{
                        def report = readJSON file: reportFile
                        def criticalVulns = 0
                        def highVulns = 0

                        report.dependencies.each \\\\{ dep ->
                            dep.vulnerabilities.each \\\\{ vuln ->
                                if (vuln.severity == 'CRITICAL') \\\\{
                                    criticalVulns++
                                \\\\} else if (vuln.severity == 'HIGH') \\\\{
                                    highVulns++
                                \\\\}
                            \\\\}
                        \\\\}

                        echo "Critical vulnerabilities: $\\\\{criticalVulns\\\\}"
                        echo "High vulnerabilities: $\\\\{highVulns\\\\}"

                        if (criticalVulns > 0) \\\\{
                            error("Build failed due to $\\\\{criticalVulns\\\\} critical vulnerabilities")
                        \\\\}

                        if (highVulns > 5) \\\\{
                            unstable("Build marked unstable due to $\\\\{highVulns\\\\} high vulnerabilities")
                        \\\\}
                    \\\\}
                \\\\}
            \\\\}
        \\\\}
    \\\\}

    post \\\\{
        failure \\\\{
            emailext (
                subject: "Dependency Check Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
                body: "The dependency check found critical vulnerabilities. Please check the report.",
                to: "$\\\\{env.CHANGE_AUTHOR_EMAIL\\\\}"
            )
        \\\\}
    \\\\}
\\\\}
EOF

    echo "[+] Jenkins pipeline generated: Jenkinsfile"
\\\\}

# Function to generate GitLab CI configuration
generate_gitlab_ci() \\\\{
    cat > .gitlab-ci.yml << 'EOF'
stages:
  - security
  - deploy

variables:
  DEPENDENCY_CHECK_VERSION: "8.4.3"

dependency_check:
  stage: security
  image: owasp/dependency-check:latest
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh
        --scan .
        --project "$CI_PROJECT_NAME"
        --out dependency-check-reports
        --format ALL
        --failOnCVSS 7.0
        --enableRetired
        --enableExperimental
  artifacts:
    reports:
      dependency_scanning: dependency-check-reports/dependency-check-report.json
    paths:
      - dependency-check-reports/
    expire_in: 1 week
  allow_failure: false
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_MERGE_REQUEST_ID

security_gate:
  stage: security
  image: alpine:latest
  dependencies:
    - dependency_check
  before_script:
    - apk add --no-cache jq
  script:
    -|
      if [ -f "dependency-check-reports/dependency-check-report.json" ]; then
        CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "CRITICAL")]|length' dependency-check-reports/dependency-check-report.json)
        HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "HIGH")]|length' dependency-check-reports/dependency-check-report.json)

        echo "Critical vulnerabilities: $CRITICAL_COUNT"
        echo "High vulnerabilities: $HIGH_COUNT"

        if [ "$CRITICAL_COUNT" -gt 0 ]; then
          echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
          exit 1
        fi

        if [ "$HIGH_COUNT" -gt 5 ]; then
          echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
        fi

        echo "✅ Security gate passed"
      else
        echo "❌ Dependency check report not found"
        exit 1
      fi
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_MERGE_REQUEST_ID
EOF

    echo "[+] GitLab CI configuration generated: .gitlab-ci.yml"
\\\\}

# Function to generate GitHub Actions workflow
generate_github_actions() \\\\{
    mkdir -p .github/workflows

    cat > .github/workflows/dependency-check.yml ``<< 'EOF'
name: Dependency Check

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM

jobs:
  dependency-check:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Dependency Check
      uses: dependency-check/Dependency-Check_Action@main
      with:
        project: $\\\{\\\{ github.repository \\\}\\\}
        path: '.'
        format: 'ALL'
        args: >``
          --enableRetired
          --enableExperimental
          --failOnCVSS 7.0

    - name: Upload results to GitHub Security
      if: always()
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: reports/dependency-check-report.sarif

    - name: Upload Dependency Check reports
      if: always()
      uses: actions/upload-artifact@v3
      with:
        name: dependency-check-reports
        path: reports/

    - name: Security Gate
      if: always()
      run:|
        if [ -f "reports/dependency-check-report.json" ]; then
          CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "CRITICAL")]|length' reports/dependency-check-report.json)
          HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "HIGH")]|length' reports/dependency-check-report.json)

          echo "Critical vulnerabilities: $CRITICAL_COUNT"
          echo "High vulnerabilities: $HIGH_COUNT"

          if [ "$CRITICAL_COUNT" -gt 0 ]; then
            echo "❌ Build failed due to $CRITICAL_COUNT critical vulnerabilities"
            exit 1
          fi

          if [ "$HIGH_COUNT" -gt 5 ]; then
            echo "⚠️ Warning: $HIGH_COUNT high vulnerabilities found"
          fi

          echo "✅ Security gate passed"
        else
          echo "❌ Dependency check report not found"
          exit 1
        fi

    - name: Comment PR
      if: github.event_name == 'pull_request' && always()
      uses: actions/github-script@v6
      with:
        script:|
          const fs = require('fs');
          const path = 'reports/dependency-check-report.json';

          if (fs.existsSync(path)) \\\\{
            const report = JSON.parse(fs.readFileSync(path, 'utf8'));
            let criticalCount = 0;
            let highCount = 0;

            report.dependencies.forEach(dep => \\\\{
              dep.vulnerabilities.forEach(vuln => \\\\{
                if (vuln.severity === 'CRITICAL') criticalCount++;
                if (vuln.severity === 'HIGH') highCount++;
              \\\\});
            \\\\});

            const comment = `## 🔍 Dependency Check Results

            - **Critical vulnerabilities:** $\\{criticalCount\\}
            - **High vulnerabilities:** $\\{highCount\\}
            - **Total dependencies:** $\\{report.dependencies.length\\}

            $\\{criticalCount > 0 ? '❌ **Action required:** Critical vulnerabilities found!' : '✅ No critical vulnerabilities found'\\}

            [View detailed report](https://github.com/$\\{\\{ github.repository \\}\\}/actions/runs/$\\{\\{ github.run_id \\}\\})`;

            github.rest.issues.createComment(\\\\{
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            \\\\});
          \\\\}
EOF

    echo "[+] GitHub Actions workflow generated: .github/workflows/dependency-check.yml"
\\\\}

# Function to generate Azure DevOps pipeline
generate_azure_pipeline() \\\\{
    cat > azure-pipelines.yml ``<< 'EOF'
trigger:
  branches:
    include:
    - main
    - develop

pr:
  branches:
    include:
    - main

schedules:
- cron: "0 2 * * *"
  displayName: Daily dependency check
  branches:
    include:
    - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  dependencyCheckVersion: '8.4.3'

stages:
- stage: SecurityScan
  displayName: 'Security Scanning'
  jobs:
  - job: DependencyCheck
    displayName: 'Dependency Check'
    steps:
    - task: Bash@3
      displayName: 'Download Dependency Check'
      inputs:
        targetType: 'inline'
        script:|
          wget https://github.com/jeremylong/DependencyCheck/releases/download/v$(dependencyCheckVersion)/dependency-check-$(dependencyCheckVersion)-release.zip
          unzip dependency-check-$(dependencyCheckVersion)-release.zip
          chmod +x dependency-check/bin/dependency-check.sh

    - task: Bash@3
      displayName: 'Run Dependency Check'
      inputs:
        targetType: 'inline'
        script:|
          ./dependency-check/bin/dependency-check.sh \
            --scan . \
            --project "$(Build.Repository.Name)" \
            --out dependency-check-reports \
            --format ALL \
            --failOnCVSS 7.0 \
            --enableRetired \
            --enableExperimental

    - task: PublishTestResults@2
      displayName: 'Publish Dependency Check Results'
      condition: always()
      inputs:
        testResultsFormat: 'JUnit'
        testResultsFiles: 'dependency-check-reports/dependency-check-junit.xml'
        testRunTitle: 'Dependency Check'

    - task: PublishHtmlReport@1
      displayName: 'Publish HTML Report'
      condition: always()
      inputs:
        reportDir: 'dependency-check-reports'
        tabName: 'Dependency Check'

    - task: Bash@3
      displayName: 'Security Gate'
      inputs:
        targetType: 'inline'
        script:|
          if [ -f "dependency-check-reports/dependency-check-report.json" ]; then
            CRITICAL_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "CRITICAL")]|length' dependency-check-reports/dependency-check-report.json)
            HIGH_COUNT=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "HIGH")]|length' dependency-check-reports/dependency-check-report.json)

            echo "Critical vulnerabilities: $CRITICAL_COUNT"
            echo "High vulnerabilities: $HIGH_COUNT"

            if [ "$CRITICAL_COUNT" -gt 0 ]; then
              echo "##vso[task.logissue type=error]Build failed due to $CRITICAL_COUNT critical vulnerabilities"
              exit 1
            fi

            if [ "$HIGH_COUNT" -gt 5 ]; then
              echo "##vso[task.logissue type=warning]$HIGH_COUNT high vulnerabilities found"
            fi

            echo "Security gate passed"
          else
            echo "##vso[task.logissue type=error]Dependency check report not found"
            exit 1
          fi

    - task: PublishBuildArtifacts@1
      displayName: 'Publish Artifacts'
      condition: always()
      inputs:
        pathToPublish: 'dependency-check-reports'
        artifactName: 'dependency-check-reports'
EOF

    echo "[+] Azure DevOps pipeline generated: azure-pipelines.yml"
\\\}

# Main execution
echo "[+] Generating CI/CD integration for $PIPELINE_TYPE"
echo "[+] Project directory: $PROJECT_DIR"
echo "[+] CVSS threshold: $FAIL_ON_CVSS"

case "$PIPELINE_TYPE" in
    "jenkins")
        generate_jenkins_pipeline
        ;;
    "gitlab")
        generate_gitlab_ci
        ;;
    "github")
        generate_github_actions
        ;;
    "azure")
        generate_azure_pipeline
        ;;
    *)
        echo "[-] Unknown pipeline type: $PIPELINE_TYPE"
        echo "Supported types: jenkins, gitlab, github, azure"
        exit 1
        ;;
esac

echo "[+] CI/CD integration files generated successfully"
echo "[+] Remember to:"
echo "    1. Adjust CVSS thresholds based on your security requirements"
echo "    2. Configure notification settings (email, Slack, etc.)"
echo "    3. Set up proper artifact storage and retention policies"
echo "    4. Test the pipeline in a development environment first"

Système de suivi de la vulnérabilité

#!/bin/bash
# Vulnerability tracking and management system

TRACKING_DB="vulnerability_tracking.db"
PROJECT_NAME="$1"
SCAN_RESULTS="$2"

if [ -z "$PROJECT_NAME" ]||[ -z "$SCAN_RESULTS" ]; then
    echo "Usage: $0 <project_name>`` <scan_results_json>"
    exit 1
fi

# Function to initialize tracking database
init_database() \\\\{
    echo "[+] Initializing vulnerability tracking database"

    sqlite3 "$TRACKING_DB" << 'EOF'
CREATE TABLE IF NOT EXISTS projects (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT UNIQUE NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE IF NOT EXISTS scans (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    project_id INTEGER,
    scan_date DATETIME DEFAULT CURRENT_TIMESTAMP,
    total_dependencies INTEGER,
    vulnerable_dependencies INTEGER,
    total_vulnerabilities INTEGER,
    critical_count INTEGER,
    high_count INTEGER,
    medium_count INTEGER,
    low_count INTEGER,
    FOREIGN KEY (project_id) REFERENCES projects (id)
);

CREATE TABLE IF NOT EXISTS vulnerabilities (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    scan_id INTEGER,
    cve_id TEXT,
    severity TEXT,
    score REAL,
    dependency_name TEXT,
    dependency_version TEXT,
    description TEXT,
    status TEXT DEFAULT 'open',
    assigned_to TEXT,
    due_date DATE,
    notes TEXT,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (scan_id) REFERENCES scans (id)
);

CREATE TABLE IF NOT EXISTS remediation_actions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    vulnerability_id INTEGER,
    action_type TEXT,
    description TEXT,
    implemented BOOLEAN DEFAULT FALSE,
    implementation_date DATETIME,
    verified BOOLEAN DEFAULT FALSE,
    verification_date DATETIME,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (vulnerability_id) REFERENCES vulnerabilities (id)
);
EOF

    echo "  [+] Database initialized: $TRACKING_DB"
\\\\}

# Function to import scan results
import_scan_results() \\\\{
    local project_name="$1"
    local results_file="$2"

    echo "[+] Importing scan results for $project_name"

    if [ ! -f "$results_file" ]; then
        echo "[-] Results file not found: $results_file"
        return 1
    fi

    # Insert or get project
    local project_id=$(sqlite3 "$TRACKING_DB" "INSERT OR IGNORE INTO projects (name) VALUES ('$project_name'); SELECT id FROM projects WHERE name = '$project_name';")

    # Parse scan results
    if command -v jq &> /dev/null; then
        local total_deps=$(jq '.dependencies|length' "$results_file")
        local vulnerable_deps=$(jq '[.dependencies[]|select(.vulnerabilities|length > 0)]|length' "$results_file")
        local total_vulns=$(jq '[.dependencies[].vulnerabilities[]]|length' "$results_file")
        local critical_count=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "CRITICAL")]|length' "$results_file")
        local high_count=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "HIGH")]|length' "$results_file")
        local medium_count=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "MEDIUM")]|length' "$results_file")
        local low_count=$(jq '[.dependencies[].vulnerabilities[]|select(.severity == "LOW")]|length' "$results_file")

        # Insert scan record
        local scan_id=$(sqlite3 "$TRACKING_DB" "INSERT INTO scans (project_id, total_dependencies, vulnerable_dependencies, total_vulnerabilities, critical_count, high_count, medium_count, low_count) VALUES ($project_id, $total_deps, $vulnerable_deps, $total_vulns, $critical_count, $high_count, $medium_count, $low_count); SELECT last_insert_rowid();")

        echo "  [+] Scan record created with ID: $scan_id"

        # Import individual vulnerabilities
        jq -r '.dependencies[]|select(.vulnerabilities|length > 0)|.fileName as $dep|.vulnerabilities[]|[$dep, .name, .severity, .cvssv3.baseScore // .cvssv2.score // 0, .description]|@csv' "$results_file"|while IFS=',' read -r dep_name cve_id severity score description; do
            # Clean up CSV fields
            dep_name=$(echo "$dep_name"|tr -d '"')
            cve_id=$(echo "$cve_id"|tr -d '"')
            severity=$(echo "$severity"|tr -d '"')
            description=$(echo "$description"|tr -d '"'|head -c 500)  # Limit description length

            sqlite3 "$TRACKING_DB" "INSERT INTO vulnerabilities (scan_id, cve_id, severity, score, dependency_name, description) VALUES ($scan_id, '$cve_id', '$severity', $score, '$dep_name', '$description');"
        done

        echo "  [+] Imported $total_vulns vulnerabilities"
    else
        echo "[-] jq not available for parsing JSON results"
        return 1
    fi
\\\\}

# Function to generate tracking report
generate_tracking_report() \\\\{
    local project_name="$1"
    local report_file="vulnerability_tracking_report.html"

    echo "[+] Generating vulnerability tracking report"

    cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
    <title>Vulnerability Tracking Report - $project_name</title>
    <style>
        body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
        .header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
        .section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
        .critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
        .high \\\\{ background-color: #fff3e0; border-color: #ff9800; \\\\}
        .medium \\\\{ background-color: #fff8e1; border-color: #ffc107; \\\\}
        .low \\\\{ background-color: #f3e5f5; border-color: #9c27b0; \\\\}
        table \\\\{ border-collapse: collapse; width: 100%; \\\\}
        th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
        th \\\\{ background-color: #f2f2f2; \\\\}
        .status-open \\\\{ color: #d32f2f; font-weight: bold; \\\\}
        .status-in-progress \\\\{ color: #f57c00; font-weight: bold; \\\\}
        .status-resolved \\\\{ color: #388e3c; font-weight: bold; \\\\}
        .chart \\\\{ margin: 20px 0; text-align: center; \\\\}
    </style>
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head>
<body>
    <div class="header">
        <h1>📊 Vulnerability Tracking Report</h1>
        <p><strong>Project:</strong> $project_name</p>
        <p><strong>Generated:</strong> $(date)</p>
    </div>
EOF

    # Add scan history
    cat >> "$report_file" << EOF
    <div class="section">
        <h2>📈 Scan History</h2>
        <table>
            <tr><th>Scan Date</th><th>Total Deps</th><th>Vulnerable Deps</th><th>Critical</th><th>High</th><th>Medium</th><th>Low</th></tr>
EOF

    sqlite3 "$TRACKING_DB" "SELECT scan_date, total_dependencies, vulnerable_dependencies, critical_count, high_count, medium_count, low_count FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 10;"|while IFS='|' read -r scan_date total_deps vuln_deps critical high medium low; do
        cat >> "$report_file" << EOF
            <tr><td>$scan_date</td><td>$total_deps</td><td>$vuln_deps</td><td>$critical</td><td>$high</td><td>$medium</td><td>$low</td></tr>
EOF
    done

    cat >> "$report_file" << EOF
        </table>
    </div>
EOF

    # Add current vulnerabilities by severity
    for severity in CRITICAL HIGH MEDIUM LOW; do
        local css_class=$(echo $severity|tr '[:upper:]' '[:lower:]')

        cat >> "$report_file" << EOF
    <div class="section $css_class">
        <h2>🔴 $severity Severity Vulnerabilities</h2>
        <table>
            <tr><th>CVE ID</th><th>Dependency</th><th>Score</th><th>Status</th><th>Assigned To</th><th>Due Date</th></tr>
EOF

        sqlite3 "$TRACKING_DB" "SELECT v.cve_id, v.dependency_name, v.score, v.status, v.assigned_to, v.due_date FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.severity = '$severity' AND v.status != 'resolved' ORDER BY v.score DESC;"|while IFS='|' read -r cve_id dep_name score status assigned_to due_date; do
            local status_class="status-$(echo $status|tr ' ' '-')"
            cat >> "$report_file" << EOF
            <tr><td>$cve_id</td><td>$dep_name</td><td>$score</td><td class="$status_class">$status</td><td>$assigned_to</td><td>$due_date</td></tr>
EOF
        done

        cat >> "$report_file" << EOF
        </table>
    </div>
EOF
    done

    cat >> "$report_file" << EOF
</body>
</html>
EOF

    echo "  [+] Tracking report generated: $report_file"
\\\\}

# Function to manage vulnerability status
manage_vulnerability() \\\\{
    local action="$1"
    local cve_id="$2"
    local value="$3"

    case "$action" in
        "assign")
            sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET assigned_to = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
            echo "[+] Assigned $cve_id to $value"
            ;;
        "status")
            sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET status = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
            echo "[+] Updated $cve_id status to $value"
            ;;
        "due")
            sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET due_date = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
            echo "[+] Set due date for $cve_id to $value"
            ;;
        "note")
            sqlite3 "$TRACKING_DB" "UPDATE vulnerabilities SET notes = '$value', updated_at = CURRENT_TIMESTAMP WHERE cve_id = '$cve_id';"
            echo "[+] Added note to $cve_id"
            ;;
        *)
            echo "Unknown action: $action"
            echo "Available actions: assign, status, due, note"
            ;;
    esac
\\\\}

# Function to show vulnerability statistics
show_statistics() \\\\{
    local project_name="$1"

    echo "[+] Vulnerability Statistics for $project_name"
    echo "=============================================="

    # Latest scan statistics
    sqlite3 "$TRACKING_DB" "SELECT 'Latest Scan:', scan_date FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"

    sqlite3 "$TRACKING_DB" "SELECT 'Total Dependencies:', total_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"

    sqlite3 "$TRACKING_DB" "SELECT 'Vulnerable Dependencies:', vulnerable_dependencies FROM scans s JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' ORDER BY scan_date DESC LIMIT 1;"

    echo ""
    echo "Vulnerabilities by Severity:"
    sqlite3 "$TRACKING_DB" "SELECT severity, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY severity ORDER BY CASE severity WHEN 'CRITICAL' THEN 1 WHEN 'HIGH' THEN 2 WHEN 'MEDIUM' THEN 3 WHEN 'LOW' THEN 4 END;"

    echo ""
    echo "Vulnerabilities by Status:"
    sqlite3 "$TRACKING_DB" "SELECT status, COUNT(*) FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' GROUP BY status;"

    echo ""
    echo "Top 10 Most Vulnerable Dependencies:"
    sqlite3 "$TRACKING_DB" "SELECT dependency_name, COUNT(*) as vuln_count FROM vulnerabilities v JOIN scans s ON v.scan_id = s.id JOIN projects p ON s.project_id = p.id WHERE p.name = '$project_name' AND v.status != 'resolved' GROUP BY dependency_name ORDER BY vuln_count DESC LIMIT 10;"
\\\\}

# Main execution
echo "[+] OWASP Dependency-Check Vulnerability Tracking System"

# Initialize database
init_database

# Import scan results
if [ -f "$SCAN_RESULTS" ]; then
    import_scan_results "$PROJECT_NAME" "$SCAN_RESULTS"
else
    echo "[-] Scan results file not found: $SCAN_RESULTS"
fi

# Generate tracking report
generate_tracking_report "$PROJECT_NAME"

# Show statistics
show_statistics "$PROJECT_NAME"

echo ""
echo "Vulnerability Management Commands:"
echo "=================================="
echo "Assign vulnerability:    $0 manage assign CVE-2023-1234 'john.doe@company.com'"
echo "Update status:          $0 manage status CVE-2023-1234 'in-progress'"
echo "Set due date:           $0 manage due CVE-2023-1234 '2024-01-15'"
echo "Add note:               $0 manage note CVE-2023-1234 'Patch available in v2.1.0'"
echo ""
echo "Available statuses: open, in-progress, resolved, false-positive, accepted-risk"

Intégration avec d'autres outils

Intégration SonarQube

# Configure SonarQube with Dependency-Check
sonar.dependencyCheck.reportPath=dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=dependency-check-report.html

# Run dependency check before SonarQube analysis
dependency-check --scan . --format XML --out .
sonar-scanner

Intégration JIRA

# Create JIRA tickets for vulnerabilities
curl -X POST \
  -H "Content-Type: application/json" \
  -u username:password \
  -d '\\\\{
    "fields": \\\\{
      "project": \\\\{"key": "SEC"\\\\},
      "summary": "Vulnerability: CVE-2023-1234",
      "description": "Critical vulnerability found in dependency",
      "issuetype": \\\\{"name": "Bug"\\\\},
      "priority": \\\\{"name": "Critical"\\\\}
    \\\\}
  \\\\}' \
  https://company.atlassian.net/rest/api/2/issue/

Intégration Slack

# Send vulnerability alerts to Slack
curl -X POST -H 'Content-type: application/json' \
  --data '\\\\{"text":"🚨 Critical vulnerabilities found in MyProject"\\\\}' \
  https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK

Dépannage

Questions communes

Problèmes de mise à jour de la base de données

# Update NVD database manually
dependency-check --updateonly

# Use specific database location
dependency-check --data /opt/dependency-check-data --updateonly

# Check database status
dependency-check --scan . --out . -v|grep -i database

Faux positifs

# Create suppression file
cat > suppressions.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes>False positive - not applicable</notes>
        <filePath regex="true">.*jquery.*</filePath>
        <cve>CVE-2019-11358</cve>
    </suppress>
</suppressions>
EOF

# Use suppression file
dependency-check --scan . --suppression suppressions.xml --out .

Problèmes de performance

# Increase memory allocation
export JAVA_OPTS="-Xmx4g"
dependency-check --scan . --out .

# Use local database
dependency-check --data ./dependency-check-data --scan . --out .

# Disable specific analyzers
dependency-check --scan . --disableAssembly --disableAutoconf --out .

Questions relatives aux réseaux

# Use proxy settings
dependency-check --scan . --proxyserver proxy.company.com --proxyport 8080 --out .

# Use NVD API key to avoid rate limiting
dependency-check --scan . --nvdApiKey YOUR_API_KEY --out .

# Work offline (requires pre-downloaded database)
dependency-check --scan . --noupdate --out .

Optimisation des performances

# Optimize for large projects
dependency-check --scan . \
  --enableRetired false \
  --enableExperimental false \
  --disableOssIndex \
  --out .

# Use parallel processing
dependency-check --scan . --threads 4 --out .

# Cache database for multiple scans
export DC_DATA_DIR=/opt/dependency-check-data
dependency-check --data $DC_DATA_DIR --scan . --out .

Ressources

  • [Site officiel de vérification de la dépendance du PAEO] (LINK_7)
  • [Dépendance-Vérifier le dépôt GitHub] (LINK_7)
  • [Base de données nationales sur la vulnérabilité] (LINK_7)
  • [Système commun de notation des vulnérabilités] (LINK_7)
  • [Guide d'analyse de la composition des logiciels] (LINK_7)
  • [OWASP Top 10 - Utilisation de composants présentant des vulnérabilités connues] (LINK_7)
  • [Greffin de contrôle de la dépendance Jenkins] (LINK_7)

*Cette feuille de triche fournit une référence complète pour l'utilisation de OWASP Dependency-Check pour l'analyse de la composition logicielle et la gestion de la vulnérabilité. Assurez-vous toujours d'avoir une autorisation appropriée avant de scanner les dépendances de tiers et suivez les politiques de sécurité de votre organisation pour l'assainissement de la vulnérabilité. *