In today’s fast-paced development world, security often takes a back seat to feature building. However, ensuring your React/Node.js application is secure should be a top priority! Security vulnerabilities in third-party dependencies can expose your app to serious threats. That’s where the OWASP Dependency-Check comes into play.
🚨 What is OWASP Dependency-Check?
OWASP Dependency-Check is a tool that identifies publicly disclosed vulnerabilities in your project’s dependencies. For Node.js projects it reads package.json and package-lock.json (npm-shrinkwrap.json too, and yarn.lock through its Yarn Audit Analyzer), and cross-references the packages it finds against known vulnerability sources such as the National Vulnerability Database (NVD) and the npm audit API.
Why Should You Care About Vulnerabilities?
Third-party dependencies are part of your attack surface: an outdated or vulnerable version in your dependency tree is exploitable in your application just as it is in the library itself.
Automated tools like OWASP Dependency-Check let you find known issues before an attacker does.
When developing software, we often have to use third-party npm packages. For example, to make an HTTP call to an API from our application we would pull in the Axios library. Before adopting a third-party library, though, it is important to check whether any security vulnerabilities have been publicly reported against it, and a tool can do that search for you. OWASP Dependency-Check is one such tool.
Here I will demonstrate how to use the command line tool of OWASP Dependency-Check to analyze external dependencies and generate a report based on the known vulnerabilities detected.
1) First, download the command-line tool (the zip archive) from the official OWASP Dependency-Check website.
2) Extract it and go to the dependency-check folder. In its bin directory you will find the executable scripts: dependency-check.bat runs the tool on Windows and dependency-check.sh runs it on Linux (and macOS).
3) Open a terminal in that directory and run the following:
./dependency-check.sh --project "<project_name>" --scan <folder containing 3rd party libraries> --out <folder to generate reports> --suppression <xml file containing suppressions>
Note: since Dependency-Check 9.0 the NVD data is fetched through the NVD API, and without an API key the download is heavily rate limited and can take hours. Request a free key from NVD and pass it with --nvdApiKey <key> so the first run completes in reasonable time.
--project: Name of the project; it appears in the report header. (optional)
--scan: Path to scan, either a folder containing the third-party dependencies or a specific file such as package-lock.json. Can be given more than once. (required)
--out: Folder where the vulnerability analysis reports are written; defaults to the current directory. (optional)
--suppression: XML suppression file listing findings to hide from the report, typically confirmed false positives. Can be given more than once. (optional)
The full list of command-line arguments is in the official documentation; ./dependency-check.sh --help prints the same list.
OWASP Dependency-Check includes a Node Package Analyzer that reads npm package specification files. It works together with the Node Audit Analyzer, which submits the lock file to the npm audit API, to build a bill of materials for a Node.js project. Because of that API call, the scan needs network access to the npm registry as well as to the NVD, and the Node Audit Analyzer has nothing to work with if the project has no lock file.
File types scanned: package.json, package-lock.json, npm-shrinkwrap.json
./dependency-check.sh --project demo_app --scan ~/react_learning/demo_app/package-lock.json --out ~/react_learning/demo_app/
When you run OWASP Dependency-Check for the very first time, it downloads the known-vulnerability data from the National Vulnerability Database (NVD) into a local database (by default an H2 database under the tool’s data folder; --data changes the location). That first run takes a while because the whole data set has to be downloaded; in CI, cache the data folder between runs so it is not downloaded every time.
By default the local database is treated as current for 4 hours (--cveValidForHours). If you run Dependency-Check again within 4 hours, it uses the local data as-is instead of checking NVD for updates.
Here the React app is in /home/user/react_learning/demo_app and the report (dependency-check-report.html, the default HTML format) is generated in the same directory.
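The steps above wrapped into a script, as an added example that is not part of the original post. It assumes the extracted tool folder is on PATH or named in DC_HOME, an NVD API key is exported as NVD_API_KEY, and FAIL_ON_CVSS (default 7) is the score at which the build should fail; the package name and CVE id in the suppression file are placeholders. The flags used (--scan and --format repeated, --failOnCVSS, --nvdApiKey) are real CLI options; the reports land in the --out folder as dependency-check-report.html and dependency-check-report.json.

```shell
#!/bin/sh
# Added example (not from the original post): a CI-style wrapper around the
# dependency-check CLI for a Node.js project. Assumptions: the extracted tool
# folder is on PATH or given in DC_HOME, an NVD API key is exported as
# NVD_API_KEY, and FAIL_ON_CVSS (default 7) is the CVSS score that fails the build.
set -eu

# The Node Audit Analyzer needs package-lock.json (or npm-shrinkwrap.json) to
# query the npm audit API; package.json alone only lists version ranges.
# Print the lock file path, or fail so the scan does not silently run half-blind.
lockfile_for() {
  for f in package-lock.json npm-shrinkwrap.json; do
    if [ -f "$1/$f" ]; then
      echo "$1/$f"
      return 0
    fi
  done
  echo "no package-lock.json or npm-shrinkwrap.json in $1; run 'npm install' first" >&2
  return 1
}

# Write a suppression file for the --suppression option. The package name and
# CVE id are placeholders to replace with the values from the report; the
# packageUrl regex keeps the suppression scoped to one package, so the same CVE
# is still reported if another dependency carries it.
write_suppressions() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Placeholder entry: record who reviewed the finding and why it is not exploitable here.</notes>
    <packageUrl regex="true">^pkg:npm/example-dev-tool@.*$</packageUrl>
    <cve>CVE-0000-0000</cve>
  </suppress>
</suppressions>
EOF
}

# Run the scan: HTML for people, JSON for tooling, and --failOnCVSS so the
# process exits non-zero (failing the CI job) when any finding meets the
# threshold. --nvdApiKey is passed only when a key is available.
run_scan() {
  project="$1"; dir="$2"; out="$3"
  lock=$(lockfile_for "$dir") || return 1
  mkdir -p "$out"
  write_suppressions "$out/suppressions.xml"
  dc="${DC_HOME:+$DC_HOME/bin/}dependency-check.sh"
  set -- --project "$project" \
         --scan "$dir/package.json" --scan "$lock" \
         --out "$out" --suppression "$out/suppressions.xml" \
         --format HTML --format JSON \
         --failOnCVSS "${FAIL_ON_CVSS:-7}"
  if [ -n "${NVD_API_KEY:-}" ]; then
    set -- "$@" --nvdApiKey "$NVD_API_KEY"
  fi
  if command -v "$dc" >/dev/null 2>&1; then
    "$dc" "$@"
  else
    echo "dependency-check.sh not found (set DC_HOME); would run: $dc $*" >&2
    return 127
  fi
}

# Usage: ./scan.sh <project_name> <project_dir> <report_dir>
if [ $# -ge 3 ]; then
  run_scan "$1" "$2" "$3"
fi
```

Commit the suppression file next to the project rather than generating it on every run, and review each entry's notes when a dependency is upgraded; a suppression that outlives the reason it was written hides real findings.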
Conclusion: Don’t Let Vulnerabilities Linger!
Your React/Node.js app’s security is only as strong as its weakest link, and that link is often a third-party dependency. Scanning your app regularly with OWASP Dependency-Check surfaces known vulnerabilities lurking in your dependency tree so you can upgrade before an attacker gets to them. Keep in mind what the tool can and cannot tell you: it only reports vulnerabilities that are already publicly disclosed, and a finding’s CVSS score describes the library, not whether the vulnerable code is reachable in your app, so triage each finding and record the reason for any suppression.
Make automated dependency scanning part of your build rather than an occasional chore; in web development, prevention is always cheaper than cure.
Top comments (3)
Great article to go through.
Thanks for that.
I hope a lot of people are going to try this, as you just showed how easy it is to use.
Thank you for the feedback❤️
How can one replicate this on github actions?