We use dependencies in all our software projects.
However, dependencies can themselves introduce vulnerabilities into our software. 💉
Therefore, we should check for known security issues before adding or updating any dependency in a project.
OWASP Dependency Check is a tool that analyzes dependencies and checks for known issues.
You can access it through the following link:
https://owasp.org/www-project-dependency-check
Once you reach this page, click on the “Command Line” link to download the script used for analyzing our dependencies.
After downloading the file, extract the zip file and locate the ‘bin’ directory.
Inside the bin directory, you will find a file named dependency-check.sh.
Note: you need a Java runtime installed on your computer for this tool to work properly.
Once you have the Java runtime installed, you can go ahead and run this command:
bash pathtoYourFile/dependency-check.sh --project test --scan pathToYourProject
The result you will get:
To understand how to read this report, you can visit the following link:
report
The most important information you should look for includes Evidence Count and CPE Confidence. These two factors together will indicate if any dependencies have issues.
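As an added example (not part of the original post and not code from the Dependency-Check project), the script below covers both steps above: it builds the scan command from the post, extended with the tool's real `--format JSON` and `--out` options so the report can be processed by a program, and then reads the resulting JSON to pull out the Evidence Count and CPE Confidence for each dependency. The report structure it relies on (a top-level `dependencies` list with `evidenceCollected`, `vulnerabilityIds` and `vulnerabilities` entries) is assumed to match the tool's JSON schema; the embedded report, the dependency names and the CVE id are constructed placeholders.

```python
"""Triage helper for an OWASP Dependency-Check JSON report.

Added example; not code from the original post or from the Dependency-Check project.
Assumes the scan was run with `--format JSON --out <dir>` (both real flags) and that
the JSON follows the tool's report schema: a top-level "dependencies" list whose
entries carry "evidenceCollected" (vendor/product/versionEvidence lists),
"vulnerabilityIds" (CPE matches, each with a "confidence") and "vulnerabilities".
"""
import json
import shlex

# Confidence levels as Dependency-Check reports them, ranked lowest to highest.
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}

# Constructed sample report: two hypothetical dependencies; the CVE id is a placeholder.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.2.3.jar",
            "evidenceCollected": {
                "vendorEvidence": [
                    {"type": "vendor", "confidence": "HIGH", "source": "file",
                     "name": "name", "value": "example_vendor"}],
                "productEvidence": [
                    {"type": "product", "confidence": "HIGH", "source": "file",
                     "name": "name", "value": "example_lib"},
                    {"type": "product", "confidence": "MEDIUM", "source": "Manifest",
                     "name": "Implementation-Title", "value": "example-lib"}],
                "versionEvidence": [
                    {"type": "version", "confidence": "HIGHEST", "source": "file",
                     "name": "version", "value": "1.2.3"}],
            },
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:example_vendor:example_lib:1.2.3:*:*:*:*:*:*:*",
                 "confidence": "HIGHEST"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-PLACEHOLDER-0001", "severity": "HIGH"}],
        },
        {
            "fileName": "clean-util-4.0.0.jar",
            "evidenceCollected": {
                "vendorEvidence": [],
                "productEvidence": [
                    {"type": "product", "confidence": "LOW", "source": "file",
                     "name": "name", "value": "clean-util"}],
                "versionEvidence": [],
            },
            "vulnerabilityIds": [],
            "vulnerabilities": [],
        },
    ],
})


def build_scan_command(script_path, project_name, scan_path, out_dir):
    """argv for a JSON-format scan; every flag here is a real Dependency-Check option."""
    return ["bash", script_path, "--project", project_name, "--scan", scan_path,
            "--format", "JSON", "--out", out_dir]


def evidence_count(dep):
    """Evidence Count: how many vendor/product/version clues the tool collected."""
    ev = dep.get("evidenceCollected", {})
    return sum(len(ev.get(k, [])) for k in ("vendorEvidence", "productEvidence", "versionEvidence"))


def highest_cpe_confidence(dep):
    """CPE Confidence: the strongest confidence among the CPE identifiers matched, or None."""
    levels = [i.get("confidence", "LOW") for i in dep.get("vulnerabilityIds", [])]
    return max(levels, key=lambda c: CONFIDENCE_RANK.get(c, 0)) if levels else None


def summarize(report_text):
    """One row per dependency with the two fields the post says to look at first."""
    report = json.loads(report_text)
    return [{
        "file": dep.get("fileName"),
        "evidence_count": evidence_count(dep),
        "cpe_confidence": highest_cpe_confidence(dep),
        "vulnerabilities": [v.get("name") for v in dep.get("vulnerabilities", [])],
    } for dep in report.get("dependencies", [])]


def needs_review(row, min_confidence="HIGH"):
    """True when the CPE match is at least min_confidence AND CVEs are attached.

    A weak CPE match with CVEs is often a misidentified library, so it is not flagged
    by default; lower min_confidence to widen the net."""
    conf = row["cpe_confidence"]
    strong = conf is not None and CONFIDENCE_RANK.get(conf, 0) >= CONFIDENCE_RANK[min_confidence]
    return strong and bool(row["vulnerabilities"])


if __name__ == "__main__":
    # Hypothetical paths; the JSON report is expected as dependency-check-report.json in out_dir.
    print(shlex.join(build_scan_command("./bin/dependency-check.sh", "test", "./my-project", "./reports")))
    for row in summarize(SAMPLE_REPORT):
        flag = "REVIEW" if needs_review(row) else "ok"
        print(f"{flag:6} {row['file']}: evidence={row['evidence_count']} "
              f"cpe_confidence={row['cpe_confidence']} cves={row['vulnerabilities']}")
```

Run the printed command first, then point `summarize()` at the JSON file the tool writes into the `--out` directory. The `needs_review` rule encodes the post's advice: a dependency is worth a closer look when the CPE match is confident and vulnerabilities are attached, while a low-confidence match with few pieces of evidence is more likely a misidentified library than a real finding.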
In addition, tools such as Snyk or Burp Suite can be used to keep track of the dependencies of a project.
How else can you manage the dependencies in your project ? 🧐