1. Overview
During application development, we typically add third-party libraries or frameworks to our projects. These libraries reduce our development effort, but they can also introduce security risks through vulnerabilities in their own code.
In this tutorial, we’ll introduce a plugin that can help us identify known vulnerabilities in our application.
2. Dependency-Check
The plugin that we’ll adopt is OWASP Dependency-Check. It is a software composition analysis tool that identifies application dependencies with known vulnerabilities by correlating them with Common Platform Enumeration (CPE) identifiers and Common Vulnerabilities and Exposures (CVE) entries.
CPE is a structured naming scheme for software products and packages, while CVE provides public reference identifiers for known vulnerabilities and exposures.
The plugin automatically updates these entries via the National Vulnerability Database (NVD) data feeds provided by NIST. In addition to the Maven plugin, it also provides other integrations, such as a Gradle plugin.
3. Maven Setup
In this tutorial, let’s look into the Maven integration with our application. First, we need to include the Dependency-Check plugin within the plugins section in our pom.xml file:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>11.1.1</version>
    <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Once we’ve included this plugin, we can run it by invoking the verify phase, since the check goal is bound to that phase by default:
$ mvn verify
Or, we can invoke it directly via:
$ mvn dependency-check:check
If any of our dependencies has a known vulnerability, we’ll see a console message from Maven indicating which packages are affected. Let’s see an example:
[WARNING]
One or more dependencies were identified with known vulnerabilities in dependency-check:
logback-core-1.5.6.jar (pkg:maven/ch.qos.logback/logback-core@1.5.6, cpe:2.3:a:qos:logback:1.5.6:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
In addition, the plugin creates an HTML report that contains the details of the vulnerabilities it found. The file is named dependency-check-report.html and is written to the build folder (target by default).
4. CVSS Score
Let’s jump into the report and dive into the details of a component vulnerability. We can see that each vulnerability is associated with a Common Vulnerability Scoring System (CVSS) score:
CVSS is a standard for measuring the severity of vulnerabilities. The score ranges from 0 to 10, where a higher score indicates a more severe vulnerability.
The Maven plugin has an option called failBuildOnCVSS, which fails the build if any component has a vulnerability whose CVSS score is greater than or equal to the configured threshold. In our example, we use 7 so that the build doesn’t fail with the current set of dependencies. A score of 7 or higher is generally considered high severity.
The highest CVSS score that we saw in the previous report is 5.9. Now, let’s update the failBuildOnCVSS option to 5.0 and execute the plugin again. Maven will fail the build this time:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:11.1.1:check (default-cli) on project dependency-check:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '5.0':
[ERROR]
[ERROR] logback-core-1.5.6.jar: CVE-2024-12798(5.900000095367432)
[ERROR]
[ERROR] See the dependency-check report for more details.
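To make the threshold semantics concrete, here is an added example (not part of the original article or of the Dependency-Check project) that re-implements the failBuildOnCVSS gate over a report. It assumes the JSON report format the plugin can also emit, with a constructed sample whose field names (dependencies, fileName, vulnerabilities, cvssv3.baseScore, cvssv2.score) are an assumption here, since the article only shows the HTML report; the scores mirror the logback-core finding above.

```python
"""Re-implement the failBuildOnCVSS gate over a Dependency-Check style JSON report."""
import json

# Constructed sample in the assumed shape of dependency-check's JSON report.
# The 5.900000095367432 value reproduces the float32 artefact seen in the
# plugin's console output for CVE-2024-12798.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "logback-core-1.5.6.jar",
            "vulnerabilities": [
                {"name": "CVE-2024-12798", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.900000095367432}},
                {"name": "CVE-2024-12801", "severity": "LOW",
                 "cvssv3": {"baseScore": 2.4}},
            ],
        },
        {"fileName": "commons-lang3-3.14.0.jar"},  # dependency with no findings
    ]
})


def highest_score(vuln: dict) -> float:
    """Highest base score across whichever CVSS versions a finding carries."""
    candidates = [
        vuln.get("cvssv4", {}).get("baseScore"),
        vuln.get("cvssv3", {}).get("baseScore"),
        vuln.get("cvssv2", {}).get("score"),
    ]
    present = [float(s) for s in candidates if s is not None]
    return max(present) if present else 0.0


def findings_at_or_above(report_json: str, threshold: float) -> list:
    """Return (jar, CVE, score) triples that would trip failBuildOnCVSS=threshold.
    The comparison is >=, matching the plugin's error message. Rounding to one
    decimal is this example's choice so that 5.900000095 compares as 5.9."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = round(highest_score(vuln), 1)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def build_passes(report_json: str, threshold: float) -> bool:
    """True when no finding reaches the threshold, i.e. the build would succeed."""
    return not findings_at_or_above(report_json, threshold)


if __name__ == "__main__":
    for threshold in (7.0, 5.0):
        hits = findings_at_or_above(SAMPLE_REPORT, threshold)
        print(f"failBuildOnCVSS={threshold}: {'PASS' if not hits else 'FAIL'} {hits}")
```

With the sample data, a threshold of 7 passes and a threshold of 5.0 fails on CVE-2024-12798 only, which is the same outcome the two Maven runs above produced.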
5. Conclusion
Incorporating third-party libraries can speed up application development but could introduce vulnerabilities. The OWASP Dependency-Check plugin can help identify the vulnerable dependencies based on CPE and CVE data.
We can integrate it into Maven to find vulnerable components automatically and even fail the build if any dependency has a vulnerability whose CVSS score reaches the configured threshold.
As always, the full example can be found over on GitHub.