How to detect known vulnerabilities in Java or C# libraries?
The objective of this article is to share one tool that can help detect known CVEs (Common Vulnerabilities and Exposures) in the Java or C# libraries your application uses.
- What security issue can arise from using a third-party library?
- How to use the tool?
- What information can it report?
Security Issue – “Known Vulnerability”
Exploiting a known vulnerability is one of the most common ways an attacker compromises an application. Therefore, whenever our application uses an external third-party library, we need to check whether that library contains a known vulnerability.
Known vulnerabilities are catalogued as CVE entries (Common Vulnerabilities and Exposures):
- https://cve.mitre.org/
Scanning tool to detect CVEs in third-party libraries
There is a project run by OWASP called "Dependency-Check". It scans the C# or Java library files to identify their vendor, product and version, and then reports whether any known vulnerability (CVE) is recorded for those library versions.
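To make the identification step concrete, here is a toy version of what the scanner does. This is an added example and not code from the original post or from the OWASP project: it extracts product and version from library file names and looks them up in a constructed, offline vulnerability table, whereas the real tool also uses manifests and file hashes as evidence and matches against the NVD CVE feed.

```python
"""Toy illustration of the identify-then-match step a dependency scanner performs."""
import re

# Constructed sample data for this example only: (product, first affected
# version, first fixed version, identifier). The identifiers are placeholders,
# not real CVE numbers; the real tool downloads this data from the NVD feed.
KNOWN_VULNS = [
    ("commons-collections", "3.0", "3.2.2", "CVE-EXAMPLE-0001"),
    ("commons-collections", "4.0", "4.1", "CVE-EXAMPLE-0002"),
    ("log4j", "1.2.0", "1.2.18", "CVE-EXAMPLE-0003"),
]

# Matches names such as "commons-collections-3.2.1.jar" or "log4j-1.2.17.jar".
# A .NET assembly without a version in its name (e.g. "Foo.dll") does not match;
# the real scanner reads the assembly metadata instead, which this toy skips.
LIB_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*(?:[-.][A-Za-z]\w*)?)"
    r"\.(?:jar|dll)$"
)


def version_key(version):
    """Turn '3.2.1' or '1.2.17-SNAPSHOT' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_library(filename):
    """Return (product, version) from a library file name, or None if unknown."""
    match = LIB_RE.match(filename)
    if match is None:
        return None
    return match.group("name").lower(), match.group("version")


def find_vulnerabilities(filename):
    """Return the identifiers whose affected range covers this library's version."""
    parsed = parse_library(filename)
    if parsed is None:
        return []
    product, version = parsed
    key = version_key(version)
    return [
        ident for (prod, low, fixed, ident) in KNOWN_VULNS
        if prod == product and version_key(low) <= key < version_key(fixed)
    ]


def scan_listing(filenames):
    """Report {filename: [identifiers]} for every library with at least one match."""
    return {f: find_vulnerabilities(f) for f in filenames if find_vulnerabilities(f)}
```

Because the match is driven by the version string, a library renamed without its version (or a repackaged "fat" jar) can slip past name-based identification, which is why the real tool also relies on manifest and hash evidence.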
Where to download it?
http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.2.9-release.zip
Once the zip is downloaded, unzip it to a folder of your choice and run the following command from that folder:
Windows
dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
Mac or Linux
dependency-check.sh --app "My App Name" --scan "/java/application/lib"
Scanning Results
See the following sample report for the scanning results:
http://jeremylong.github.io/DependencyCheck/SampleReport.html
Reference
http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html