Pre:

SDL中使用到Dependency-Check工具对源代码的第三方依赖库进行扫描。

简介:

OWASP是开源的、非盈利的全球性安全组织，致力于应用软件的安全研究。OWASP的使命是使应用软件更加安全，使企业和组织能够对应用安全风险作出更清晰的决策。

OWASP的研究成果被美、欧、日等多个国家的32个政府与行业组织机构引用成为近百项国际法规、标准、指南和行业行为准则。

Dependency-Check是OWASP（Open Web Application Security Project）的一个实用开源程序，用于识别项目依赖项并检查是否存在任何已知的，公开披露的漏洞。

目前，已支持Java、.NET、Ruby、PHP、Node.js、Python等语言编写的程序，并为C/C++构建系统（autoconf和cmake）提供了有限的支持。而且该工具还是OWASP Top 10的解决方案的一部分。

Dependency-Check支持面广（支持多种语言）、可集成性强，作为一款开源工具，在多年来的发展中已经支持和许多主流的软件进行集成，比如：命令行、Ant、Maven、Gradle、Jenkins、Sonar等；具备使用方便，落地简单等优势。

实现原理:

依赖性检查可用于扫描应用程序（及其依赖库），执行检查时会将 Common Platform Enumeration (CPE)美国国家漏洞数据库及NPM Public Advisories库下载到本地，再通过核心引擎中的一系列分析器检查项目依赖性，收集有关依赖项的信息，然后根据收集的依赖项信息与本地的CPE&NPM库数据进行对比，如果检查发现扫描的组件存在已知的易受攻击的漏洞则标识，最后生成报告进行展示。

命令参数:

.\dependency-check.bat --help

usage: Dependency-Check Core [--advancedHelp] [--enableExperimental]
       [--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h]
       [--junitFailOnCVSS <score>] [-l <file>] [-n] [-o <path>]
       [--prettyPrint] [--project <name>] [-s <path>] [--suppression
       <file>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE
vulnerabilities in libraries utilized by an application. Dependency-Check
Core will automatically update required data from the Internet, such as
the CVE and CPE data files from nvd.nist.gov.

    --advancedHelp              Print the advanced help message.
    --enableExperimental        Enables the experimental analyzers.
    --exclude <pattern>         Specify an exclusion pattern. This option
                                can be specified multiple times and it
                                accepts Ant style exclusions.
 -f,--format <format>           The report format (HTML, XML, CSV, JSON,
                                JUNIT, or ALL). The default is HTML.
                                Multiple format parameters can be
                                specified.
    --failOnCVSS <score>        Specifies if the build should be failed if
                                a CVSS score above a specified level is
                                identified. The default is 11; since the
                                CVSS scores are 0-10, by default the build
                                will never fail.
 -h,--help                      Print this message.
    --junitFailOnCVSS <score>   Specifies the CVSS score that is
                                considered a failure when generating the
                                junit report. The default is 0.
 -l,--log <file>                The file path to write verbose logging
                                information.
 -n,--noupdate                  Disables the automatic updating of the CPE
                                data.
 -o,--out <path>                The folder to write reports to. This
                                defaults to the current directory. It is
                                possible to set this to a specific file
                                name if the format argument is not set to
                                ALL.
    --prettyPrint               When specified the JSON and XML report
                                formats will be pretty printed.
    --project <name>            The name of the project being scanned.
 -s,--scan <path>               The path to scan - this option can be
                                specified multiple times. Ant style paths
                                are supported (e.g. 'path/**/*.jar'); if
                                using Ant style paths it is highly
                                recommended to quote the argument value.
    --suppression <file>        The file path to the suppression XML file.
                                This can be specified more then once to
                                utilize multiple suppression files
 -v,--version                   Print the version information.

我使用的扫描命令:

1 2	# -n 是不开启自动更新 sh /opt/devsecops/tools/dependency-check/bin/dependency-check.sh -f 'JSON' -n --project 'dc_check' --scan /opt/xxx/jar_lib --out /opt/xxx/dc.json

使用的更新命令:

1 2	# 仅更新 sh /opt/devsecops/tools/dependency-check/bin/dependency-check.sh --updateonly

结果解析:

对dc的扫描结果json进行解析

json整体结构:

{
   "reportSchema": "1.1", # 报告结构
   "scanInfo": {...}, # 扫描信息
   "projectInfo": {...}, # 项目信息
   "dependencies": [...],# 依赖信息
}

最主要是依赖信息的那一项

报告结构、扫描信息、项目信息

这里面没有什么重要的信息。可略过

依赖信息:

整体结构:

{
     "isVirtual": false,
     "fileName": "jackson-databind-2.9.0.pr4.jar", # 文件名
     "filePath": "\/opt\/devsecops\/logs\/ec-cart_V20200814024805\/jar_lib\/jackson-databind-2.9.0.pr4.jar", # 文件路径
     "md5": "a1a9284e812952d15736794ef252dfd9", # md5值
     "sha1": "e96baca7953374a502eb995d3901cad7580d3741",
     "sha256": "b9f004b868004f84745ff844a9e0f05367cd5b8dc1a69944bebdec035ea00146",
     "description": "General data-binding functionality for Jackson: works on core streaming API", # 该jar包的作用描述
     "license": "http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt",
     "evidenceCollected": {...},# 依据信息
     "packages": [...], # 
     "vulnerabilityIds": [...], # cpe表达式
      "vulnerabilities": [...],
}

evidenceCollected依据信息:

结构:

详细内容:

从各种来源来判断这个组件的vendor(供应商)、Product(产品名)、Version(版本号)

packages&vulnerabilityIds:

这两项主要是通过pkg、cpe表达式识别标识的信息

其中vulnerabilityIds->confidence里的是这个风险的可信度

为了减少误报,我们一般选择HIGHEST和HIGH的可信度的风险信息。

vulnerabilities漏洞信息：

vulnerabilities是一个漏洞列表，里面包含了某组件当前版本涉及到的所有cve

以jackson-databind-2.9.0.pr4.jar为例,它的内容如下

{
         "source": "NVD",
         "name": "CVE-2017-17485", # cve编号
         "severity": "CRITICAL", # 风险等级
         "cvssv2": {
           "score": 7.5,  # cvss v2的评分
           "accessVector": "NETWORK",
           "accessComplexity": "LOW",
           "authenticationr": "NONE",
           "confidentialImpact": "PARTIAL",
           "integrityImpact": "PARTIAL",
           "availabilityImpact": "PARTIAL",
           "severity": "HIGH"
         },
         "cvssv3": {
           "baseScore": 9.8, # cvss v3的评分
           "attackVector": "NETWORK",
           "attackComplexity": "LOW",
           "privilegesRequired": "NONE",
           "userInteraction": "NONE",
           "scope": "UNCHANGED",
           "confidentialityImpact": "HIGH",
           "integrityImpact": "HIGH",
           "availabilityImpact": "HIGH",
           "baseSeverity": "CRITICAL"
         },
         "cwes": [
           "CWE-502"
         ],
         "description": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.", # 描述
         "notes": "",
         "references": [ # 参考链接
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:3149",
             "name": "RHSA-2019:3149"
           },
           {
             "source": "CONFIRM",
             "url": "https:\/\/support.hpe.com\/hpsc\/doc\/public\/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us",
             "name": "https:\/\/support.hpe.com\/hpsc\/doc\/public\/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1449",
             "name": "RHSA-2018:1449"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0342",
             "name": "RHSA-2018:0342"
           },
           {
             "source": "MISC",
             "url": "https:\/\/github.com\/irsl\/jackson-rce-via-spel\/",
             "name": "https:\/\/github.com\/irsl\/jackson-rce-via-spel\/"
           },
           {
             "source": "CONFIRM",
             "url": "https:\/\/security.netapp.com\/advisory\/ntap-20180201-0003\/",
             "name": "https:\/\/security.netapp.com\/advisory\/ntap-20180201-0003\/"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:1782",
             "name": "RHSA-2019:1782"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:2858",
             "name": "RHSA-2019:2858"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0478",
             "name": "RHSA-2018:0478"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0481",
             "name": "RHSA-2018:0481"
           },
           {
             "source": "CONFIRM",
             "url": "https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/1855",
             "name": "https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/1855"
           },
           {
             "source": "BUGTRAQ",
             "url": "http:\/\/www.securityfocus.com\/archive\/1\/541652\/100\/0\/threaded",
             "name": "20180109 CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0480",
             "name": "RHSA-2018:0480"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:2930",
             "name": "RHSA-2018:2930"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0116",
             "name": "RHSA-2018:0116"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1447",
             "name": "RHSA-2018:1447"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1450",
             "name": "RHSA-2018:1450"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:3892",
             "name": "RHSA-2019:3892"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:1797",
             "name": "RHSA-2019:1797"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0479",
             "name": "RHSA-2018:0479"
           },
           {
             "source": "DEBIAN",
             "url": "https:\/\/www.debian.org\/security\/2018\/dsa-4114",
             "name": "DSA-4114"
           },
           {
             "source": "OSSINDEX",
             "url": "https:\/\/ossindex.sonatype.org\/vuln\/b85a00e3-7d9b-49cf-9b19-b73f8ee60275",
             "name": "[CVE-2017-17485]  Improper Control of Generation of Code (\"Code Injection\")"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1448",
             "name": "RHSA-2018:1448"
           },
           {
             "source": "REDHAT",
             "url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1451",
             "name": "RHSA-2018:1451"
           }
         ],
         "vulnerableSoftware": [ # 含cve的cpe表达式列表
           {
             "software": {
               "id": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
               "vulnerabilityIdMatched": "true",
               "versionStartExcluding": "2.9.0",
               "versionEndExcluding": "2.9.4"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
               "versionStartIncluding": "2.8.0",
               "versionEndExcluding": "2.8.11"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:fasterxml:jackson:*:*:*:*:*:*:*:*",
               "versionStartIncluding": "1.0.0",
               "versionEndIncluding": "1.9"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*"
             }
           },
           {
             "software": {
               "id": "cpe:2.3:a:redhat:jboss_operations_network:3.3.10:*:*:*:*:*:*:*"
             }
           }

直观点的话,就是html格式里的内容

Trash Bin

OWASP-Dependency-Check的使用与结果解析