
Using OWASP Dependency-Check and Parsing Its Results

Preface:

In our SDL, the Dependency-Check tool is used to scan the third-party libraries that source code depends on.


Introduction:

OWASP is an open-source, non-profit global security organization dedicated to application security research. Its mission is to make application software more secure and to enable enterprises and organizations to make clearer decisions about application security risk.

OWASP's research has been cited by 32 government and industry bodies in the US, Europe, Japan and other countries, forming the basis of nearly a hundred international regulations, standards, guidelines and industry codes of conduct.

Dependency-Check is a practical open-source utility from OWASP (Open Web Application Security Project) that identifies a project's dependencies and checks whether any of them carry known, publicly disclosed vulnerabilities.

It currently supports programs written in Java, .NET, Ruby, PHP, Node.js, Python and other languages, with limited support for C/C++ build systems (autoconf and cmake). The tool is also part of the recommended mitigations for the OWASP Top 10.

Dependency-Check has broad coverage (many languages) and strong integration options: as an open-source tool it has, over years of development, gained integrations with many mainstream systems, such as the command line, Ant, Maven, Gradle, Jenkins and Sonar. It is easy to use and simple to roll out.


How it works:

Dependency-Check scans an application and its dependency libraries. When a check runs it first downloads the Common Platform Enumeration (CPE) data from the US National Vulnerability Database and the NPM Public Advisories database to a local cache. A series of analyzers in the core engine then inspect the project's dependencies and collect evidence about each one; that evidence is matched against the local CPE and NPM data, and any component found to have a known vulnerability is flagged. Finally a report is generated for review.


Command-line options:

```text
.\dependency-check.bat --help

usage: Dependency-Check Core [--advancedHelp] [--enableExperimental]
[--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h]
[--junitFailOnCVSS <score>] [-l <file>] [-n] [-o <path>]
[--prettyPrint] [--project <name>] [-s <path>] [--suppression
<file>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE
vulnerabilities in libraries utilized by an application. Dependency-Check
Core will automatically update required data from the Internet, such as
the CVE and CPE data files from nvd.nist.gov.

--advancedHelp Print the advanced help message.
--enableExperimental Enables the experimental analyzers.
--exclude <pattern> Specify an exclusion pattern. This option
can be specified multiple times and it
accepts Ant style exclusions.
-f,--format <format> The report format (HTML, XML, CSV, JSON,
JUNIT, or ALL). The default is HTML.
Multiple format parameters can be
specified.
--failOnCVSS <score> Specifies if the build should be failed if
a CVSS score above a specified level is
identified. The default is 11; since the
CVSS scores are 0-10, by default the build
will never fail.
-h,--help Print this message.
--junitFailOnCVSS <score> Specifies the CVSS score that is
considered a failure when generating the
junit report. The default is 0.
-l,--log <file> The file path to write verbose logging
information.
-n,--noupdate Disables the automatic updating of the CPE
data.
-o,--out <path> The folder to write reports to. This
defaults to the current directory. It is
possible to set this to a specific file
name if the format argument is not set to
ALL.
--prettyPrint When specified the JSON and XML report
formats will be pretty printed.
--project <name> The name of the project being scanned.
-s,--scan <path> The path to scan - this option can be
specified multiple times. Ant style paths
are supported (e.g. 'path/**/*.jar'); if
using Ant style paths it is highly
recommended to quote the argument value.
--suppression <file> The file path to the suppression XML file.
This can be specified more then once to
utilize multiple suppression files
-v,--version Print the version information.
```

The scan command I use:

```bash
# -n disables the automatic database update
sh /opt/devsecops/tools/dependency-check/bin/dependency-check.sh -f 'JSON' -n --project 'dc_check' --scan /opt/xxx/jar_lib --out /opt/xxx/dc.json
```

The update command I use:

```bash
# update the local vulnerability data only, no scan
sh /opt/devsecops/tools/dependency-check/bin/dependency-check.sh --updateonly
```

Result parsing:

Parsing the JSON scan result produced by Dependency-Check (DC).

Overall JSON structure:

```json
{
  "reportSchema": "1.1",     # report schema version
  "scanInfo": {...},         # scan information
  "projectInfo": {...},      # project information
  "dependencies": [...]      # dependency information
}
```

The most important item is the dependency information.


Report schema, scan info, project info

(screenshot in the original post)

There is nothing important in these; they can be skipped.


Dependency information:

Overall structure of one dependency entry:

```json
{
  "isVirtual": false,
  "fileName": "jackson-databind-2.9.0.pr4.jar",  # file name
  "filePath": "\/opt\/devsecops\/logs\/ec-cart_V20200814024805\/jar_lib\/jackson-databind-2.9.0.pr4.jar",  # file path
  "md5": "a1a9284e812952d15736794ef252dfd9",  # md5 hash
  "sha1": "e96baca7953374a502eb995d3901cad7580d3741",
  "sha256": "b9f004b868004f84745ff844a9e0f05367cd5b8dc1a69944bebdec035ea00146",
  "description": "General data-binding functionality for Jackson: works on core streaming API",  # what the jar does
  "license": "http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt",
  "evidenceCollected": {...},  # evidence information
  "packages": [...],           # package identifiers (pkg expressions)
  "vulnerabilityIds": [...],   # cpe expressions
  "vulnerabilities": [...]     # vulnerability list
}
```

evidenceCollected (evidence information):

Structure and detailed contents: (screenshots in the original post)

Evidence gathered from various sources is used to determine the component's vendor, Product (product name) and Version (version number).


packages & vulnerabilityIds:

(screenshot in the original post)

These two items hold the identification information derived from pkg (package URL) and cpe expressions.

The confidence field under vulnerabilityIds gives the confidence level of the match that produced this finding.

To reduce false positives, we generally keep only findings whose confidence is HIGHEST or HIGH.


vulnerabilities (vulnerability information):

vulnerabilities is a list of vulnerabilities; it contains every CVE affecting the current version of the component.

Taking jackson-databind-2.9.0.pr4.jar as an example, one entry looks like this:

```json
{
"source": "NVD",
"name": "CVE-2017-17485", # CVE identifier
"severity": "CRITICAL", # risk level
"cvssv2": {
"score": 7.5, # CVSS v2 score
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authenticationr": "NONE",
"confidentialImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"severity": "HIGH"
},
"cvssv3": {
"baseScore": 9.8, # CVSS v3 score
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseSeverity": "CRITICAL"
},
"cwes": [
"CWE-502"
],
"description": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.", # description
"notes": "",
"references": [ # reference links
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:3149",
"name": "RHSA-2019:3149"
},
{
"source": "CONFIRM",
"url": "https:\/\/support.hpe.com\/hpsc\/doc\/public\/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us",
"name": "https:\/\/support.hpe.com\/hpsc\/doc\/public\/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1449",
"name": "RHSA-2018:1449"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0342",
"name": "RHSA-2018:0342"
},
{
"source": "MISC",
"url": "https:\/\/github.com\/irsl\/jackson-rce-via-spel\/",
"name": "https:\/\/github.com\/irsl\/jackson-rce-via-spel\/"
},
{
"source": "CONFIRM",
"url": "https:\/\/security.netapp.com\/advisory\/ntap-20180201-0003\/",
"name": "https:\/\/security.netapp.com\/advisory\/ntap-20180201-0003\/"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:1782",
"name": "RHSA-2019:1782"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:2858",
"name": "RHSA-2019:2858"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0478",
"name": "RHSA-2018:0478"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0481",
"name": "RHSA-2018:0481"
},
{
"source": "CONFIRM",
"url": "https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/1855",
"name": "https:\/\/github.com\/FasterXML\/jackson-databind\/issues\/1855"
},
{
"source": "BUGTRAQ",
"url": "http:\/\/www.securityfocus.com\/archive\/1\/541652\/100\/0\/threaded",
"name": "20180109 CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0480",
"name": "RHSA-2018:0480"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:2930",
"name": "RHSA-2018:2930"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0116",
"name": "RHSA-2018:0116"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1447",
"name": "RHSA-2018:1447"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1450",
"name": "RHSA-2018:1450"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:3892",
"name": "RHSA-2019:3892"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2019:1797",
"name": "RHSA-2019:1797"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:0479",
"name": "RHSA-2018:0479"
},
{
"source": "DEBIAN",
"url": "https:\/\/www.debian.org\/security\/2018\/dsa-4114",
"name": "DSA-4114"
},
{
"source": "OSSINDEX",
"url": "https:\/\/ossindex.sonatype.org\/vuln\/b85a00e3-7d9b-49cf-9b19-b73f8ee60275",
"name": "[CVE-2017-17485] Improper Control of Generation of Code (\"Code Injection\")"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1448",
"name": "RHSA-2018:1448"
},
{
"source": "REDHAT",
"url": "https:\/\/access.redhat.com\/errata\/RHSA-2018:1451",
"name": "RHSA-2018:1451"
}
],
"vulnerableSoftware": [ # list of CPE expressions affected by this CVE
{
"software": {
"id": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"vulnerabilityIdMatched": "true",
"versionStartExcluding": "2.9.0",
"versionEndExcluding": "2.9.4"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.8.0",
"versionEndExcluding": "2.8.11"
}
},
{
"software": {
"id": "cpe:2.3:a:fasterxml:jackson:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.0.0",
"versionEndIncluding": "1.9"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*"
}
},
{
"software": {
"id": "cpe:2.3:a:redhat:jboss_operations_network:3.3.10:*:*:*:*:*:*:*"
}
}
]
}
```

For a more readable view, the same content is what the HTML report format displays.
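The parsing rules described above (keep only dependencies whose vulnerabilityIds match with HIGHEST or HIGH confidence, then flatten each CVE with its CVSS score), as an added example that is not code from the original post or from the Dependency-Check project. The embedded report is a constructed, trimmed sample with the same shape as the real JSON report; the second dependency, its CPE and its CVE number are placeholders.

```python
"""Flatten a Dependency-Check JSON report into one row per (dependency, CVE)."""
import json

TRUSTED = {"HIGHEST", "HIGH"}  # confidence levels we accept, to cut false positives

# Constructed sample report: one real-looking finding, one low-confidence match,
# one clean jar. Values for "example-util" are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "jackson-databind-2.9.0.pr4.jar",
            "vulnerabilityIds": [{"id": "cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [{"name": "CVE-2017-17485", "severity": "CRITICAL",
                                 "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}],
        },
        {
            "fileName": "example-util-1.0.jar",  # hypothetical library
            "vulnerabilityIds": [{"id": "cpe:2.3:a:example:util:1.0:*:*:*:*:*:*:*", "confidence": "LOW"}],
            "vulnerabilities": [{"name": "CVE-0000-0000", "severity": "HIGH", "cvssv3": {"baseScore": 7.0}}],
        },
        {"fileName": "clean-lib-3.2.jar"},  # no findings: the vulnerability keys are absent
    ],
})


def confident(dep):
    """True when at least one cpe/pkg match for this dependency is HIGHEST or HIGH confidence."""
    return any(v.get("confidence") in TRUSTED for v in dep.get("vulnerabilityIds", []))


def flatten(report_text):
    """Return [(fileName, cve, severity, score)] for confident matches; prefers the CVSS v3 score."""
    rows = []
    for dep in json.loads(report_text).get("dependencies", []):
        if not confident(dep):
            continue
        for vuln in dep.get("vulnerabilities", []):
            # Not every CVE has a v3 vector; fall back to the v2 score, else None.
            score = vuln.get("cvssv3", {}).get("baseScore", vuln.get("cvssv2", {}).get("score"))
            rows.append((dep["fileName"], vuln["name"], vuln["severity"], score))
    return rows


def max_cvss(rows):
    """Highest score among the rows; compare it against a --failOnCVSS-style gate."""
    return max((r[3] for r in rows if r[3] is not None), default=0.0)


if __name__ == "__main__":
    for row in flatten(SAMPLE_REPORT):
        print(*row)
```

The low-confidence "example-util" entry and the clean jar produce no rows, so a pipeline gate such as `max_cvss(rows) >= 9.0` is driven only by trusted matches.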
