OWASP Dependency Checkで使用しているJavaライブラリの脆弱性をチェックすることができます。
今回はMavenのpluginを使用します。
設定
pom.xmlに以下を追記します。
<plugins> ・・・ <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>2.0.0</version> <configuration> <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled> </configuration> <executions> <execution> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin> ・・・ </plugins>
脆弱性のチェック
pom.xmlへの追記が終わった状態で以下コマンドをを実行します
mvn dependency-check:check
すると以下のような出力がされます
[INFO] Scanning for projects... [INFO] [INFO] ------------------------------------------------------------------------ [INFO] Building sample-app 1.0.0 [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- dependency-check-maven:2.0.0:check (default-cli) @ srcl --- [INFO] Checking for updates [INFO] starting getUpdatesNeeded() ... [INFO] Download Started for NVD CVE - Modified [INFO] Download Complete for NVD CVE - Modified (5176 ms) [INFO] Processing Started for NVD CVE - Modified [INFO] Processing Complete for NVD CVE - Modified (6004 ms) [INFO] Begin database maintenance. [INFO] End database maintenance. [INFO] Check for updates complete (14381 ms) [INFO] Analysis Started [INFO] Finished Archive Analyzer (1 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (0 seconds) [INFO] Finished Central Analyzer (4 seconds) [INFO] Finished Dependency Merging Analyzer (0 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Created CPE Index (1 seconds) [INFO] Finished CPE Analyzer (1 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished Cpe Suppression Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (0 seconds) [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) [INFO] Finished Dependency Bundling Analyzer (0 seconds) [INFO] Analysis Complete (8 seconds) [WARNING] One or more dependencies were identified with known vulnerabilities in sample-app: commons-beanutils-1.8.3.jar (commons-beanutils:commons-beanutils:1.8.3, cpe:/a:apache:commons_beanutils:1.8.3) : CVE-2014-0114 See the dependency-check report for more details. [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 27.974 s [INFO] Finished at: 2017-07-06T18:33:09+09:00 [INFO] Final Memory: 25M/899M [INFO] ------------------------------------------------------------------------
今回の結果ではcommons-beanutilsの1.8.3 にCVE-2014-0114の脆弱性があることが指摘されています。
というわけで、簡単にJavaライブラリの脆弱性チェックができました。
