How to detect known Vulnerability of Java or C#?

The objective of this article is to share a tool that can help detect known CVEs (Common Vulnerabilities and Exposures) in the Java or C# libraries your application uses.

  • What security issue can arise from using a 3rd-party library?
  • How to use the tool?
  • What information can it report?


Security Issue – “Known Vulnerability”

Exploiting a known vulnerability in an application is one of the most common approaches attackers take. Therefore, when our application uses an external 3rd-party library, we need to check whether that library contains any known vulnerabilities.

A known vulnerability is usually referenced by its CVE (Common Vulnerabilities and Exposures) identifier; the CVE list is maintained at:

  • https://cve.mitre.org/


Scanning Tools to detect CVEs in 3rd-party libraries

There is a project run by OWASP called “Dependency Check”. It scans your C# or Java library files, extracts the vendor name and version of each one, and then reports whether there is a known CVE for that library version.

Where to download it?

http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.2.9-release.zip

Once the zip is downloaded, unzip it to a folder of your choice. Then run the following command directly from that folder, pointing --scan at the directory that holds your application's library files.

Windows

dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"

Mac or Linux

dependency-check.sh --app "My App Name" --scan "/java/application/lib"

Scanning Results

Refer to the following sample report to see what the scanning results look like.

http://jeremylong.github.io/DependencyCheck/SampleReport.html
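As an added example (not from the article or the Dependency-Check project), the script below turns a Dependency-Check XML report into a simple build gate: it lists every library file that has findings and fails when any finding reaches a chosen CVSS threshold. The report element names (analysis, dependency, fileName, vulnerability, name, cvssScore) are assumed from the report schema, the sample report is constructed, and its CVE ids are placeholders rather than real vulnerabilities.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Dependency-Check XML report. Element names are
# assumed from the report schema; the CVE ids are placeholders, not real ones.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-0000-0001</name>
          <cvssScore>7.5</cvssScore>
          <severity>High</severity>
        </vulnerability>
        <vulnerability>
          <name>CVE-0000-0002</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-lib-2.1.jar</fileName>
    </dependency>
  </dependencies>
</analysis>
"""

def local(tag):
    """Strip the XML namespace so the schema version in xmlns does not matter."""
    return tag.rsplit("}", 1)[-1]

def findings_from_report(xml_text):
    """Return {fileName: [(cve_id, cvss_score), ...]} for each library file
    that has at least one reported vulnerability."""
    root = ET.fromstring(xml_text)
    findings = {}
    for dep in (e for e in root.iter() if local(e.tag) == "dependency"):
        name = next((c.text for c in dep if local(c.tag) == "fileName"), "?")
        vulns = []
        for v in (e for e in dep.iter() if local(e.tag) == "vulnerability"):
            fields = {local(c.tag): (c.text or "").strip() for c in v}
            vulns.append((fields.get("name", "?"), float(fields.get("cvssScore", 0))))
        if vulns:
            findings[name] = vulns
    return findings

def gate(findings, threshold):
    """Build gate: (passed, worst_score); passes only if every score is below threshold."""
    worst = max((s for vs in findings.values() for _, s in vs), default=0.0)
    return worst < threshold, worst
```

In a CI job, run the scan with the report written as XML, feed the file to findings_from_report and exit non-zero when gate returns False.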


Reference

http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html
