• How to detect known vulnerabilities in Java or C# libraries?

    The objective of this article is to share one tool that can help detect known CVEs (Common Vulnerabilities and Exposures) in the Java or C# libraries your application depends on.

    • What security issue can using a third-party library introduce?
    • How to use the tool?
    • What information can it report?


    Security Issue – “Known Vulnerability”

    Exploiting a known vulnerability in a component is one of the most common ways an attacker gets into an application. Therefore, whenever our application uses an external third-party library, we need to check whether that library carries a known vulnerability, and keep checking as new ones are published.

    Known vulnerabilities are catalogued as CVEs (Common Vulnerabilities and Exposures), each with a unique identifier such as CVE-YYYY-NNNN:

    • https://cve.mitre.org/


    Scanning Tools to detect CVEs in third-party libraries

    OWASP runs a project called Dependency-Check. It inspects the Java (.jar) or C# (.dll) library files in a directory, collects evidence such as the vendor, product name and version from each file, and uses that evidence to report whether any of the libraries has a known CVE. Because the match is made on evidence gathered from the file rather than an exact signature, it can produce false positives and can miss a library it fails to identify, so check the CPE it matched against the actual library before acting on a finding.

    Where to download it?

    http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.2.9-release.zip

    Once the zip is downloaded, unzip it into a folder of your choice and run the following command from there, pointing --scan at the directory that holds your application's libraries.

    Windows

    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"

    Mac or Linux

    dependency-check.sh --app "My App Name" --scan "/java/application/lib"

    Scanning Results

    By default the scan writes an HTML report to the current directory. For each library it lists the file name, the CPE (vendor, product and version) it was matched to, and every CVE found for that CPE together with its CVSS score, so you can see at a glance which libraries need upgrading. See the sample report for what the output looks like:

    http://jeremylong.github.io/DependencyCheck/SampleReport.html
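    The HTML report is for people; on a build server you want the same information in a form a script can read. The following script is an added example for this post, not code from the Dependency-Check project. It assumes the scan was also run with the CLI's --format XML option (check --help on your version) and that the XML report uses the element names shown in the embedded sample (analysis > dependencies > dependency > fileName / identifiers / vulnerabilities); the sample report is constructed for this example and its CVE numbers are placeholders, not real advisories. It flattens the report into one finding per library and CVE, keeps the matched CPE so a false positive can be spotted, and returns a non-zero exit code when any finding is at or above a CVSS threshold.

```python
"""Parse an OWASP Dependency-Check XML report and fail the build on serious CVEs.

Added example, not part of Dependency-Check. Assumes the scan was run with
an XML output format and that the report uses the element names shown in
SAMPLE_REPORT below. SAMPLE_REPORT is constructed for this example; the CVE
numbers in it are placeholders, not real advisories.
"""
import sys
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "file_name cpe cve cvss severity")

# Constructed, abbreviated report: not output from a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <projectInfo><name>My App Name</name></projectInfo>
  <dependencies>
    <dependency>
      <fileName>legacy-parser-1.0.jar</fileName>
      <identifiers>
        <identifier type="cpe" confidence="HIGHEST">
          <name>cpe:/a:example:legacy_parser:1.0</name>
        </identifier>
      </identifiers>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2099-0001</name>
          <cvssScore>9.3</cvssScore>
          <severity>High</severity>
        </vulnerability>
        <vulnerability>
          <name>CVE-2099-0002</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-utils-2.4.jar</fileName>
      <identifiers/>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the XML namespace so the parser works whichever schema URL the report declares."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name, default=""):
    """Text of the first direct child with the given local name."""
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default


def parse_report(xml_text):
    """Flatten the report into one Finding per (library, CVE) pair."""
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = _child_text(dep, "fileName")
        # The CPE is what the scanner matched the file to; a wrong CPE means
        # every CVE under it is a false positive, so keep it for review.
        cpe = ""
        for ident in dep.iter():
            if _local(ident.tag) == "identifier" and ident.get("type") == "cpe":
                cpe = _child_text(ident, "name")
                break
        for vuln in dep.iter():
            if _local(vuln.tag) != "vulnerability":
                continue
            try:
                cvss = float(_child_text(vuln, "cvssScore", "0"))
            except ValueError:
                cvss = 0.0  # missing or unparseable score: treat as unscored
            findings.append(Finding(file_name, cpe, _child_text(vuln, "name"),
                                    cvss, _child_text(vuln, "severity")))
    return findings


def failing_findings(findings, min_cvss=7.0):
    """Findings at or above the CVSS threshold that should block the build."""
    return [f for f in findings if f.cvss >= min_cvss]


def build_should_fail(xml_text, min_cvss=7.0):
    """True when the report contains at least one blocking finding."""
    return bool(failing_findings(parse_report(xml_text), min_cvss))


if __name__ == "__main__":
    # Usage: python check_report.py dependency-check-report.xml [min_cvss]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    found = parse_report(text)
    for f in found:
        print("%-25s %-40s %-14s CVSS %.1f (%s)" % (f.file_name, f.cpe, f.cve, f.cvss, f.severity))
    blocking = failing_findings(found, threshold)
    print("%d finding(s), %d at or above CVSS %.1f" % (len(found), len(blocking), threshold))
    sys.exit(1 if blocking else 0)
```

    Run with no arguments it checks the embedded sample and exits 1 because of the 9.3 finding; point it at a real report and wire the exit code into the build. The threshold is a policy choice: start high so the gate is not ignored, and lower it as the backlog of upgrades is worked off.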


    Reference

    http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html

    Posted by Tony @ 5:08 pm
