jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.49k stars 1.29k forks source link

Add outdated dependency detection #22

Open stevespringett opened 11 years ago

stevespringett commented 11 years ago

Add the ability to detect if newer versions of a given dependency are available. For Java libraries, this may be possible using technology included in the Versions Maven Plugin.

Add an optional evidence-based analysis step to collect and analyze copyright, build, file stamp and other dates to determine when the library was published. Add a configurable threshold that would flag the library as 'old' if published prior to this date.

Add an optional and separate report that would output all dependencies that have newer versions and if possible, state what the current version is as well as the closest minor version not containing known vulnerabilities. Include another section containing possible out-of-date libraries.

jeremylong commented 10 years ago

With the new Nexus Analyzer - we could probably tweak things a bit and determine if there is a newer version. But this would only apply to dependencies that reside in a nexus repo. Another interesting thing is we could tell if the version approved for use (i.e. the one in your internal companies repo) is being used.

Thoughts?

stevespringett commented 10 years ago

One of my primary reasons for this feature is to flag old libraries that may be unsupported or end-of-life. Struts 1.3 comes to mind. There are many webapps that still use it, yet most of the vulnerabilities being discovered are in 2.x. Is this because 2.x is worse than 1.3, or is it that security researchers aren't looking for vulns in 1.3 anymore. I don't know the answer, but flagging old libraries with a warning would be a good addition.

I like the notion of seeing if the dependency is in the internal Nexus repo. I don't think we can assume it's not approved if it's no there, but again, flagging it as a warning would be a good addition.

colezlaw commented 10 years ago

It occurred to me that Struts 1.3 is an interesting case. What if you're using Struts 1.3.10? Should that generate a warning? Beside the build timestamp, how would one determine that's "old"? If you look on the repository, that's the latest, greatest version (see org.apache.struts:struts-core)

colezlaw commented 10 years ago

As I started implementing this check in the Nexus Analyzer, I decided that it's riddled with questions that need to be answered - some are easier than others to answer.

stevespringett commented 10 years ago

CVE's do not typically include alpha, beta or snapshot releases. There are a few exceptions to this, but in general, CVE's are not published for unreleased software.

The transitive dependency issue is out of scope for Dependency-Check. I think its our obligation to detect old and outdated libraries regardless of their transitive dependencies. A9, like any new type of issue, requires a bit of push back in order to make non-security developers aware of the situation.

I'm a big fan of simplicity, and envisioned something like this:

Ability to find 'old' libraries. 'old' can be defined in the properties file by using a date. Perhaps start with 2 years.

A secondary property file would be used to determine how many revisions out of date a library is. Perhaps a default of 3. Anything 4 or more revisions out of date and it will be flagged. This would only be used for releases, not alpha, beta or snapshot.

colezlaw commented 10 years ago

Okay, I like the idea of putting some sort of a line in the sand on age. And that only takes one more request back to Nexus, and it avoids a lot of the complication on when Nexus says that 20130405.122731 is "newer" than version 1.3 because 20130405 is bigger than 1.

augustd commented 9 years ago

For Maven at least, this function can be handled by the Versions Plugin:

http://mojo.codehaus.org/versions-maven-plugin/display-dependency-updates-mojo.html

jeremylong commented 9 years ago

Some preliminary work is in progress in the Maven plugin to list new versions of the identified dependency.

--Jeremy

dwvisser commented 9 years ago

Versions plugin page for Maven has moved: http://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html

I wonder if instead of trying to pull this functionality into Dependency Check, we could document on the site about the Versions plugin, and mention it in the output the Dependency Check Maven plugin.

jeremylong commented 9 years ago

The issue with just documenting dependency-updates-mogo is that not everyone is using Maven. Worst case we have the CLI.