jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency-check not scanning all the jars in the given directory #6985

Open champaanand opened 2 weeks ago

champaanand commented 2 weeks ago

Hello, we have a requirement to scan the JAR files kept under one directory (dependency-check version 10.0.4). Command used:

./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3

This command shows the report/vulnerabilities for only 4 JARs, while I have around 26 JARs in the directory jars_3.1.3.

If I run the command separately for each JAR, it does report the vulnerabilities for all 26 JARs:

./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/abs.jar
./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxxx --scan /root/dependency-check/jars_3.1.3/def.jar

Please let me know if there is anything missing.

champaanand commented 2 weeks ago

Tried the below option as well (all the JARs are present under the ./jars_3.1.3/ directory):

./bin/dependency-check.sh --out . --format CSV --nvdApiKey xxxxxx --scan ./jars_3.1.3/*.jar

jeremylong commented 2 weeks ago

By default, ODC will combine related JAR files. See if there are related dependencies listed.


champaanand commented 2 weeks ago

All 26 JARs are independent. (This is not Jenkins-integrated; we are running on the command line.) Is there any parameter we need to set?

jeremylong commented 2 weeks ago

Did you see the related JARs section(s) in the report?

champaanand commented 2 weeks ago

@jeremylong I don't see any column named "related" in the report.

"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"

I searched for the missing JAR names in the report; they are not found.

jeremylong commented 1 week ago

The CSV report is garbage for actual analysis of the CVEs and how things are reported. Look at the HTML report.

champaanand commented 6 days ago

The HTML report shows the related JARs. The CSV format is not recommended, is it?

jeremylong commented 5 days ago

I only created the CSV report because of the many requests for it - in my opinion, it isn't useful because it is hard to determine if something is a false positive by just looking at the CSV report. Additionally, the HTML report gives you the ability to generate suppression rules in case you run into FP.
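The grouping behaviour discussed in this thread (ODC folds JARs that share identifiers under one primary dependency, so the CSV shows fewer rows than JARs scanned) can be checked mechanically against the JSON report instead of eyeballing the HTML. The script below is an added example, not part of the DependencyCheck project or of anyone's comment here. It assumes the JSON report (--format JSON) lists each primary entry under "dependencies" with "fileName", "filePath", "vulnerabilities" and a "relatedDependencies" array carrying the grouped JARs; those field names are my reading of the report format and should be confirmed against a real report. The embedded report is constructed sample data with a placeholder finding name, and the file names in it are invented for the illustration.

```python
import json
import os
from typing import Dict, List, Set

# Constructed sample shaped like a dependency-check JSON report. Two primary
# entries stand in for four scanned JARs: lib-core and lib-api were folded
# under lib-impl as related dependencies, which is why a per-dependency view
# (such as the CSV) would show only two rows. "EXAMPLE-VULN-1" is a placeholder
# finding name, not a real vulnerability identifier.
SAMPLE_REPORT = """
{
  "projectInfo": {"name": "jars_3.1.3"},
  "dependencies": [
    {
      "fileName": "lib-impl-1.2.3.jar",
      "filePath": "/root/dependency-check/jars_3.1.3/lib-impl-1.2.3.jar",
      "relatedDependencies": [
        {"fileName": "lib-core-1.2.3.jar",
         "filePath": "/root/dependency-check/jars_3.1.3/lib-core-1.2.3.jar"},
        {"fileName": "lib-api-1.2.3.jar",
         "filePath": "/root/dependency-check/jars_3.1.3/lib-api-1.2.3.jar"}
      ],
      "vulnerabilities": [
        {"name": "EXAMPLE-VULN-1", "severity": "HIGH"}
      ]
    },
    {
      "fileName": "other-4.5.6.jar",
      "filePath": "/root/dependency-check/jars_3.1.3/other-4.5.6.jar",
      "vulnerabilities": []
    }
  ]
}
"""


def load_report(text: str) -> Dict:
    """Parse the JSON report text into a dict."""
    return json.loads(text)


def flatten_dependencies(report: Dict) -> List[Dict]:
    """Return one row per scanned JAR, including JARs that ODC folded into a
    primary dependency's relatedDependencies. Each row records which primary
    JAR the findings were reported under, so a related JAR inherits the same
    finding list as its primary."""
    rows: List[Dict] = []
    for dep in report.get("dependencies", []):
        primary = dep["fileName"]
        vulns = sorted(v["name"] for v in dep.get("vulnerabilities", []))
        rows.append({"file": primary, "path": dep.get("filePath", ""),
                     "reported_under": primary, "vulnerabilities": vulns})
        for rel in dep.get("relatedDependencies", []):
            # Some entries may carry only filePath; fall back to its basename.
            name = rel.get("fileName") or os.path.basename(rel.get("filePath", ""))
            rows.append({"file": name, "path": rel.get("filePath", ""),
                         "reported_under": primary, "vulnerabilities": vulns})
    return rows


def unreported_jars(report: Dict, scanned: List[str]) -> Set[str]:
    """JAR names from the scan directory that appear nowhere in the report,
    neither as a primary nor as a related dependency. An empty set means ODC
    saw every JAR and merely grouped them; a non-empty set is a genuine gap
    worth raising."""
    seen = {row["file"] for row in flatten_dependencies(report)}
    return {os.path.basename(p) for p in scanned} - seen


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    for row in flatten_dependencies(rep):
        print(f'{row["file"]:24} reported under {row["reported_under"]:24} '
              f'{",".join(row["vulnerabilities"]) or "-"}')
    # Against a real run you would pass os.listdir() of the scanned directory.
    print("unreported:", unreported_jars(rep, [r["path"] for r in flatten_dependencies(rep)]))
```

Against a real run, replace SAMPLE_REPORT with the contents of dependency-check-report.json and pass the listing of the scanned directory to unreported_jars; a JAR listed there but absent from the report points at something other than grouping.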

champaanand commented 5 days ago

great, thanks for the response @jeremylong