
Checking Java dependencies for known vulnerabilities with dependency-check

Demo address

Adding the dependency-check plugin

The project's existing dependency looks like this:

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-all</artifactId>
    <version>4.1.41.Final</version>
</dependency>

The dependency-check-maven plugin is then added to the pom. Analyzers that do not apply to a pure Java project are switched off, and the build is set to fail at CVSS 7 or higher:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${dependency-check-maven.version}</version>
    <configuration>
        <suppressionFiles>
            <suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
        <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
        <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
        <pyDistributionAnalyzerEnabled>false</pyDistributionAnalyzerEnabled>
        <pyPackageAnalyzerEnabled>false</pyPackageAnalyzerEnabled>
        <pipAnalyzerEnabled>false</pipAnalyzerEnabled>
        <pipfileAnalyzerEnabled>false</pipfileAnalyzerEnabled>
        <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
        <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <skipSystemScope>true</skipSystemScope>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>aggregate</goal>
            </goals>
        </execution>
    </executions>
</plugin>

The check can then be run with mvn clean install verify -DskipTests. For this demo it prints:

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] netty-all-4.1.41.Final.jar: CVE-2019-16869(7.5), CVE-2021-37136(7.5), CVE-2020-11612(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1), CVE-2020-7238(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.

In real use, because the dependency-check scan is relatively time-consuming, it is usually switched on and off through a separate Maven profile.
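One way to wire up that switch, shown here as an added example rather than the post's own configuration: the plugin is moved into a Maven profile with a hypothetical id `dependency-check`, so it only runs when that profile is selected. The version property and suppression-file path are the ones from the plugin block above; the analyzer switches from that block can be copied in unchanged.

```xml
<!-- Added example: profile-gated dependency-check, not from the original post. -->
<profiles>
  <profile>
    <!-- Hypothetical profile id; select with: mvn verify -Pdependency-check -DskipTests -->
    <id>dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check-maven.version}</version>
          <configuration>
            <suppressionFiles>
              <suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- Fail the build on any finding scored 7.0 or higher, as in the post -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <skipSystemScope>true</skipSystemScope>
            <!-- Copy the analyzer *Enabled switches from the plugin block above here -->
          </configuration>
          <executions>
            <execution>
              <!-- aggregate scans all modules of a multi-module build; bound to verify -->
              <phase>verify</phase>
              <goals>
                <goal>aggregate</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

A normal mvn verify run then skips the scan entirely; a CI job that should enforce the CVSS threshold runs mvn verify -Pdependency-check -DskipTests. Much of the scan time on a fresh machine is the download of the NVD data, so the profile is usually enabled on a scheduled or release pipeline rather than on every developer build.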

Suppressing CVE findings

If dependency-check reports a false positive, or the vulnerability has been assessed as not applicable to the project, the finding can be suppressed through a suppression file.

Suppressing a single CVE

<suppress>
    <notes><![CDATA[
    file name: zookeeper-prometheus-metrics-3.8.0.jar
    ]]></notes>
    <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1>
    <cve>CVE-2021-29425</cve>
</suppress>

Suppressing a CVE by file-path regex

<suppress>
    <notes>CVE-2011-1797 FP, see https://github.com/jeremylong/DependencyCheck/issues/4154</notes>
    <filePath regex="true">.*netty-tcnative-boringssl-static.*.jar</filePath>
    <cve>CVE-2011-1797</cve>
</suppress>
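The two fragments above are entries, not a whole file. As an added example (not the post's own file), here is a complete src/owasp-dependency-check-suppressions.xml that combines both forms under the root element and schema namespace the plugin expects, and adds two things the post does not show: an `until` expiry date (the date itself is a constructed placeholder) so a suppression lapses and the finding is re-assessed, and a package-URL match, which keys on Maven coordinates instead of a file name. The sha1 and CVE values in the first two entries are the ones from the post; the third entry uses a placeholder artifact and CVE id.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; entries 1 and 2 reuse values from the post,
     entry 3 is a placeholder to show the packageUrl form. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- 1. Exact match: one specific jar (by SHA-1) for one specific CVE.
          The notes should record why the finding was judged not applicable. -->
  <suppress>
    <notes><![CDATA[
    file name: zookeeper-prometheus-metrics-3.8.0.jar
    ]]></notes>
    <sha1>849e8ece2845cb0185d721233906d487a7f1e4cf</sha1>
    <cve>CVE-2021-29425</cve>
  </suppress>

  <!-- 2. File-path regex with an expiry: after the (placeholder) until date the
          suppression stops applying and the CVE fails the build again. -->
  <suppress until="2025-12-31Z">
    <notes>CVE-2011-1797 FP, see https://github.com/jeremylong/DependencyCheck/issues/4154</notes>
    <filePath regex="true">.*netty-tcnative-boringssl-static.*\.jar</filePath>
    <cve>CVE-2011-1797</cve>
  </suppress>

  <!-- 3. Coordinate-based match via package URL (regex), independent of the
          file name on disk. Hypothetical artifact and CVE id, not from the post. -->
  <suppress>
    <notes>placeholder: suppress one CVE for every version of com.example:example-lib</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>

</suppressions>
```

The sha1 form is the safest because an upgraded jar has a new hash and the finding reappears automatically; the regex forms keep matching after an upgrade, which is why pairing them with `until` is worth the small extra maintenance.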