What is OWASP?

The Open Web Application Security Project (OWASP) is an online nonprofit organization made up of volunteers from all over the world who help developers and security practitioners protect their web applications from cyber-attacks. Founded in 2001, OWASP produces freely available tools, documentation, methodologies, articles, and technologies.

Today, OWASP has over 32,000 volunteers who are actively involved in security assessments and research. One of the core principles behind its popularity is that all of its materials are openly available for anyone to use to secure their web applications.

This article shows how to use OWASP Dependency-Check to scan for vulnerable dependencies in a Node.js project.

OWASP Dependency-Check

OWASP Dependency-Check is an open source Software Composition Analysis (SCA) tool that identifies a project's open source dependencies and checks them for publicly disclosed vulnerabilities, primarily by matching each dependency against the CVE entries in the National Vulnerability Database (NVD). It addresses one of the OWASP Top 10 (2017) risks, "A9 – Using Components with Known Vulnerabilities".

Today Dependency-Check offers full support for Java and .NET, experimental support for Node.js, Python and Ruby, and limited support for C and C++. Analyzers that are still marked experimental in your version must be switched on with the --enableExperimental flag.

Importance of Code Security

It is estimated that eighty percent of the code in today's applications comes from open source libraries and frameworks. What is more, approximately 27% of the libraries available on the internet have well known, publicly disclosed vulnerabilities.

Worryingly, most organizations and individual developers continue to use these libraries in their code without addressing the vulnerabilities. Using a vulnerable library can allow malicious actors to access confidential data, perform transactions, and in some cases gain full control of an application.

As such, developers must be careful about the libraries they pull into their code, and must keep checking them after the fact: a library that was clean when it was added can have a vulnerability disclosed against it later.

Check out this how-to video to watch the tutorial and follow along with the steps below.

Installing via CLI Version

For this guide, I will install OWASP Dependency-Check on Ubuntu and use it to scan a Node.js project. Dependency-Check runs on the JVM, so before proceeding ensure that Java (8 or newer) is installed and working. You can confirm your Java installation with the java -version command.

With that, here is the step by step process of installing OWASP Dependency Check:

1. Download the Dependency-Check release zip from the OWASP website. Since we intend to run this SCA tool from the command line, download the CLI version. The archive contains the files for both the Linux terminal and the Windows command line.

2. Extract the files with the unzip command, since we are on a Linux terminal (for example: unzip dependency-check-6.2.0-release.zip).

3. The bin folder contains dependency-check.sh for the Linux terminal and dependency-check.bat for the Windows command prompt.

4. You can test whether your installation is working correctly by running ./dependency-check.sh --help. It should print the list of arguments that can be used with the tool.

Installing via Brew

If you are using a Mac, you can install OWASP Dependency-Check with the brew command. Homebrew puts the dependency-check binary on your PATH.

brew update && brew install dependency-check

Scanning Node JS Code

Before I proceed to scan the code, here are three basic arguments used with OWASP Dependency-Check.

1. --project <name> – names the project you are scanning; the name appears in the report

2. --scan <path> – the file or folder to be scanned (it can be given more than once)

3. --out <path> – the folder where Dependency-Check will write the report (defaults to the current directory)

To scan some source code, run dependency-check from the project folder, supplying the project name, the path to scan and the output location, as shown. Use ./dependency-check.sh from the unzipped bin folder if you installed the CLI manually; the path below is the Homebrew-style install:

cd /your_code_project_folder

dependency-check/6.2.0/bin/dependency-check --project "your_project_name" --out . --scan .

For this project scan, we are using sample Node.js code from the HacWare Cybersecurity API. This project is simple and only depends on the "axios" package. This is the output from the scan.

Command Line Output
Dependency-Check Report Website

If you are running the scan for the first time, it will take some time to download the NVD vulnerability data into a local database. Subsequent scans are faster because only the updates are fetched. A scan can also be run without an active internet connection by passing --noupdate, but bear in mind that the local data then goes stale, so do not rely on offline scans for long.

Interpreting the Output

Once the scan is complete, you can review the output printed on the command line, and the analyzer also writes a report named "dependency-check-report.html" to the output folder. The report gives a summary of the findings followed by a detailed entry for each vulnerability and its severity rating.

Sample Failure Report

Each vulnerability entry shows where the affected file is found in your project and the publicly disclosed problem. The report also shows the Common Vulnerability Scoring System (CVSS) score to help developers prioritize their response. Because dependencies are matched to CVE entries by product identifiers, a finding can occasionally be a false positive; review each one, and record confirmed false positives in a suppression file (passed with --suppression <file>) so they do not reappear on the next scan.

Automating Dependency Check Scans

The tool can be run from the command line interface, as an Ant task, or through its Maven, Gradle and Jenkins plugins. It does not schedule or trigger itself, so to automate it, add a scan step to your build or CI pipeline. The CLI's --failOnCVSS <score> flag makes that step return a non-zero exit code when any finding scores at or above the given CVSS value, which is how you turn a report into a failed build.

Final Thoughts

It is important for software developers to find efficient ways to implement secure coding practices and build resilient applications and tools. OWASP Dependency-Check helps you spot vulnerabilities in the code you depend on and make decisions at development time: upgrade to a patched version, or find another way to meet the project's requirements.

Want to Learn More about our Cybersecurity API?

HacWare makes it stupid easy for software developers to launch next generation cybersecurity education programs to combat phishing attacks with a few lines of code. To learn more about our powerful security awareness API and developer program, click here to apply.

References

https://github.com/jeremylong/DependencyCheck
https://hacware.com/dev