
[Security Testing] Problems encountered when using OWASP Dependency-Check from the command line

2022-09-27 10:43  码上起舞

The external network access that Dependency-Check needs covers the following endpoints:
https://nvd.nist.gov
https://search.maven.org/
https://ossindex.sonatype.org/
https://retirejs.github.io
https://github.com/advisories
https://registry.npmjs.org
https://www.npmjs.com
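Problems 2, 4 and 5 below all come down to one of these hosts being unreachable from the build agent, so a pre-flight probe of the list saves a failed scan. The script is an added example, not code from the post or from the Dependency-Check project; the function names, the status-code policy (2xx/3xx reachable, everything else blocked) and the DC_PROBE switch are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: probe the hosts that
# dependency-check talks to and report which ones the build agent cannot reach.
set -u

# Root URLs from the post's list plus the NVD meta file from problem 2.
DC_ENDPOINTS="
https://nvd.nist.gov
https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
https://search.maven.org/
https://ossindex.sonatype.org/
https://retirejs.github.io
https://github.com/advisories
https://registry.npmjs.org
https://www.npmjs.com
"

# probe_url URL -> prints the HTTP status code; 000 when the connection
# itself fails (DNS, timeout, proxy refused) or curl is not installed.
# Kept as a separate function so it can be replaced by a stub for testing.
probe_url() {
    local code
    code=$(curl -s -o /dev/null --max-time 15 -w '%{http_code}' "$1" 2>/dev/null)
    echo "${code:-000}"
}

# is_reachable CODE -> 0 for 2xx/3xx (the host answered, redirects count);
# anything else is treated as blocked: 000 means no connection at all,
# 403/407 usually means a corporate proxy denied the request.
is_reachable() {
    case "$1" in
        2??|3??) return 0 ;;
        *) return 1 ;;
    esac
}

# check_endpoints -> prints one OK/BLOCKED line per endpoint and returns
# the number of blocked endpoints, so 0 means the scan can run online.
check_endpoints() {
    local url code blocked=0
    for url in $DC_ENDPOINTS; do
        code=$(probe_url "$url")
        if is_reachable "$code"; then
            echo "OK      $url"
        else
            echo "BLOCKED $url (http $code)"
            blocked=$((blocked + 1))
        fi
    done
    return "$blocked"
}

# Only touch the network when explicitly asked (DC_PROBE=1), so the file can
# also be sourced just for its functions.
if [ "${DC_PROBE:-0}" = 1 ]; then
    check_endpoints
fi
```

Run it on the Jenkins agent with `DC_PROBE=1 bash check-dc-endpoints.sh`; a non-zero exit status is the count of blocked hosts, and each BLOCKED line names the proxy rule to request or the analyzer to switch off.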
sh dependency-check.sh --help

--advancedHelp Print the advanced help message.
--enableExperimental Enables the experimental analyzers.
--exclude <pattern> Specify an exclusion pattern. This option can be specified multiple times and it accepts Ant style exclusions.
-f,--format <format> The report format (HTML, XML, CSV, JSON,JUNIT, SARIF, or ALL). The default is HTML. Multiple format parameters can be specified.
--failOnCVSS <score> Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.
-h,--help Print this message.
--junitFailOnCVSS <score> Specifies the CVSS score that is considered a failure when generating the junit report. The default is 0.
-l,--log <file> The file path to write verbose logging information.
-n,--noupdate Disables the automatic updating of the CPE data.
-o,--out <path> The folder to write reports to. This defaults to the current directory. It is possible to set this to a specific file name if the format argument is not set to ALL.
--prettyPrint When specified the JSON and XML report formats will be pretty printed.
--project <name> The name of the project being scanned.
-s,--scan <path> The path to scan - this option can be specified multiple times. Ant style paths are supported (e.g. 'path/**/*.jar'); if using Ant style paths it is highly recommended to quote the argument value.
--suppression <file> The file path to the suppression XML file. This can be specified more then once to utilize multiple suppression files
-v,--version Print the version information.
Troubleshooting problems met during use

问题1:.NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
Cause: the .NET Assembly Analyzer could not be initialized because at least one 'exe' or 'dll' was scanned and the 'dotnet' executable was not found on the PATH; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.

Problem 2: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
Cause: the vulnerability database loads slowly or fails to load because access to that address is restricted.
Fix: grant access to the address, or host the vulnerability database locally.

Problem 3: An error occurred while analyzing '/data/appdeploy/jenkins/workspace/MPC_TEST_GROUP/OWASP_Dependency-Check_FT/code/databoard-web/package-lock.json' (Node Audit Analyzer).
Cause: https://registry.npmjs.org/-/npm/v1/security/audits cannot be reached.
Fix: grant access to that path, or add -DnodeAuditAnalyzerEnabled=false to the Jenkins build parameters to suppress this class of check.

Problem 4: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Could not connect to Central search. Analysis failed.
Cause: the Maven address https://search.maven.org cannot be reached.
Fix: grant access to the address; see https://issues.jenkins.io/browse/JENKINS-47991.
Problem 5: An error occurred while analyzing '/data/appdeploy/jenkins/workspace/MPC_TEST_GROUP/OWASP_Dependency-Check_FT/code/databoard-web/.eslintrc.js' (Sonatype OSS Index Analyzer).
Failed to request component-reports
Cause: the address https://ossindex.sonatype.org cannot be reached.
Fix: grant access to the address, or add --disableOssIndex to the build parameters to suppress this class of check.

Problem 6: No lock file exists - this will result in false negatives; please run `npm install --package-lock`
Analyzing `/data/appdeploy/jenkins/workspace/MPC_TEST_GROUP/OWASP_Dependency-Check_FT/code/databoard-web/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
Cause: the package-lock needs to be installed.
Fix: run npm install --package-lock on the Jenkins server.

Problem 7: node module fsevents seems optional and not installed
Cause: fsevents is a macOS module; you are running on Windows or Linux, which is why the warning appears. It can be ignored.