Automating dependency scans using Dependency Check & CycloneDX

Terminology

CycloneDX: A schema for creating a BOM (bill of materials) for a software project. A BOM gives organisations or individuals a precise, exchangeable list of what a piece of software is built from. Conversely, a bill of materials received from another organisation can be examined for open-source licences and known vulnerabilities. Dependency-Track accepts SPDX as a bill of materials alongside CycloneDX schema 1.0, which makes cross-organisation transport of software component information much easier.

Purl (Package URL): Simply put, a common notation for naming dependencies across the package ecosystems of different programming languages (pkg:type/namespace/name@version). It is both machine- and human-readable, which makes life easier for software reviewers and acquirers.

CPE (Common Platform Enumeration): Identifies a product and a specific version of it in a URI-style scheme.

CVE (Common Vulnerabilities and Exposures): An identifier for one publicly disclosed vulnerability. The NVD record for a CVE carries the CVSS score, the affected CPEs and other details about what in a software component is insecure.

CWE (Common Weakness Enumeration): A catalogue of weakness types; a CWE names the pattern of weakness that a specific section of code introduces.

Exploit: Code, input or configuration that takes advantage of a weakness (CWE) present in a particular product version (CPE). When such a vulnerability is publicly disclosed it is assigned a CVE for identification.

Intent: When the steps below are done right, they give a person, group or organisation the ability to understand a specific software project in terms of its known weaknesses, and to share that information in a format that others can consume easily or use to reproduce the same results.

1. Generate BOM (Bill of Materials) - Pre-build
2. Examine BOM - Post-build

Why should I care about software dependencies that have security weaknesses?
OWASP has a wonderful page dedicated to this topic at https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

References

CWE: https://nvd.nist.gov/vuln/categories
CPE: https://nvd.nist.gov/products/cpe
CVE: https://cve.mitre.org/
SPDX: https://spdx.org
CycloneDX: https://cyclonedx.org/
Purl (Package URL): https://github.com/package-url/purl-spec

Lastly and most importantly: Dependency-Track
https://dependencytrack.org/
https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
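The two steps above (generate a BOM, then hand it to Dependency-Track for examination) end-to-end, as an added example that is not code from the page, from CycloneDX or from Dependency-Track. It parses a constructed pip requirements file, builds a purl for each pinned package, emits a CycloneDX JSON BOM (spec 1.4 rather than the schema 1.0 mentioned above, since 1.0 is XML only), and assembles the upload request in the shape Dependency-Track's REST API documents (PUT /api/v1/bom, JSON body with the base64-encoded BOM, API key in the X-Api-Key header). The base URL, API key and project UUID are placeholders, and the request is returned rather than sent so the script runs offline.

```python
"""Added example: requirements -> purls -> CycloneDX BOM -> Dependency-Track
upload request. Not code from the page, CycloneDX or Dependency-Track."""
import base64
import json
import re
from urllib.parse import quote

# Constructed sample input (not from any real project): a pip requirements file.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==1.0.2
requests==2.19.1   # pinned for reproducibility
PyYAML==3.13
"""

# Only exact pins belong in a BOM: a range such as ">=1.0" is not a component
# version, so such lines are rejected rather than guessed at.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def parse_requirements(text):
    """Return (name, version) pairs for exactly pinned requirements.
    Comment and blank lines are skipped; an unpinned line raises ValueError."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError("not an exact pin, cannot put in BOM: %r" % raw)
        pins.append((m.group(1), m.group(2)))
    return pins


def make_purl(ptype, name, version, namespace=None):
    """Build a Package URL: pkg:type/namespace/name@version.
    The purl spec lowercases pypi names and maps '_' to '-' so that the same
    package always gets the same purl regardless of how it was spelled."""
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    parts = [quote(namespace, safe="")] if namespace else []
    parts.append(quote(name, safe=""))
    return "pkg:%s/%s@%s" % (ptype, "/".join(parts), quote(version, safe=""))


def build_bom(pins, ptype="pypi"):
    """Minimal CycloneDX JSON BOM (spec 1.4) with one library component per pin."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": make_purl(ptype, n, v)}
        for n, v in pins
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def build_upload_request(bom, base_url, api_key, project_uuid):
    """Shape of Dependency-Track's BOM upload: PUT /api/v1/bom, JSON body with
    the project UUID and the base64-encoded BOM, API key in X-Api-Key.
    Returns (url, headers, body) instead of sending, so this runs offline."""
    body = {"project": project_uuid,
            "bom": base64.b64encode(json.dumps(bom).encode()).decode()}
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    return base_url.rstrip("/") + "/api/v1/bom", headers, json.dumps(body)


def decode_bom_from_request(body):
    """Reverse the encoding, to check exactly what would be sent."""
    return json.loads(base64.b64decode(json.loads(body)["bom"]))


if __name__ == "__main__":
    bom = build_bom(parse_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(bom, indent=2))
    # Placeholder server, key and project UUID (assumptions, not real values).
    url, headers, body = build_upload_request(
        bom, "http://dtrack.example:8080", "<api-key>", "<project-uuid>")
    print(url, headers)
```

Once the request is sent, Dependency-Track matches each component's purl (or CPE) against its vulnerability sources and reports the CVEs; the BOM itself says nothing about vulnerabilities, which is why the examine step is separate from, and later than, the generate step.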