Dependency-Analyzer is built to compare and correlate dependency tree and dependency check reports and thus gain insights into the source of all vulnerable dependencies and the CVEs associated with them. The output is generated such that it gives information about all vulnerable dependencies and pinpoints where exactly it came from in the software/project.
- python3
- dependency check report in
csvorcsv.gzformat. - dependency tree in
.txtformat.
python3 main.py <dependency_tree_file_path> <dependency_check_report_path>
- For maven based projects, the dependency tree can be generated using
mvn dependency:tree [-DoutputFile=output_file.txt] - For npm based projects, the dependency tree can be generated using
npm list >> output_file.txt- By default,
npm listgenerates output with unicode characters. Make sure that the unicode character scheme is set to false so that the text is parsable by python. To do so, usenpm config set unicode false
- By default,
- For sbt based projects, the sbt-dependency-graph plugin can be used to generate dependency tree. Eg:
sbt "dependencyTree::toFile output_file.txt"- Note: using the plugin version >=0.10.0-RC1 allows the tree to be stored in a text file.
- Dependency Check tool can be used to gather security-related information about various dependencies used in a project: https://github.com/jeremylong/DependencyCheck.
- The different langauges supported by the tool for scanning are present here.
The output lists all vulnerable dependencies in a project upon correlating the dependency tree with the dependency check report. For each dependency, the output shows the source of the dependency (snippet of dependency tree), the CVE(s) associated with it, the CVSSv2 and CVSSv3 scores. Also, if a dependency tree is the output of building a large project/software with various sub-projects, the "projects" key in the output shows all those the sub-project(s) that pulls in the particular dependency.
Apache Spark and Apache Druid projects are scanned/built and their corresponding dependency trees and dependency check reports are stored in the examples/ folder.
- A sample output of running Dependency-Analyzer on Druid, is stored at
examples/output.json.