Lots of vulnerabilities in applications are closely related to outdated third-party components.
And the best mitigation for such types of vulnerabilities is the implementing components version control. And here it is – OWASP Dependency Checker. This tool can be easily used if you are the only developer of the application and build your application on your own computer or if you’re going to embed this control into CI/CD pipeline.
Setting up OWASP Dependency Checker
The first of all we have to add it as a plugin in gradle.build file:
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:6.1.5'
}
}
apply plugin: 'org.owasp.dependencycheck'After that we need to Sync our gradle by clicking “Sync now” here:
And that’s it. The plugin ready for work. We can launch the plugin from the graddle menu:
And as a result, we will get a list of vulnerable or message that all components are up-to-date (if they are):
> Task :dependencyCheckAnalyze
Verifying dependencies for project ...
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project ...
Found 0 vulnerabilities in project ...