By name: owasp-scan
description: OWASP dependency vulnerability scan - Use OWASP Dependency-Check to detect known CVE vulnerabilities in project dependencies
OWASP Security Scan Skill
๐ Overview
Use OWASP Dependency-Check to scan project dependencies, detecting:
๐ Known CVE vulnerabilities
๐ NVD database comparison
๐ Compliance report generation
๐จ High-risk vulnerability alerts
๐ง Prerequisites
| Tool | Min Version | Installation |
|------|-------------|--------------|
| Java | 11+ | adoptium.net |
| OWASP Dependency-Check | 12.0+ | Download CLI |
Optional: Apply for NVD API Key to speed up scanning
๐ Usage
Scan current project:
.\.agent\skills\owasp-scan\scripts\scan.ps1
Specify scan directory:
.\.agent\skills\owasp-scan\scripts\scan.ps1 -Path .\src
Use NVD API Key:
$env:NVD_API_KEY = "your-api-key"
.\.agent\skills\owasp-scan\scripts\scan.ps1
Generate HTML report:
.\.agent\skills\owasp-scan\scripts\scan.ps1 -Format html
๐ฏ Detection Scope
Supported Languages/Tools
โ Python (pip, pipenv, poetry)
โ JavaScript/TypeScript (npm, yarn, pnpm)
โ Java (Maven, Gradle)
โ .NET (NuGet)
โ Ruby (Bundler)
โ Go (go.mod)
โ PHP (Composer)
Scan Content
CVE vulnerability IDs
CVSS scores (2.0 / 3.x)
Affected version ranges
Recommended fix versions
๐ Output Example
๐ OWASP Dependency-Check - Scanning project dependencies...
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฆ Dependencies found: 45
๐ Scanning vulnerability database...
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CRITICAL (CVSS 9.8)
Package: requests@2.25.0
CVE: CVE-2023-32681
Description: Unintended leak of Proxy-Authorization header
Recommendation: Upgrade to requests >= 2.31.0
โ ๏ธ HIGH (CVSS 7.5)
Package: django@3.2.0
CVE: CVE-2023-31047
Description: Potential denial-of-service in file uploads
Recommendation: Upgrade to django >= 3.2.19
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Scan Results:
โ Critical: 1
โ ๏ธ High: 1
โ ๏ธ Medium: 3
๐ก Low: 2
๐ Detailed report: ./dependency-check-report.html
โ๏ธ Configuration
Create dependency-check.properties:
# NVD API Key
nvd.api.key=${NVD_API_KEY}
# Suppress false positives
suppression.file=./dependency-suppression.xml
# Scan timeout (seconds)
connection.timeout=30
# Only report specific severity levels
failBuildOnCVSS=7.0
# Project name
project=MyProject
Create false positive suppression file dependency-suppression.xml:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Suppress specific CVE -->
<suppress>
<notes>False positive - not using vulnerable functionality</notes>
<cve>CVE-2023-12345</cve>
</suppress>
<!-- Suppress specific package -->
<suppress>
<notes>Dev dependency only</notes>
<gav regex="true">^org\.example:test-utils:.*$</gav>
</suppress>
</suppressions>
๐ CI/CD Integration
GitHub Actions
name: OWASP Dependency Check
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run OWASP Dependency-Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'MyProject'
path: '.'
format: 'HTML'
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
- name: Upload Report
uses: actions/upload-artifact@v4
with:
name: dependency-check-report
path: dependency-check-report.html
๐ FAQ
Q: Is NVD API Key required?
A: Not required but strongly recommended. Without API Key, updates are slow (<10 req/min)
Q: How to handle false positives?
A: Use dependency-suppression.xml file to suppress false positives
Q: Scan is slow, what can I do?
A: 1) Use NVD API Key 2) Cache NVD database 3) Incremental scan
Q: Does it support private repositories?
A: Yes, but private library vulnerability info needs to be public in NVD