DepSec - Automated Software Dependency Security Analysis Tool (DependencyCheck Wrapper)
DepSec is an automated software dependency security analysis tool whose core functionality is entirely based on the DependencyCheck project. DepSec adds a few features on top of it and is built to run the dependency security analysis on a schedule using cron jobs.
Main Functions and Features:

- DepSec installation together with DependencyCheck.
- DepSec configuration file generation.
- Automated dependency installation for the project (npm, yarn and composer).
- System package and DependencyCheck update.
- Scan and generate a report using DependencyCheck.
- Automatically email the report.
- ...and more
This project is completely based on the DependencyCheck project: depsec is a simple wrapper over the DependencyCheck application that automates its process and adds some extra features.
DependencyCheck : https://github.com/jeremylong/DependencyCheck
This project was originally developed for a specific purpose, but due to unforeseen circumstances, it is no longer required. As a result, I’m sharing it with the community in the hope that it proves useful. Contributions to this project are welcome and appreciated. Thank you for your support!
You can execute the following to install depsec on your system:

```bash
git clone https://github.com/rvizx/depsec
cd depsec
chmod +x depsec.sh
./depsec.sh --install
```

Note: Currently the installation is configured only for Debian-based systems. depsec can still be used on other operating systems by installing the following manually.

The following set of dependencies will be installed before the DependencyCheck installation:

```
git wget unzip curl maven nodejs npm composer yarn
```

Note: The current prerequisites are configured for the specific project depsec was initially planned to run against, so they may not include every dependency required by other projects.
This will automatically download the latest compiled release of DependencyCheck and set it up in the ~/.local/share/dependency-check/ directory. The exact location of the DependencyCheck binary is:

```
~/.local/share/dependency-check/bin/dependency-check.sh
```
- Get an NVD API key from https://nvd.nist.gov/developers/request-an-api-key
- Create a MailTrap account and get the MailTrap API key from https://mailtrap.io/
Note: depsec is expected to be executed in a bash environment, mainly because its configuration relies on environment variables set through it. If you use another shell you can set those variables manually.
Running `./depsec.sh --config` will ask you to enter the API keys mentioned above. Their format should be as follows:

| NVD API Key | MAILTRAP API Key |
|---|---|
| c3XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXp0 | api:9aXXXXXXXXXXXXXXXXXXXXXXXXXX9 |
For the automation, it's necessary to set up a cron job on the system:

```bash
crontab -e
```

```
* * * * * /path/to/depsec.sh --scan
- - - - -
| | | | |
| | | | +----- Day of week (0 - 7) (Sunday is both 0 and 7)
| | | +------- Month (1 - 12)
| | +--------- Day of month (1 - 31)
| +----------- Hour (0 - 23)
+------------- Minute (0 - 59)
```

Example: to set up a cron job that runs every Monday at 9:30 AM:

```
30 9 * * 1 /path/to/depsec.sh --scan
```
```bash
./depsec.sh --scan
```

The above command scans the project folder: it runs DependencyCheck on the project folder that was specified during `./depsec.sh --config`. The report is generated in the /tmp directory as depsec-report.html and is then compressed into a .zip file for emailing. Once the email has been sent, both the report and the compressed archive are deleted from /tmp for security reasons.
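As an added example, not DepSec's own code, the following shell script shows the scan, package, email and delete flow described above in the shape a cron-driven wrapper needs: it reads the depsec .env file without sourcing it, refuses a .env that other users can read, keeps the report in a private temporary directory instead of a fixed /tmp path, passes the NVD key to DependencyCheck through a 0600 property file rather than on the command line, and removes everything on exit even when the scan fails. The names DEPSEC_DC_BIN, DEPSEC_MAILER and NVD_API_KEY are assumptions made here; DEPSEC_PROJECT is the .env key the README uses. The archive is a tar.gz rather than a .zip so the example needs no extra package. The `--propertyfile`, `--project`, `--scan`, `--format` and `--out` flags and the `nvd.api.key` property are DependencyCheck's own.

```shell
#!/bin/sh
# Added example (not DepSec's own code). Assumed names: DEPSEC_DC_BIN (path to
# dependency-check.sh), DEPSEC_MAILER (a shell function that receives the
# archive path) and the .env keys DEPSEC_PROJECT and NVD_API_KEY.
set -eu

: "${DEPSEC_DC_BIN:=${HOME:-}/.local/share/dependency-check/bin/dependency-check.sh}"
: "${DEPSEC_MAILER:=depsec_mail_stub}"

# 1. Refuse a .env that other users can read: it holds the NVD and Mailtrap keys.
#    Parsing `ls -ld` keeps this portable between GNU and BSD userlands.
depsec_check_env_perms() {
  mode=$(ls -ld "$1" | cut -c5-10)      # group and other permission bits
  [ "$mode" = "------" ]
}

# 2. Load KEY=value lines into the environment without `. .env`, so a line
#    injected into .env is treated as data, not run as the cron user.
#    cron starts with an almost empty environment, so the wrapper must do this
#    itself instead of relying on variables a login shell would have set.
depsec_load_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac        # blank lines and comments
    case "$line" in *=*) ;; *) continue ;; esac      # must look like KEY=value
    key=${line%%=*}
    case "$key" in ''|*[!A-Za-z0-9_]*) continue ;; esac   # reject odd keys
    val=${line#*=}
    case "$val" in \"*\") val=${val#\"}; val=${val%\"} ;; esac   # strip quotes
    export "$key=$val"
  done < "$1"
}

# Default mailer: only records what would be sent. Replace with the Mailtrap call.
depsec_mail_stub() {
  echo "would email $1 ($(wc -c < "$1") bytes)"
}

# 3. Scan, package, hand off, clean up. The work dir is a private mktemp dir
#    rather than a fixed /tmp/depsec-report.html, and the NVD key goes through a
#    0600 property file (DependencyCheck's nvd.api.key) instead of the command
#    line, where `ps` would show it to every user on the host.
depsec_scan() {
  [ -d "$DEPSEC_PROJECT" ] || { echo "no such project dir: $DEPSEC_PROJECT" >&2; return 1; }
  workdir=$(mktemp -d "${TMPDIR:-/tmp}/depsec.XXXXXX")
  trap 'rm -rf "$workdir"' EXIT                      # cleanup even if the scan fails
  ( umask 077; printf 'nvd.api.key=%s\n' "$NVD_API_KEY" > "$workdir/dc.properties" )
  "$DEPSEC_DC_BIN" --propertyfile "$workdir/dc.properties" \
      --project "$(basename "$DEPSEC_PROJECT")" \
      --scan "$DEPSEC_PROJECT" --format HTML --out "$workdir"
  report="$workdir/dependency-check-report.html"     # DependencyCheck's default HTML name
  [ -s "$report" ] || { echo "scan produced no report" >&2; return 1; }
  mv "$report" "$workdir/depsec-report.html"
  # tar+gzip here so the example needs no `zip` package; DepSec itself zips.
  (cd "$workdir" && tar -czf depsec-report.tgz depsec-report.html)
  "$DEPSEC_MAILER" "$workdir/depsec-report.tgz"
  rm -rf "$workdir"                                  # report, archive and key file gone
  trap - EXIT
}
```

Run it from the cron entry as `depsec_check_env_perms /path/to/depsec/.env && depsec_load_env /path/to/depsec/.env && depsec_scan`, with DEPSEC_MAILER pointing at a function that posts the archive to the Mailtrap API. Two caveats that apply to any wrapper of this kind: a report written to a fixed path in /tmp is readable by other users on a shared host until it is deleted, and an API key passed as a command-line flag is visible in `ps` for the whole duration of the scan; the private mktemp directory and the property file above are the usual fixes for both.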
If you need to change the project folder that is scanned, you can run `--config` again (not recommended). The recommended way to reconfigure is to update the .env file's DEPSEC_PROJECT setting:

```bash
cd /path/to/depsec/
nano .env
```

Edit the line with DEPSEC_PROJECT and set the new project folder:

```
DEPSEC_PROJECT="/opt/new-project"
```

```bash
./depsec.sh --update
```

The above command updates depsec: it updates the system dependencies that were previously installed as prerequisites and also updates the DependencyCheck binary to the latest version.
```bash
./depsec.sh --uninstall
```

By executing the above command you can remove depsec from your system. This removes the DependencyCheck binary downloaded to ~/.local/share/dependency-check/ and also removes the cloned depsec directory, including the .env file.
