OWASP dependency check and authentication proxy and me

What is the OWASP dependency check?

I think the project site is the easiest place to start. As it explains there, dependency-check is a tool that inspects a project's dependencies and reports any library that has publicly disclosed, known vulnerabilities.

Originally a tool for Java and .NET applications, it now also supports a number of other ecosystems, though only as experimental analyzers.

Execution environment

OS: CentOS 7.7
OWASP dependency-check: 5.3.0

Symptom

I used the CLI version. Following the manual, I passed the proxy server, proxy port and proxy credentials as command-line arguments and ran it, but it died with a long, messy stack trace. Buried in it was the following familiar error message:

Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"


 Dead end. Proxy Authentication Required, even though the proxy credentials were specified.

# Cause
 Starting with Java 8 Update 111, the java.net HTTP client (HttpURLConnection) no longer uses Basic authentication by default when it tunnels an HTTPS connection through a proxy, that is, for the CONNECT request. Oracle disabled it because Basic sends the proxy credentials only Base64-encoded, effectively in cleartext; the default is implemented by listing Basic in the networking property jdk.http.auth.tunneling.disabledSchemes. dependency-check fetches its vulnerability data over HTTPS, so when the proxy offers only Basic the JVM never answers the proxy's challenge with the supplied credentials, and the 407 surfaces as the exception above.

Reference URL: https://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html

However, there is a workaround: pass the following option to the JVM. Setting the property to an empty list re-enables every scheme, Basic included, for tunnelling.

-Djdk.http.auth.tunneling.disabledSchemes=""

Be aware that this restores exactly what Oracle disabled: the proxy user name and password travel Base64-encoded in the CONNECT request to the proxy. That is usually acceptable between a build host and a proxy on the same trusted network, but use a dedicated, low-privilege proxy account rather than a personal domain login.



# Solution
 I knew the JVM fix, but not how to apply it to the OWASP tool.
 The CLI version of dependency-check is launched by a shell script (dependency-check.sh), and a peek inside showed that the contents of an environment variable called JAVA_OPTS are handed straight through to the java command line.

# Conclusion
 It can be executed as follows. The property is set to the empty string; no extra quotes are needed inside JAVA_OPTS, because the value after = is simply empty.

export JAVA_OPTS="${JAVA_OPTS} -Djdk.http.auth.tunneling.disabledSchemes="
dependency-check.sh --project [project name] --scan [scan target directory path] --proxyserver [proxy server name] --proxyport [proxy port] --proxyuser [proxy authentication ID] --proxypass [proxy authentication password]

 Note that the password given to --proxypass ends up in the shell history and is visible to other local users in the process list for as long as the scan runs.
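As an added example, not code from the original post or from the OWASP project: a POSIX sh wrapper that ties together the JVM option from the Cause section and the JAVA_OPTS invocation above. It assumes dependency-check.sh is on PATH and passes $JAVA_OPTS through to java unchanged, that the proxy accepts Basic on the CONNECT request, and that the proxy password is kept in a file readable only by the build user; the function and variable names (needs_tunneling_fix, build_java_opts, check_proxy, run_dependency_check, TUNNEL_FIX) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OWASP project.
# Wrapper for running dependency-check.sh behind an authenticating HTTP proxy.
# Assumed (not verified here): dependency-check.sh is on PATH and passes
# $JAVA_OPTS through to java unchanged, the proxy accepts Basic on CONNECT,
# and the proxy password lives in a file readable only by the build user.

TUNNEL_FIX='-Djdk.http.auth.tunneling.disabledSchemes='

# Return 0 when a JVM reporting this java.version string disables Basic for
# HTTPS tunnelling by default: Java 8 from update 111 on, and every later
# release. The string is passed in so the check runs without a JVM; at runtime
# obtain it with:
#   java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java.version = //p'
needs_tunneling_fix() {
    case "$1" in
        1.[0-7].*) return 1 ;;            # Java 7 and older: the property does not exist
        1.8.0_*)
            upd="${1#1.8.0_}"             # "1.8.0_242-b08" -> "242-b08"
            upd="${upd%%[!0-9]*}"         # keep the leading digits only
            [ "${upd:-0}" -ge 111 ] ;;
        1.8*) return 1 ;;                 # early 8 builds without an update number
        *) return 0 ;;                    # 9 and later (new version scheme)
    esac
}

# Print JAVA_OPTS with the fix appended exactly once, so the wrapper is safe to
# run in a shell where JAVA_OPTS already carries it.
build_java_opts() {
    case " $1 " in
        *" $TUNNEL_FIX "*) printf '%s\n' "$1" ;;
        "  ")              printf '%s\n' "$TUNNEL_FIX" ;;
        *)                 printf '%s\n' "$1 $TUNNEL_FIX" ;;
    esac
}

# Confirm the credentials against the proxy before starting a long scan. curl
# sends the same CONNECT with "Proxy-Authorization: Basic" that the patched JVM
# will, so a 407 here means the account or the scheme is wrong, not Java.
# Arguments: proxy_host proxy_port proxy_user proxy_pass
check_proxy() {
    curl -fsS -o /dev/null --proxy "http://$1:$2" --proxy-user "$3:$4" \
        https://nvd.nist.gov/
}

# Build and run the dependency-check command line.
# Arguments: project scan_dir proxy_host proxy_port proxy_user password_file
# The password is read from a file so it stays out of shell history; it is
# still visible in the process list while the scan runs, because the CLI only
# takes it via --proxypass. With DRY_RUN=1 the command is printed (password
# masked) instead of executed.
run_dependency_check() {
    project="$1"; scan_dir="$2"; proxy_host="$3"; proxy_port="$4"
    proxy_user="$5"; pass_file="$6"
    proxy_pass=$(cat "$pass_file") || return 2
    JAVA_OPTS=$(build_java_opts "${JAVA_OPTS:-}")
    export JAVA_OPTS
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'JAVA_OPTS=%s\n' "$JAVA_OPTS"
        printf 'dependency-check.sh --project %s --scan %s --proxyserver %s --proxyport %s --proxyuser %s --proxypass ***\n' \
            "$project" "$scan_dir" "$proxy_host" "$proxy_port" "$proxy_user"
        return 0
    fi
    dependency-check.sh --project "$project" --scan "$scan_dir" \
        --proxyserver "$proxy_host" --proxyport "$proxy_port" \
        --proxyuser "$proxy_user" --proxypass "$proxy_pass"
}

# Example usage (needs dependency-check.sh, curl and proxy access; host,
# account and file names are placeholders):
#   check_proxy proxy.example.com 3128 dc-scan "$(cat ~/.dc-proxy-pass)" \
#     && run_dependency_check myapp ./target proxy.example.com 3128 dc-scan ~/.dc-proxy-pass
```

check_proxy is worth running first: a 407 from curl with --proxy-user (Basic by default) proves the account is rejected regardless of the JVM setting, and saves digging through another stack trace. The fix is appended to JAVA_OPTS unconditionally; on a JVM older than 8u111 the property is simply an unused system property, so needs_tunneling_fix is there to explain why the option is needed rather than to gate it.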


