[Owasp_dependency_track_project] how to specify a jar in Dtrack to know whether it is vulnerable.
Anuj Jain
ajain at sciquest.com
Tue Mar 29 13:38:42 UTC 2016
Hi,
I am trying to determine vulnerabilities in a bunch of open source jars and thought Dtrack would be a good tool (if anyone else has any other suggestions, let me know; the requirement is that we have a spreadsheet with a bunch of jar names, so Maven etc. is not an option).
I have downloaded OWASP Dependency-Track war (dtrack.war) and have been able to get it up and running on Tomcat (it also created a C:\Users\myself\dependency-track dir).
I can log in to the web interface http://localhost:8080/dtrack/libraries but after that I am lost. I have not been able to find documentation on where/how to specify a library for which the tool can tell me whether it has known vulnerabilities.
I was hoping to add the following information and more (either manually or via a CSV uploaded into the web app) and let Dtrack tell me whether there are any known vulnerabilities.
Library                   Jar                    Version  License     License URL                                 Homepage
StAX API                  stax-api.jar           1.0.1    Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://stax.codehaus.org/
XMLBeans                  xbean.jar              2.6      Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://xmlbeans.apache.org/
jXLS                      jxls-core.jar          1.0.6    LGPL 3.0    http://jxls.sourceforge.net/license.html    http://jxls.sourceforge.net/
Apache Commons BeanUtils  commons-beanutils.jar  1.8.2    Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://commons.apache.org/beanutils/
Apache Commons Digester   commons-digester.jar   2.1      Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://commons.apache.org/digester/
I tried searching for keywords, vendors etc., but none of the drop-downs is populated or returns any results. For example, if I do a keyword search on "apache" (under the Search tab), I was expecting Apache-related results, but it does not return any.
It is rather urgent and I would appreciate any pointers.
Thanks,
AJ
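Added example (not from the post above and not Dependency-Track project code) showing the shape of the input the poster wanted to hand the tool. It assumes a later Dependency-Track release (v3 and up), which ingests a CycloneDX BOM through PUT /api/v1/bom with an X-Api-Key header; the 1.x web app the poster was running has no such endpoint. The spreadsheet from the post carries no Maven groupId/artifactId columns, so the constructed CSV below adds them, and those coordinates, the SPDX license identifiers, the project name and the `lib` jar directory are all assumptions. The script also hashes each jar it can find on disk, which is the check a practitioner wants: a jar whose real contents differ from the version written in the spreadsheet is otherwise scanned as the wrong version.

```python
"""Build a CycloneDX BOM from a spreadsheet of jars for Dependency-Track.

Added example, not code from the original post or the Dependency-Track
project. Assumes Dependency-Track v3+ (PUT /api/v1/bom); the Maven
coordinates and SPDX ids in the constructed CSV are assumptions.
"""
import base64
import csv
import hashlib
import io
import json
import uuid
from pathlib import Path
from typing import Optional

# Constructed input: the five rows from the post, plus assumed Maven
# coordinates (group, artifact) and SPDX license identifiers.
SPREADSHEET_CSV = """name,group,artifact,jar,version,license
StAX API,stax,stax-api,stax-api.jar,1.0.1,Apache-2.0
XMLBeans,org.apache.xmlbeans,xmlbeans,xbean.jar,2.6,Apache-2.0
jXLS,net.sf.jxls,jxls-core,jxls-core.jar,1.0.6,LGPL-3.0-only
Apache Commons BeanUtils,commons-beanutils,commons-beanutils,commons-beanutils.jar,1.8.2,Apache-2.0
Apache Commons Digester,commons-digester,commons-digester,commons-digester.jar,2.1,Apache-2.0
"""


def parse_rows(text: str) -> list:
    """Read the spreadsheet export; rows without a version cannot be matched."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return [r for r in rows if r.get("version", "").strip()]


def maven_purl(group: str, artifact: str, version: str) -> str:
    """Package URL for a Maven artifact: pkg:maven/<group>/<artifact>@<version>."""
    return f"pkg:maven/{group}/{artifact}@{version}"


def jar_sha1(jar_path: str) -> Optional[str]:
    """SHA-1 of the jar actually on disk, or None if the file is absent.

    Comparing this against the hash Maven Central publishes for the claimed
    version is how you catch a mislabelled jar before trusting the scan.
    """
    path = Path(jar_path)
    if not path.is_file():
        return None
    return hashlib.sha1(path.read_bytes()).hexdigest()


def component_for(row: dict, jar_dir: Optional[str] = None) -> dict:
    """One CycloneDX 'library' component per spreadsheet row."""
    comp = {
        "type": "library",
        "group": row["group"],
        "name": row["artifact"],
        "version": row["version"],
        "purl": maven_purl(row["group"], row["artifact"], row["version"]),
        "licenses": [{"license": {"id": row["license"]}}],
        "description": row["name"],
    }
    if jar_dir is not None:
        digest = jar_sha1(str(Path(jar_dir) / row["jar"]))
        if digest:
            comp["hashes"] = [{"alg": "SHA-1", "content": digest}]
    return comp


def build_bom(rows: list, jar_dir: Optional[str] = None) -> dict:
    """Minimal CycloneDX 1.4 JSON document listing every row as a component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": [component_for(r, jar_dir) for r in rows],
    }


def upload_payload(bom: dict, project: str, version: str) -> dict:
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded, and
    autoCreate lets Dependency-Track create the project on first upload."""
    encoded = base64.b64encode(json.dumps(bom).encode("utf-8")).decode("ascii")
    return {"projectName": project, "projectVersion": version,
            "autoCreate": True, "bom": encoded}


def decode_payload(payload: dict) -> dict:
    """Inverse of upload_payload, used to check what the server will see."""
    return json.loads(base64.b64decode(payload["bom"]))


if __name__ == "__main__":
    bom = build_bom(parse_rows(SPREADSHEET_CSV), jar_dir="lib")  # assumed dir
    body = upload_payload(bom, "spreadsheet-jars", "1")           # assumed project
    Path("payload.json").write_text(json.dumps(body))
    # Then, against an assumed local server:
    #   curl -X PUT -H "X-Api-Key: $DT_API_KEY" -H "Content-Type: application/json" \
    #        -d @payload.json http://localhost:8080/api/v1/bom
```

Once the BOM is in, the project's findings page lists the known vulnerabilities per component; components with no purl or CPE are not analysed, which is why the assumed group/artifact columns matter more than the license and homepage columns from the spreadsheet.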