[Owasp_dependency_track_project] how to specify a jar in Dtrack to know whether it is vulnerable.

Anuj Jain ajain at sciquest.com
Tue Mar 29 13:38:42 UTC 2016


Hi,

I am trying to determine vulnerabilities in a bunch of open source jars and thought Dtrack would be a good tool (if anyone else has any other suggestions, let me know; the requirement is that we have a spreadsheet with a bunch of jar names, so Maven etc. is not an option).

I have downloaded OWASP Dependency-Track war (dtrack.war) and have been able to get it up and running on Tomcat (it also created a C:\Users\myself\dependency-track dir).


I can log in to the web interface http://localhost:8080/dtrack/libraries but after that I am lost. I have not been able to find documentation on where/how to specify a library for which the tool can tell me whether it has known vulnerabilities.

I was hoping to add the following information and more (either manually or as a CSV to upload into the web app) and let Dtrack tell me whether there are any known vulnerabilities.

Library                   Jar                    Version  License     License URL                                 Homepage
StAX API                  stax-api.jar           1.0.1    Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://stax.codehaus.org/
XMLBeans                  xbean.jar              2.6      Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://xmlbeans.apache.org/
jXLS                      jxls-core.jar          1.0.6    LGPL 3.0    http://jxls.sourceforge.net/license.html    http://jxls.sourceforge.net/
Apache Commons BeanUtils  commons-beanutils.jar  1.8.2    Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://commons.apache.org/beanutils/
Apache Commons Digester   commons-digester.jar   2.1      Apache 2.0  http://www.apache.org/licenses/LICENSE-2.0  http://commons.apache.org/digester/



I tried searching for keywords, vendors etc., but none of the drop-downs is populated or returns any results. For example, if I do a keyword search on "apache" (under the Search tab), I was expecting Apache-related results, but it does not return any.
It is rather urgent and I would appreciate any pointers.
Thanks,
AJ


