Dependency Scanning Tools
Dependency Scanning Tools
Identifying vulnerable dependencies is crucial for maintaining application security.
// Android - Dependency vulnerability scanning
class DependencyScanner {
    /**
     * Wires the OWASP Dependency-Check Gradle plugin into [project] and registers a
     * `securityDependencyReport` task that runs `dependencyCheckAnalyze` and then prints
     * the CRITICAL/HIGH findings from the JSON report.
     *
     * Build-failure policy: `failBuildOnCVSS = 7.0f` makes the analyze task fail once a
     * finding reaches the CVSS 7.0 ("High") band; lower-scored findings are written to the
     * reports but do not break the build. Suppressions come from
     * `dependency-suppressions.xml` in the project root — an entry there silences a
     * finding entirely, so that file deserves the same review as a code change.
     */
    fun configureDependencyCheck(project: Project) {
        project.apply(plugin = "org.owasp.dependencycheck")

        project.dependencyCheck {
            // Analyzers for ecosystems this build does not use are switched off
            // (presumably no .NET/NuGet/Node artifacts in an Android build — verify).
            analyzers {
                assemblyEnabled = false
                nugetconfEnabled = false
                nodeEnabled = false
            }
            // Local copy of the vulnerability database (H2) kept under the project root.
            data {
                directory = "${project.rootDir}/.dependency-check"
                dbDriverName = "org.h2.Driver"
            }
            // HTML for humans, JSON for analyzeReport below, JUnit for CI dashboards.
            formats = listOf("HTML", "JSON", "JUNIT")
            failBuildOnCVSS = 7.0f
            suppressionFiles = listOf("${project.rootDir}/dependency-suppressions.xml")
        }

        project.tasks.register("securityDependencyReport") {
            dependsOn("dependencyCheckAnalyze")
            doLast {
                // Path is resolved at execution time; the JSON report only exists once
                // the analyze task has produced it.
                val jsonReport = File("${project.buildDir}/reports/dependency-check-report.json")
                if (jsonReport.exists()) analyzeReport(jsonReport)
            }
        }
    }

    /**
     * Prints every CRITICAL or HIGH finding in [reportFile] — one block per
     * vulnerability with the dependency name, CVE id, CVSS score and description.
     * Findings of any other severity are not printed here; they remain in the
     * generated reports.
     */
    private fun analyzeReport(reportFile: File) {
        val report = parseJsonReport(reportFile)
        for (dependency in report.dependencies) {
            for (vulnerability in dependency.vulnerabilities) {
                val severity = vulnerability.severity
                val isHighOrAbove = severity == "CRITICAL" || severity == "HIGH"
                if (!isHighOrAbove) continue
                println("⚠️ Critical vulnerability in ${dependency.name}")
                println(" CVE: ${vulnerability.cve}")
                println(" CVSS: ${vulnerability.cvssScore}")
                println(" Description: ${vulnerability.description}")
            }
        }
    }
}
// Swift Package Manager security audit
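class SwiftPackageAudit {
    /// Failure of the `swift package` subprocess, carrying its exit status so a
    /// caller can tell a broken toolchain invocation apart from a JSON decode error.
    enum AuditError: Error {
        case commandFailed(status: Int32)
    }

    /// Resolves the package graph with `swift package show-dependencies --format json`
    /// and checks every package in it against the vulnerability database.
    ///
    /// - Throws: `AuditError.commandFailed` when the subprocess exits non-zero, any
    ///   error raised by `Process.run()`, or a `DecodingError` when the output is not
    ///   the JSON shape `PackageGraph` expects.
    func auditDependencies() throws {
        let process = Process()
        process.executableURL = URL(fileURLWithPath: "/usr/bin/swift")
        process.arguments = ["package", "show-dependencies", "--format", "json"]
        let pipe = Pipe()
        process.standardOutput = pipe
        try process.run()
        // Drain stdout *before* waiting for exit: if the graph is larger than the pipe
        // buffer, waiting first blocks the child on a full pipe while the parent waits
        // on the child — a deadlock.
        let data = pipe.fileHandleForReading.readDataToEndOfFile()
        process.waitUntilExit()
        // A failed command previously surfaced only as a confusing decode error on
        // empty/partial output; report the exit status instead.
        guard process.terminationStatus == 0 else {
            throw AuditError.commandFailed(status: process.terminationStatus)
        }
        let graph = try JSONDecoder().decode(PackageGraph.self, from: data)
        for package in graph.packages {
            checkPackageSecurity(package)
        }
    }

    /// Looks up `package` (name + version) in the shared vulnerability database and
    /// prints each known CVE for it. Produces no output when nothing is found.
    private func checkPackageSecurity(_ package: Package) {
        let vulnerabilities = VulnerabilityDatabase.shared.check(
            package: package.name,
            version: package.version
        )
        guard !vulnerabilities.isEmpty else { return }
        print("⚠️ Vulnerabilities found in \(package.name) \(package.version)")
        for vuln in vulnerabilities {
            print(" - \(vuln.cve): \(vuln.description)")
        }
    }
}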
}