I think this site is the easiest to understand. As described there, it is a tool that checks whether a module uses a library with a known vulnerability.
Originally a tool for Java apps and .NET apps, it now supports the following as prototypes.
OS: CentOS 7.7
OWASP dependency check: 5.3.0
I used the CLI version. When I specified the proxy server, proxy port, and proxy authentication information as arguments according to the manual and executed it, I got a long run of exceptions... I found the following familiar error message among them.
```
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
```
It ended there... Proxy Authentication Required appears even though the proxy information is specified...
# Cause
The cause is that, starting with Java 8 Update 111, the java.net package by default no longer uses Basic authentication when tunneling an HTTPS connection through a proxy.
Reference URL: https://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
However, there is a solution: add the following option when Java is executed.
```
-Djdk.http.auth.tunneling.disabledSchemes=""
```
# Solution
I know the solution, but I don't know how to apply it to the OWASP tool.
The CLI version of OWASP dependency check is a shell script, so I took a peek inside, and it turned out that an environment variable called JAVA_OPTS is passed to Java as a run-time parameter.
# Conclusion
It can be executed as follows.
```bash
# After shell quoting, the property is passed to the JVM with an empty value.
export JAVA_OPTS="${JAVA_OPTS} -Djdk.http.auth.tunneling.disabledSchemes="""
dependency-check.sh --project [project name] --scan [Scan target directory path] --proxyserver [proxy server name] --proxyport [proxy port] --proxypass [proxy authentication password] --proxyuser [proxy authentication ID]
```
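The same fix as a small wrapper, added here as an example (not part of dependency-check or of the original post): it recognises the 407 tunnelling error quoted above, adds the property to `JAVA_OPTS` only once, and sets it for the scan process alone instead of exporting it to every Java program started from the shell. The function names `has_tunnel_407`, `with_tunnel_basic_auth` and `run_scan`, and the variable `SAMPLE_LOG`, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not dependency-check's own.

TUNNEL_PROP='jdk.http.auth.tunneling.disabledSchemes'

# Sample input: the error line quoted earlier on this page.
SAMPLE_LOG='Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"'

# Return 0 when the given log text contains the 407 tunnelling failure,
# i.e. when the Java 8u111 default is the likely cause.
has_tunnel_407() {
  printf '%s\n' "$1" |
    grep -q 'Unable to tunnel through proxy.*407 Proxy Authentication Required'
}

# Print the JAVA_OPTS value in $1 with the property set to an empty list.
# If the property is already present, the value is printed unchanged, so
# calling this repeatedly never stacks duplicate -D options.
with_tunnel_basic_auth() {
  case " $1 " in
    *" -D${TUNNEL_PROP}="*) printf '%s' "$1" ;;
    *) printf '%s' "${1:+$1 }-D${TUNNEL_PROP}=" ;;
  esac
}

# Run the scan with the option applied to this one command only.
# Arguments are passed through unchanged, for example:
#   run_scan --project [project name] --scan [Scan target directory path] \
#            --proxyserver [proxy server name] --proxyport [proxy port] \
#            --proxyuser [proxy authentication ID] \
#            --proxypass [proxy authentication password]
run_scan() {
  JAVA_OPTS="$(with_tunnel_basic_auth "${JAVA_OPTS:-}")" dependency-check.sh "$@"
}
```

With Basic re-enabled, the proxy credentials are sent only base64-encoded, which is why limiting the setting to the one process that needs it is preferable to a session-wide `export`.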