How to Use OWASP Dependency-Check for Android and iOS Projects

When developing mobile apps, it's crucial to keep third-party dependencies secure. OWASP Dependency-Check is an open-source tool that detects known vulnerabilities (CVEs) in the software libraries a project uses. In this article, we'll explore how to use it for both Android and iOS projects and how to integrate it into a CI/CD pipeline such as Jenkins.


✅ What is OWASP Dependency-Check?

OWASP Dependency-Check is a Software Composition Analysis (SCA) tool. It scans your project's dependencies, identifies each one from evidence such as file names, manifests and Maven coordinates, and matches the result against known vulnerabilities (CVEs) using data from the National Vulnerability Database (NVD).


🟢 Using OWASP Dependency-Check for Android

Android apps are typically built with Gradle, so the .jar and .aar files in your build output can be scanned directly.

🔧 Step-by-Step Guide

1️⃣ Install Dependency-Check CLI

You can download the latest release from GitHub:
👉 https://github.com/jeremylong/DependencyCheck/releases

If you're on macOS, you can also use Homebrew:

```bash
brew install dependency-check
```

2️⃣ Run a Scan

Use the CLI to scan your Android project directory:

```bash
dependency-check --project "MyAndroidApp" \
  --scan /path/to/your/project \
  --format "HTML" \
  --out reports/
```

πŸ“ Tip: To scan only the *.jar and *.aar files in your build directory:

bash
dependency-check --scan ./app/build/intermediates/ \ --format HTML \ --out reports/

3️⃣ Integrate with Jenkins

Add the Dependency-Check command in a Jenkins build step (Shell or Pipeline) and archive the report for visibility. Dependency-Check downloads NVD data on its first run, so in CI cache its data directory between builds and supply an NVD API key (--nvdApiKey) to avoid throttling.


🍏 Using OWASP Dependency-Check for iOS

iOS projects commonly use:

  • CocoaPods → Podfile.lock

  • Swift Package Manager (SPM) → Package.resolved

  • Carthage → Cartfile.resolved

However, OWASP Dependency-Check doesn't natively support iOS package managers. But don't worry: there are workarounds!


✅ Workarounds for iOS

🔹 Option 1: Manual Dependency Entry

Extract the dependency names and versions from Podfile.lock or Package.resolved and manually create a dependency-check.xml file listing them for the scan.


🔹 Option 2: Scan Compiled Frameworks

If you're using prebuilt .framework or .xcframework files:

```bash
dependency-check --project "MyiOSApp" \
  --scan ./Frameworks/ \
  --format "HTML" \
  --out reports/
```

🔹 Option 3: Use Alternative Tools

For better iOS support, consider these tools:

  • Snyk: Supports CocoaPods and SPM natively

  • CycloneDX + OWASP Dependency-Track: Generate a Software Bill of Materials (SBOM) in CycloneDX format and upload it to Dependency-Track for vulnerability analysis
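The Python script below is an added example (not part of the original post, and not code from the OWASP Dependency-Check or CycloneDX projects) that ties Option 1 and Option 3 together: it performs the extraction Option 1 describes, parsing the PODS section of a Podfile.lock and the pins of a Package.resolved (both the v1 and v2 layouts), and emits the CycloneDX BOM that Option 3 needs, with a Package URL (purl) per component so Dependency-Track can match it. The two lockfiles embedded in it are constructed samples, and the purl forms (pkg:cocoapods/..., pkg:swift/...) follow the purl specification.

```python
"""Build a minimal CycloneDX BOM from iOS lockfiles (Podfile.lock, Package.resolved).

Added example for the manual-listing and CycloneDX + Dependency-Track workarounds;
it is not part of OWASP Dependency-Check. Both lockfiles below are constructed.
"""
import json
import re

# Constructed Podfile.lock: resolved pods are indented by two spaces under PODS:,
# their transitive requirements by four. Only the two-space entries are versions.
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - Firebase/Core (10.24.0):
    - FirebaseCore (~> 10.24)
  - FirebaseCore (10.24.0)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - Firebase/Core
"""

# Constructed Package.resolved in the version-2 layout (v1 nests pins under "object").
PACKAGE_RESOLVED = json.dumps({
    "pins": [{
        "identity": "swift-log",
        "kind": "remoteSourceControl",
        "location": "https://github.com/apple/swift-log.git",
        "state": {"revision": "0" * 40, "version": "1.5.3"},
    }],
    "version": 2,
})

# Exactly two spaces, "- ", pod name, " (version)", optional trailing colon.
_POD_LINE = re.compile(r"^  - ([^\s(]+) \(([^)]+)\):?$")


def parse_podfile_lock(text):
    """Return [(pod_name, version)] for every resolved pod in the PODS: section."""
    pods, in_pods = [], False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, SPEC REPOS:, ...)
        match = _POD_LINE.match(line)
        if in_pods and match:
            pods.append((match.group(1), match.group(2)))
    return pods


def parse_package_resolved(text):
    """Return [(name, repo_url, version)] from a v1 or v2 Package.resolved."""
    data = json.loads(text)
    pins = data["pins"] if data.get("version", 1) >= 2 else data["object"]["pins"]
    out = []
    for pin in pins:
        url = pin.get("location") or pin.get("repositoryURL")   # v2 / v1 key names
        name = pin.get("identity") or pin.get("package")
        version = (pin.get("state") or {}).get("version")
        if version:  # branch- or revision-only pins carry no comparable version
            out.append((name, url, version))
    return out


def cocoapods_purl(pod_name, version):
    """pkg:cocoapods/Name@version, with a subspec ("Firebase/Core") as the purl subpath."""
    base, _, subspec = pod_name.partition("/")
    purl = f"pkg:cocoapods/{base}@{version}"
    return f"{purl}#{subspec}" if subspec else purl


def swift_purl(repo_url, version):
    """pkg:swift/<host>/<owner>/<repo>@version, derived from the pinned repository URL."""
    path = re.sub(r"^[a-z+]+://", "", repo_url)
    path = re.sub(r"\.git$", "", path)
    return f"pkg:swift/{path}@{version}"


def build_bom(podfile_lock=None, package_resolved=None):
    """Assemble a minimal CycloneDX 1.5 JSON BOM (as a dict) from the lockfile texts."""
    components = []
    if podfile_lock:
        for name, version in parse_podfile_lock(podfile_lock):
            components.append({"type": "library", "name": name, "version": version,
                               "purl": cocoapods_purl(name, version)})
    if package_resolved:
        for name, url, version in parse_package_resolved(package_resolved):
            components.append({"type": "library", "name": name, "version": version,
                               "purl": swift_purl(url, version)})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


if __name__ == "__main__":
    # Write the BOM to stdout; redirect it to bom.json and upload to Dependency-Track.
    print(json.dumps(build_bom(PODFILE_LOCK, PACKAGE_RESOLVED), indent=2))
```

Only the two-space entries under PODS: are taken, because those carry the resolved version; the four-space lines are version requirements (for example "~> 10.24"), which is what makes scanning the DEPENDENCIES: section or a plain Podfile insufficient.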


🔄 Jenkins Integration (Optional)

Here's a simple Jenkins shell step:

```bash
#!/bin/bash
dependency-check \
  --project "MyMobileApp" \
  --scan "$WORKSPACE/app/build" \
  --format "HTML" \
  --out "$WORKSPACE/reports"
```

You can archive the report (for example with the archiveArtifacts step) or email it after each build.
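Archiving the report gives visibility, but a pipeline usually also needs to fail when something serious is found. Dependency-Check can do that itself with its --failOnCVSS flag; the Python script below is an added example (not part of the original post or of the Dependency-Check project) for the case where you want a custom gate or summary over a report that was produced with --format JSON (written as dependency-check-report.json in the --out directory). It assumes the report's dependencies[].vulnerabilities[] entries carry a cvssv3.baseScore, falling back to cvssv2.score; the report embedded in it is a constructed sample with placeholder CVE ids and invented library names.

```python
"""Fail a CI build when a Dependency-Check JSON report has findings at or above a CVSS threshold.

Added example for the Jenkins step; not part of the Dependency-Check project.
SAMPLE_REPORT is a constructed report with placeholder CVE ids, not real findings.
"""
import json
import sys

SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "MyMobileApp"},
    "dependencies": [
        {
            "fileName": "example-net-1.2.3.jar",            # constructed library name
            "filePath": "/ws/app/build/intermediates/example-net-1.2.3.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "HIGH",   # placeholder id
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-0000-00002", "severity": "LOW",    # placeholder id, v2 only
                 "cvssv2": {"score": 2.1}},
            ],
        },
        # A dependency with no findings has no "vulnerabilities" key at all.
        {"fileName": "example-ui-0.9.0.aar", "filePath": "/ws/app/build/example-ui-0.9.0.aar"},
    ],
})


def score_of(vuln):
    """CVSS score for one finding: v3 base score if present, else v2 score, else 0."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    if v3 is not None:
        return float(v3)
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return float(v2) if v2 is not None else 0.0


def findings_at_or_above(report_text, threshold):
    """Return [(file_name, cve_id, score)] for findings scoring >= threshold, highest first."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName"), vuln.get("name"), score))
    return sorted(hits, key=lambda hit: -hit[2])


def gate(report_text, threshold=7.0):
    """Exit status for the pipeline: 0 when nothing meets the threshold, 1 otherwise."""
    hits = findings_at_or_above(report_text, threshold)
    for file_name, cve, score in hits:
        print(f"BLOCKING: {file_name}: {cve} (CVSS {score})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Jenkins shell step after the scan (hypothetical script name):
    #   python3 gate_report.py "$WORKSPACE/reports/dependency-check-report.json" 7.0
    if len(sys.argv) >= 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    else:
        text, threshold = SAMPLE_REPORT, 7.0
    sys.exit(gate(text, threshold))
```

Run it on the sample and the build fails on the 7.5 finding while the 2.1 finding is reported only when the threshold is lowered; the missing "vulnerabilities" key on a clean dependency is handled so a partially populated report does not crash the gate.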


📌 Summary

Platform | Usage with OWASP Dependency-Check            | Notes
---------|----------------------------------------------|---------------------------
Android  | Scan .jar and .aar files in Gradle output     | ✅ Fully supported
iOS      | Manual dependency listing or scan .framework  | ⚠️ Limited native support

🧩 Final Thoughts

OWASP Dependency-Check is a powerful tool for securing your mobile apps during development. While Android support is strong, iOS may require additional steps or alternative tools. Still, integrating security scanning in your CI/CD pipeline is a huge win for your DevSecOps practice!
