Wednesday, October 18, 2017

OWASP Dependency Check maven plugin

https://blog.lanyonm.org/articles/2015/12/22/continuous-security-owasp-java-vulnerability-check.html
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://nvd.nist.gov/vuln/data-feeds


Just run

mvn dependency-check:check

and you get a great report listing all the known vulnerabilities in your dependencies... fantastic! Even a Jenkins plugin is available, so you don't need to modify all your poms.


To install it as a Jenkins plugin, install these plugins:

http://updates.jenkins-ci.org/latest/dependency-check-jenkins-plugin.hpi
https://updates.jenkins.io/latest/token-macro.hpi
https://updates.jenkins.io/latest/analysis-core.hpi
https://updates.jenkins.io/latest/dashboard-view.hpi
https://updates.jenkins.io/latest/maven-plugin.hpi
http://updates.jenkins-ci.org/latest/apache-httpcomponents-client-4-api.hpi
http://updates.jenkins-ci.org/latest/javadoc.hpi
http://updates.jenkins-ci.org/latest/jsch.hpi


Interesting post on how to configure a separate Jenkins task that only updates the NIST NVD data in a common folder, so that every build does not check for updates: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8
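The same idea can be done on the Maven side. The pom.xml fragment below is an added example, not code from this post, from the linked articles or from the plugin's own documentation: it declares dependency-check-maven so that the short `mvn dependency-check:check` invocation resolves (without the plugin in the pom, or `org.owasp` in the `<pluginGroups>` of settings.xml, you have to use the fully qualified `mvn org.owasp:dependency-check-maven:check`), binds the scan to the verify phase, fails the build on high-severity findings, and reads the NVD data from a shared directory that a separate job keeps up to date. The property names, the data directory and suppression file paths, and the version placeholder are assumptions chosen for this example; `dataDirectory`, `autoUpdate`, `failBuildOnCVSS`, `suppressionFile`, `format` and the `check` / `update-only` goals are real plugin parameters and goals.

```xml
<!-- Added example pom.xml fragment (not from the post or the plugin docs).
     Property names, paths and the version placeholder are assumptions. -->
<project>
  <properties>
    <!-- Placeholder: set to the plugin release you actually use. -->
    <dependency-check.version>REPLACE_WITH_PLUGIN_VERSION</dependency-check.version>
    <!-- Shared NVD cache on the build agent (assumed path), filled by a separate job. -->
    <dependency-check.dataDirectory>/var/lib/dependency-check/data</dependency-check.dataDirectory>
    <!-- Regular builds never download NVD updates; the update job overrides this with -D. -->
    <dependency-check.autoUpdate>false</dependency-check.autoUpdate>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Where the plugin keeps its local copy of the NVD data. -->
          <dataDirectory>${dependency-check.dataDirectory}</dataDirectory>
          <autoUpdate>${dependency-check.autoUpdate}</autoUpdate>
          <!-- Fail the build when a dependency has a CVE with CVSS >= 7.0 (High).
               The default threshold of 11 never fails the build, so findings would
               only end up in the report and nobody would be forced to look. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Reviewed false positives, kept in version control next to the pom (assumed path). -->
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
          <!-- HTML for humans plus XML/JSON/CSV for tooling. -->
          <format>ALL</format>
        </configuration>
        <executions>
          <execution>
            <id>scan-dependencies</id>
            <!-- verify is also the goal's default phase; stated here for clarity,
                 so `mvn verify` scans and `mvn dependency-check:check` still works on demand. -->
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, the separate Jenkins job described above only has to run `mvn -Ddependency-check.autoUpdate=true dependency-check:update-only` on a schedule: the command-line property overrides the pom default, the `update-only` goal refreshes the shared data directory without scanning anything, and every regular build then scans against that cache offline. Keep the scheduled update frequent enough that the cache does not go stale, otherwise the scan quietly misses newly published CVEs.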

A similar post: https://blog.dominikschadow.de/2015/07/using-owasp-dependency-check-as-jenkins-plugin/


A good test is to run it against WebGoat https://github.com/WebGoat/WebGoat, but the repo is heavy and you need a good internet connection.


A presentation of the plugin by Jeremy Long (OWASP): https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf
