Devsecops is the buzz lightyear in cyber space today. As a part of that journey, I would like to explain the integration of OWASP Dependency check with Jenkins to CI/CD pipeline (Very simple implementation yet thought this post might be helpful).
Before jumping into the integration, a quick brief on OWASP Dependency check and Jenkins.
OWASP Dependency Check:
OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: A9 — Using Components with Known Vulnerabilities. Dependency-check can be used to scan Java and .NET applications to identify the known vulnerable components.
Explore at : https://jeremylong.github.io/DependencyCheck/
Jenkins:
Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.
Explore at: https://jenkins.io/
Integrating Dependency check with Jenkins:
Assumption: Jenkins is up and running & proxy if required should be configured in jenkins (Manage Jenkins -> Manage Plugins -> Advanced)
Step 1: Download the OWASP-dependency-check plugin from plugin manager (Manage Jenkins -> Manage Plugins -> Available)
Step 2: Even though restart is not mandatory , it is recommended to restart. Once download is done, check on restart jenkins. If restart doesn’t start properly, then navigate to http://localhost:8080/restart to restart jenkins manually.
Step 3: Post successful installation and jenkins service restart, navigate to Global tools configuration (Manage Jenkins -> Global Tools Configuration) to configure dependency check.
Click on ‘Add Dependency Check’ and provide name to convenience. The version by default will point to the latest release.
Note: If installation is not done properly, then the URL to download archive can be provided using ‘Extract *.zip/*.tar.gz’ option from Add installer dropdown.
From here, the dependency check can be directly invoked in a project or a pipeline script can be used to invoke it.
Method 1:
Step 4: Time to add dependency check to any existing or new project. In demo, I have used bwapp application’s source code.
In the build option, select ‘Invoke dependency-check’ from Add-build step.
Step 5: Provide the arguments to perform the dependency checker. For demo purpose i have configured the scan to be basic. More options can be explored at: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
Step 6: Build the project now and if it’s the first time, then Dependency checker will reach out to NVD CVE data hosted by NIST and Retire JS repo to fetch updated data. Once the database is build locally with the downloaded data, dependency analysis will be performed.
If internet access is restricted, refer the below space to figure out the workaround.
https://jeremylong.github.io/DependencyCheck/data/index.html
Step 7: Post analysis, navigate to workspace folder to access the scan report from UI.
Method 2:
The dependency check can be invoked using a pipeline script. The pipeline script functionality can be accessed from the URL : http://localhost:8080/pipeline-syntax/
Select ‘dependecycheck: Invoke dependency check’ from sample step. Provide the scan arguments and click on ‘Generate pipeline script’ to generate the script.
Thanks to OWASP Dependency check, jenkins and BWAPP team.
Hope this content is useful!!! Until next time, Cheers :)
