OWASP Dependency-Check
OWASP Dependency-Check is a tool that identifies project dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. It can be used in various software development contexts to improve application security by identifying vulnerable components included in a project and alerting developers to them.
Here are some key points about OWASP Dependency-Check:
- Identification of Vulnerabilities: Dependency-Check uses a combination of public and private vulnerability databases to identify known vulnerabilities in project dependencies. It supports various programming languages and package managers.
- Integration with Build Tools: It can be integrated into the build process of a project, making it easier for developers to regularly check for vulnerabilities as part of their development workflow. Common build tools such as Maven, Gradle, Ant, and others are supported.
- Wide Language and Ecosystem Support: OWASP Dependency-Check supports multiple programming languages and ecosystems, including Java, .NET, Node.js, Ruby, Python, and more. This makes it versatile and applicable to a wide range of projects.
- Command-Line and CI/CD Integration: It can be used from the command line, making it suitable for use in continuous integration/continuous deployment (CI/CD) pipelines. This ensures that vulnerability checks are performed automatically as part of the development and deployment process.
- Report Generation: Dependency-Check can generate reports in various formats, including HTML, XML, JSON, and CSV. These reports provide detailed information about the identified vulnerabilities, allowing developers and security teams to take appropriate action.
- Active Community: Being an OWASP project, Dependency-Check benefits from an active and collaborative community. This means that updates, improvements, and new features are likely to be developed and shared by the community.
- Integration with Other Security Tools: It can be used in conjunction with other security tools to provide a comprehensive security analysis of a project.
Integrate OWASP Dependency Check In Jenkins Pipeline
The first step is to go to the Jenkins dashboard, select Manage Jenkins -> Manage Plugins, and install the OWASP Dependency-Check Plugin.
Install Dependency-Check Plugin
The second step is to install the dependency-check tool from the Jenkins Global Tool Configuration under System Configuration. In the Jenkins dashboard, select Manage Jenkins -> Global Tool Configuration and scroll down to the bottom, where you will find the Dependency-Check Installation block.
Click on Add Dependency Check and enter a name for the tool installation, e.g. "OWASP Dependency-Check Vulnerabilities"; make sure to give it a relevant name, because the pipeline refers to it by this name.
Check the Install automatically box, select Add Installer, choose Dependency-check from the dropdown menu and select the version. Then click Apply & Save.
Dependency-Check Installer
After adding the OWASP Dependency-Check Plugin and the Dependency-Check Installer in Jenkins, edit your Jenkins pipeline and add the stage below. Make sure the odcInstallation value is the same as the name you entered in the Jenkins Dependency-Check Installation; in our case it is “OWASP Dependency-Check Vulnerabilities”.
Add the stage below to your Jenkins pipeline and then start the build.
    stage('OWASP Dependency-Check Vulnerabilities') {
        steps {
            // -o: output directory, -s: path to scan, -f ALL: write every report format
            // (HTML, XML, JSON, CSV, ...), --prettyPrint: human-readable XML/JSON
            dependencyCheck additionalArguments: '''
                -o './'
                -s './'
                -f 'ALL'
                --prettyPrint''', odcInstallation: 'OWASP Dependency-Check Vulnerabilities'
            // publish the XML report so the results appear on the build page
            dependencyCheckPublisher pattern: 'dependency-check-report.xml'
        }
    }
After the build has succeeded, open the build and select Dependency-Check in the left-hand menu; you will see the HTML report, grouped by severity level.
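Because the stage above writes every report format (-f 'ALL'), the JSON report can also be consumed by a script so the pipeline fails on findings above a chosen severity instead of relying on someone reading the HTML report. The following is an added example, not code from the original post or from the Dependency-Check project: it flattens a Dependency-Check JSON report into findings, counts them by severity and decides whether the build should fail. The field names used (dependencies, fileName, vulnerabilities, name, severity, cvssv3.baseScore, cvssv2.score) follow the JSON report as I know it; check them against a report from your own version. The embedded report and its CVE ids are constructed placeholders, not real findings.

```python
"""Gate a Jenkins build on an OWASP Dependency-Check JSON report (added example)."""
import json
import sys
from collections import Counter

# Severity labels as they appear in Dependency-Check reports, highest first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

# Constructed sample report for offline demonstration; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",  # constructed dependency
         "vulnerabilities": [
             {"name": "CVE-0000-00001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
             {"name": "CVE-0000-00002", "severity": "LOW", "cvssv2": {"score": 2.1}},
         ]},
        {"fileName": "clean-lib-2.3.jar"},   # no "vulnerabilities" key at all
        {"fileName": "other-lib-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-00003", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
    ],
})


def load_findings(report_text):
    """Flatten a report into (dependency, vulnerability id, severity, score) tuples."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):  # clean dependencies have no such key
            # Prefer the CVSS v3 base score; fall back to the v2 score if that is all there is.
            score = None
            if "cvssv3" in vuln:
                score = vuln["cvssv3"].get("baseScore")
            elif "cvssv2" in vuln:
                score = vuln["cvssv2"].get("score")
            findings.append((dep.get("fileName", "?"),
                             vuln.get("name", "?"),
                             vuln.get("severity", "UNKNOWN").upper(),
                             score))
    return findings


def count_by_severity(findings):
    """Number of findings per severity label."""
    return Counter(sev for _, _, sev, _ in findings)


def should_fail(findings, fail_at="HIGH"):
    """True if any finding is at or above the threshold severity."""
    threshold = SEVERITY_ORDER.index(fail_at)
    return any(sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) <= threshold
               for _, _, sev, _ in findings)


def main(argv):
    # Usage: python3 odc_gate.py dependency-check-report.json [HIGH|CRITICAL|MEDIUM|LOW]
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    fail_at = argv[2].upper() if len(argv) > 2 else "HIGH"
    findings = load_findings(text)
    for dep, cve, sev, score in sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[2])
                                       if f[2] in SEVERITY_ORDER else len(SEVERITY_ORDER)):
        print(f"{sev:8} {score!s:>5}  {cve:16} {dep}")
    print("totals:", dict(count_by_severity(findings)))
    return 1 if should_fail(findings, fail_at) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this would run as a `sh` step after dependencyCheck, pointing at the dependency-check-report.json that -f 'ALL' writes into the output directory; a non-zero exit code fails the stage. The threshold is deliberately a parameter so that a team can start by failing only on CRITICAL and tighten it later.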
Dependency-Check Results
Finally, we have successfully integrated the Dependency-Check tool into our Jenkins Pipeline.
===============================================================
The above information is to the best of my understanding. Suggestions are always welcome.
Thank you.
Sudheer Baraker