The OWASP Dependency-Check tool is a popular tool in the Software Engineering world. We will discuss how we can run it standalone or integrate it into an existing CI/CD pipeline. We use the Dockerfile and Jenkinsfile for the setup. We also discuss how to integrate the tool into our existing CI and CD Pipeline. We need basic knowledge of how to run Dockerfiles but other than that there's not much required. We'll use the Jenkinsfile to run the dependency-Check on demand and use the experimental mode for Python.
Recap of Part 1
thanks for joining once again. In the last post, I introduced the OWASP Dependency-Check tool briefly and discussed its increasing helpfulness in today's Software Engineering world due to the increasing integration of open source & third-party code.
Summary
Today we will take a look at how we can easily integrate the Dependency-Check into our existing CI/CD Pipeline or how we can create a standalone Dockerfile to run the Dependency-Check on demand.
Tools / Requirements
As for knowledge, it would be nice to have basic knowledge of how to run Dockerfiles but other than that there's not much required.
As for tools we will use:
Docker
Setup
For the Setup, we'll start with the Dockerfile and then discuss how we can run it standalone or integrate it in an existing CI/CD pipeline.
Dockerfile
####################
# FRONTEND DEPENDENCIES
####################
# we install the frontend dependencies to create a node_modules directory
FROM node:14 as frontend_dependencies
COPY path/to/package.json /frontend
WORKDIR /frontend
RUN npm i && npm ci
####################
# INSTALL DEPENDENCY CHECK
####################
# we download the dependency-check zip & unzip it
FROM ubuntu:14.04 as dependency_check_install
RUN apt-get update \
&& apt-get install -y wget unzip \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
RUN wget //github.com/jeremylong/DependencyCheck/releases/download/v6.5.2/dependency-check-6.5.2-release.zip \
&& unzip dependency-check-6.5.2-release.zip \
&& rm dependency-check-6.5.2-release.zip
####################
# RUN DEPENDENCY CHECK
####################
# we require a Java image here to run the dependency-check
FROM openjdk:18-alpine as dependency_check
# add yarn for dependency check to run without errors
RUN apk add yarn
# copy dependency-check from the previous stage
COPY --from=dependency_check_install /dependency-check /dependency-check
# copy frontend node modules from the previous stage
COPY --from=frontend_dependencies /frontend/node_modules /frontend/node_modules
# copy backend python files to be checked
COPY path/to/pythoncode/src /backend
# this line is optional. It's only necessary if you wish to run the Dependency-Check standalone
RUN /dependency-check/bin/dependency-check.sh --scan . --out ./report
Dockerfile explanation
As for JS code, we need to initialize the node_modules from the package.json first
As for the Python Backend code, we need to copy the .py files over into the Docker container and use the experimental mode for Python.
By separating these steps into multiple Docker Stages we minimize the final Docker image size by excluding things such as node, wget, and unzip.
Run Dependency-Check
The last line in the Dockerfile that's commented as Optional runs the Dependency-Check. If we want to run the Dependency-Check on-demand outside a Pipeline we have to include this line here. It will scan all files in the directory and generate a report as HTML file.
We can also specify another Output format such as JSON, CSV, ... This may be helpful if we have an automatic Analyser in place that can process JSON or CSV files.
Jenkinsfile
If we want to include this Scan in a CI/CD Pipeline we would do it as follows in a Jenkinsfile example:
We specify the Dockerfile to be run. Don't forget to remove the last optional line in the Dockerfile if you use this approach
Then we specify the command to be executed. The flags --format specify the outut format. The --enableExperimental flag enables python scanning.
Finally we archive the results, so that we can view them later on in Jenkins.
Output
the generated .html will list the vulnerabilities and general information about the scan
Thank you for reading so far! :)
That's it for the little guide. If you have questions or anything is unclear feel free to leave a comment.
Also if you like this article or find it interesting be sure to leave a like or share it with people who might be interested in the topic :) It would help me a lot.