Developer's Corner
Posts Tags
Developer's Corner

Contents

Monitor security risks of dependencies into Java project

Check vulnerabilities by using OWASP dependency check

   780 words   4 minutes 

Nowadays, a big part if not the major of an application code comes from dependencies (most often open source). Open source components as others can be subject to vulnerabilities. Once a dependency is added into a project, informations related to this dependency are not always monitored (new version, detected vulnerabilities and so on). In order to provides the most robust and secure application, it will be benefit to track risks related to these dependencies.

The OWASP Dependency Check is an utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. The tool is suitable to analysis dependencies of your Java project and can be easily integrated into your build process since it support Ant, Gradle, Maven and Jenkins. You can also uses it from command line. Nevertheless, best results will be obtain by integrating it into your build process, particularly if dependencies are downloaded because with command line, they will be not downloaded (you need to specify jar files to analyze).

To understand how OWASP Dependency Check works, I use a sample project written in Java and builds with gradle. This projet uses the following dependencies:

1
2
3
4
5

dependencies {
    compile 'com.squareup.okhttp3:okhttp:3.1.1'
    compile 'org.apache.logging.log4j:log4j-core:2.8.1'
    compile 'com.google.guava:guava:23.6.1-jre'
}

OWASP dependency check gradle plugin

To get the most precise results, the best is to use the Gradle plugin of OWASP Dependency Check. Enable the plugin by adding the following lines into your build.gradle:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:4.0.1'
    }
}

apply plugin: 'org.owasp.dependencycheck'

Then check dependencies with the following command line:

1

./gradlew dependencyCheckAnalyze

From the sample project, the OWASP Dependency Check tool found 4 vulnerabilities as show into the below screenshots. The report also provide a detailed description of detected problems with a link to the CVE(Common Vulnerabilities and Exposures) from the NVD(National Vulnerabilities Database) website

/post/2018/12/dependencies-check/img/dependency-check-result.png /post/2018/12/dependencies-check/img/vulnerabilities-details.png

OWASP dependency check jenkins plugin

OWASP Dependency Check tool can also be integrated into Jenkins, one of the leading open-source automation servers. Use it through docker with the following command line:

1

docker run --name jenkins -d -v jenkins_home:/var/jenkins_home -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts

If your Jenkins installation is in french and that you prefer to have it in english, install the Locale plugin, then go to Administrer Jenkins/Configurer le système, then into the Locale section and sets default language to en_us and check the box Ignore browser preference and force this language to all users

Create a new Freestyle job project that will build your sample project. In the Source Code Mangement section, set the git repository url of your sample project and specify the branch that you want to checkout, then trigger a manual build to check that all is correct.

Now install the OWASP Dependency Check plugin by going to Manage Jenkins/Manage Plugins, into available plugins select OWASP Dependency-Check and install it without restart.

In order to add dependency check analysis into your build job, go to the project and select Configure, into the Build section, add a build step that will invoke gradle script and set the tasks to dependencyCheckAnalyze. To finish, into the Post-build Actions, add a step to publish dependency check result and keep the default configuration. Results will be published by using the generated XML report.

❗ Do not forget to configure the tool to generate the XML report by adding the following line into your build.gradle

1
2
3

dependencyCheck {
    format='XML'
}

Once results are published, Jenkins provides you with a detailed results as well as vulnerabilities trend graph allowing you to quickly known the risk states of your project.

/post/2018/12/dependencies-check/img/dependency-check-results-jenkins.png /post/2018/12/dependencies-check/img/vulnerabilities-trend.png

OWASP dependency check gradle plugin tasks

As saw previously, the Gradle task named dependencyCheckAnalyze allows to analyze your project. The first time, that your project is analyzed, the plugin needs to download and process the database of vulnerabilities from the NVD website. This step can be quite long, dependending on your internet connexion, your computer and so on.

If the time to update the database becomes a problem, one way to fix it, is to update your build.gradle to realize only the analysis without updating the database by setting autoUpdate=false and by setting the data directory to hold SQL CVEs contents with the following configuration:

1
2
3
4
5

dependencyCheck {
    data {
        directory='path to the data directory that hold CVE content'
    }
}

With this configuration, it is your reponsibility to maintain and update the database of vulnerabilities. It can be done by using a script or another jenkins job that can be periodically executed to update your NVD data. To accomplish the update, there is a Gradle task named dependencyCheckUpdate.

Updated on 2018-12-13
Read Markdown
 Software Composition AnalysisOpen SourceCode QualitySecurity
Back | Home