How to use OWASP Dependency-Check for third party libraries scan

CICD

How to use OWASP Dependency-Check for third party libraries scan

By novicejava1 0
owasp_dependency_check

Here in this article we will be using a sample java spring boot based application and update the project with OWASP dependency-check-gradle plugin which will help us in scanning all the dependent libraries for any vulnerabilities and generate a report.

What is OWASP Dependency-Check

As per OWASP documentation, Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

If you are interested in watching the video. Here is the YouTube video on the same step by step procedure outlined below.

Procedure

Step1: Request NVD API key

OWASP dependency check tool uses the National Vulnerability Database for the information on the CVE’s related to different software components or entities. This is an optional step to request for an API key to use the NVD database. In case we are not using the API key the rate at which we will be able to download the NVD data would be slow. For this reason its recommended to generate an API key using Request an API Key.

Once you submit the required details you will receive an email with a link to generate your personal API key which need to be secured.

Step2: Create a Java application

Here in this step i am using vscode to generate a sample hello world java application based on the gradle build. The structure of the project is as below.

admin@fedser:gradledepcheck$ tree .
.
├── app
│   ├── build.gradle
│   └── src
│       ├── main
│       │   ├── java
│       │   │   └── gradledepcheck
│       │   │       └── App.java
│       │   └── resources
│       └── test
│           ├── java
│           │   └── gradledepcheck
│           │       └── AppTest.java
│           └── resources
├── gradle
│   └── wrapper
│       ├── gradle-wrapper.jar
│       └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
└── settings.gradle

Step3: Apply Dependency Check Plugin

In this step we are going to update our build.gradle for the sample project by applying OWASP dependency check plugin as shown below. This plugin provides us with different tasks which will help us in fetching the vulnerability database and also scan projects for any vulnerabilities based on the available data.

admin@fedser:gradledepcheck$ cat app/build.gradle 
/*
 * This file was generated by the Gradle 'init' task.
 *
 * This generated file contains a sample Java application project to get you started.
 * For more details take a look at the 'Building Java & JVM projects' chapter in the Gradle
 * User Manual available at https://docs.gradle.org/8.0.2/userguide/building_java_projects.html
 */

plugins {
    // Apply the application plugin to add support for building a CLI application in Java.
    id 'application'
    id "org.owasp.dependencycheck" version "9.0.9"
}

repositories {
    // Use Maven Central for resolving dependencies.
    mavenCentral()
}


dependencies {
    // Use JUnit Jupiter for testing.
    testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'

    // This dependency is used by the application.
    implementation 'com.google.guava:guava:31.1-jre'
}

application {
    // Define the main class for the application.
    mainClass = 'gradledepcheck.App'
}

tasks.named('test') {
    // Use JUnit Platform for unit tests.
    useJUnitPlatform()
}

dependencyCheck {
    nvd {
        apiKey='xxxxxxxx'
    }
}

Step4: Analyze Project

Once the plugin is applied we list the tasks that are provided by this plugin as shown below. As you can see it provides us with four different task for our usage.

admin@fedser:gradledepcheck$ ./gradlew tasks
...
OWASP dependency-check tasks
----------------------------
dependencyCheckAggregate - Identifies and reports known vulnerabilities (CVEs) in multi-project dependencies.
dependencyCheckAnalyze - Identifies and reports known vulnerabilities (CVEs) in project dependencies.
dependencyCheckPurge - Purges the local cache of the NVD.
dependencyCheckUpdate - Downloads and stores updates from the NVD CVE data feeds.
...

We will be using the “dependencyCheckAnalyze” task to scan the project to identify any vulnerabilties in the third party libraries that are being used by the project.

admin@fedser:gradledepcheck$ ./gradlew  dependencyCheckAnalyze

> Task :app:dependencyCheckAnalyze
Verifying dependencies for project app
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project app
Found 2 vulnerabilities in project app


One or more dependencies were identified with known vulnerabilities in app:

guava-31.1-jre.jar (pkg:maven/com.google.guava/guava@31.1-jre, cpe:2.3:a:google:guava:31.1:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908


See the dependency-check report for more details.



Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
Region [POM] : Not alive and dispose was called, filename: POM

BUILD SUCCESSFUL in 3s
1 actionable task: 1 executed

As you can see from the output, the build analysis has identifies two vulnerabilities in the dependent library jar “guava-31.1-jre.jar” used by the project. This analysis also generates a report for all the vulnerabilities that are identified within the project at the following build output location.

admin@fedser:gradledepcheck$ ls -ltr app/build/reports/
total 232
-rw-r--r--. 1 admin admin  44750 Mar 10 19:26 dependency-check-report.json
-rw-r--r--. 1 admin admin 189929 Mar 10 19:28 dependency-check-report.html

Step5: Break Build

In order to ensure that our build breaks whenever there is a vulnerability of a particular CVSS score is found in our project, we can update the build.gradle as shown below.

Here we are updating the file with “dependencyCheck” configuration to fail the build in case an vulnerability with a CVSS score of 7 or more is found. Also we want to ensure that the generated report in of JSON format. You can find more details about the configuration options at dependency check gradle configuration.

admin@fedser:gradledepcheck$ cat app/build.gradle 
/*
 * This file was generated by the Gradle 'init' task.
 *
 * This generated file contains a sample Java application project to get you started.
 * For more details take a look at the 'Building Java & JVM projects' chapter in the Gradle
 * User Manual available at https://docs.gradle.org/8.0.2/userguide/building_java_projects.html
 */

plugins {
    // Apply the application plugin to add support for building a CLI application in Java.
    id 'application'
    id "org.owasp.dependencycheck" version "9.0.9"
}

repositories {
    // Use Maven Central for resolving dependencies.
    mavenCentral()
}


dependencies {
    // Use JUnit Jupiter for testing.
    testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'

    // This dependency is used by the application.
    implementation 'com.google.guava:guava:31.1-jre'
}

application {
    // Define the main class for the application.
    mainClass = 'gradledepcheck.App'
}

tasks.named('test') {
    // Use JUnit Platform for unit tests.
    useJUnitPlatform()
}

dependencyCheck {
    failBuildOnCVSS=7
    format='JSON'
    nvd {
        apiKey='xxxxxxxx'
    }
}

Now let us try to run the analysis for our project and see if it breaks our build as per our requirement. If you have a CICD pipeline to build a project the following step can be introduced into the build to ensure that build wont proceed to next when a severity of a particular CVSS score is found in the project.

admin@fedser:gradledepcheck$ ./gradlew  dependencyCheckAnalyze
Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
Region [POM] : Not alive and dispose was called, filename: POM

> Task :app:dependencyCheckAnalyze FAILED
Verifying dependencies for project app
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project app
Found 2 vulnerabilities in project app


One or more dependencies were identified with known vulnerabilities in app:

guava-31.1-jre.jar (pkg:maven/com.google.guava/guava@31.1-jre, cpe:2.3:a:google:guava:31.1:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908


See the dependency-check report for more details.



FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:dependencyCheckAnalyze'.
> 
  
  Dependency-Analyze Failure:
  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '7.0': CVE-2023-2976
  See the dependency-check report for more details.
  


* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 2s
1 actionable task: 1 executed

Hope you enjoyed reading this article. Thank you..