We will cover the necessary steps to integrate your application pipeline with automated OWASP Dependency-Check.
Dependency-Check can be used to scan applications (and their dependent libraries) to identify any known vulnerable components.
“Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.”
How It Works
Dependency-Check works by collecting evidence about each dependency: vendor, product, and version. It matches this evidence against the Common Vulnerabilities and Exposures (CVE) entries in the National Vulnerability Database (NVD) to determine whether there are any known vulnerabilities and exposures in your software components.
Supported Analyzers
Go here for an up-to-date list of supported analyzers.
Sample Report
Go here to view a sample OWASP Dependency-Check report.
Azure DevOps Agent Configuration
This section covers the installation process for OWASP Dependency-Check. It assumes the Azure DevOps agent is already installed and configured, which is briefly covered in another post here.
Create Folder and Assign Permissions
If it doesn't exist, create a new folder C:\Tools. Grant the service account that the Azure DevOps agent service runs under administrative access to this folder.
Copy Script
Copy Invoke-OwaspDependencyCheck.ps1 to Agent.HomeDirectory (e.g. C:\agent).
```powershell
<#
.SYNOPSIS
Runs OWASP Dependency-Check.
.DESCRIPTION
If required, this script installs or upgrades OWASP Dependency-Check based on the DevOps variable group configuration.
It then runs the tool against the sources for the project.
.EXAMPLE
PS> .\Invoke-OwaspDependencyCheck.ps1
Runs OWASP Dependency-Check
.NOTES
Author: Lucas Jackson
Date: December 18, 2023
#>
$ErrorActionPreference = 'Stop'
$flagInstall = $false

# Verify the download URL references the expected version. Without this check a mismatch
# would force an unnecessary re-install of OWASP Dependency-Check on each run.
if (-not ($env:ODC_URLDOWNLOAD -like "*$env:ODC_REQUIREVERSION*")) {
    Write-Host "Please verify variable group values, there is a version mismatch between odcUrlDownload and odcRequireVersion.`nThese two variables should be in alignment.`n`nodcUrlDownload: $env:ODC_URLDOWNLOAD`nodcRequireVersion: $env:ODC_REQUIREVERSION`n`nExiting."
    exit 1
}

# Look for the OWASP Dependency-Check CLI and verify its version.
# The call operator (&) runs the path as a command; Invoke-Expression would re-parse
# the variable group value as PowerShell code.
if (Test-Path "$env:ODC_PATHCLI") {
    Write-Host "Executable found: $env:ODC_PATHCLI`n"
    $versionCli = & $env:ODC_PATHCLI -v
    Write-Host $versionCli
    if ($versionCli -like "*$env:ODC_REQUIREVERSION*") {
        Write-Host "Version is as expected: v$env:ODC_REQUIREVERSION`n"
    }
    else {
        Write-Host "Version mismatch, expected: v$env:ODC_REQUIREVERSION`nRe-installing.`n"
        $flagInstall = $true
    }
}
else {
    Write-Host "Executable not found. Will attempt install.`n"
    $flagInstall = $true
}

# If the install flag is raised, OWASP Dependency-Check is downloaded and installed.
if ($flagInstall) {
    Write-Host "Downloading OWASP Dependency-Check from $env:ODC_URLDOWNLOAD`n"
    Invoke-WebRequest $env:ODC_URLDOWNLOAD -OutFile "$env:AGENT_TEMPDIRECTORY\dependency-check.zip"
    # Guard: only remove a path that actually looks like a Dependency-Check install.
    if ($env:ODC_PATHDELETE -like "*dependency-check*") {
        Write-Host "Deleting $env:ODC_PATHDELETE if it exists.`n"
        Remove-Item -Path $env:ODC_PATHDELETE -Force -Recurse -ErrorAction SilentlyContinue
    }
    Write-Host "Extracting to $env:ODC_PATHINSTALL.`n"
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::ExtractToDirectory("$env:AGENT_TEMPDIRECTORY\dependency-check.zip", "$env:ODC_PATHINSTALL")
}

# Run OWASP Dependency-Check against the sources directory for the project and write the
# HTML, JSON and JUnit reports to the artifact staging directory for publishing.
Write-Host "Running OWASP dependency-check"
& $env:ODC_PATHCLI --project $env:ODC_PROJECTNAME --scan $env:BUILD_SOURCESDIRECTORY --out $env:BUILD_ARTIFACTSTAGINGDIRECTORY --format HTML --format JSON --format JUNIT --nvdApiKey $env:ODC_NVDAPIKEY
# Propagate the CLI exit code so the pipeline step fails when the scan itself fails.
exit $LASTEXITCODE
```
Variable Group Configuration
Create/update the variable group OWASP.DEPENDENCYCHECK. Use the table below as a reference.
Variable | Value | Description |
---|---|---|
odcPathCli | C:\tools\dependency-check\bin\dependency-check.bat | Path to the command line interface |
odcPathDelete | C:\tools\dependency-check | Path to delete if upgrade is required |
odcPathInstall | C:\tools | Install path |
odcRequireVersion | 9.0.5 | The version required on the server (must match odcUrlDownload) |
odcUrlDownload | https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.5/dependency-check-9.0.5-release.zip | Url of the Dependency-Check cli hosted on GitHub |
odcNvdApiKey | {apiKey} | NVD API Key for NIST |
odcRequireVersion and odcUrlDownload must be in alignment (i.e. if odcRequireVersion is 9.0.5 then odcUrlDownload should reference the v9.0.5 release package). Invoke-OwaspDependencyCheck.ps1 contains logic to validate this.
For odcNvdApiKey, you can request a key via NVD API Key Request.
Install
Invoke-OwaspDependencyCheck.ps1 takes care of the installation of Dependency-Check when it is required. There is no need to run the script manually; just run it from the build pipeline as outlined later in this post.
Upgrade
To upgrade Dependency-Check to a newer release, simply update the variables odcRequireVersion and odcUrlDownload outlined in Variable Group Configuration. Invoke-OwaspDependencyCheck.ps1 has the logic to handle the entire upgrade process (unless the way the release is packaged is altered in the future).
Azure DevOps Integration
This section covers the requirements for integration within an Azure DevOps application pipeline.
Variable Group and Variables
This integration requires consuming a variable group called OWASP.DEPENDENCYCHECK and a local build variable called odcProjectName within the build pipeline. Update the value of odcProjectName to the name of the application/project/initiative. This is the name that will be used for the report.
Add the following variables YAML snippet to the build pipeline.
```yaml
variables:
- group: 'OWASP.DEPENDENCYCHECK' # variable group required for Dependency-Check integration
- name: 'odcProjectName'
  value: '{application-name-here}' # update this value
```
Azure Pipeline Task
Use the YAML snippet below and add it to your build pipeline. View the sample pipeline to see how to structure the build stages with your existing build pipeline.
```yaml
- stage: DependencyCheck
  pool: 'OWASP'
  jobs:
  - job: DependencyCheckCli
    steps:
    # Run OWASP Dependency-Check PowerShell script.
    - task: PowerShell@2
      displayName: Run OWASP Dependency-Check
      inputs:
        targetType: 'filePath'
        filePath: '$(Agent.HomeDirectory)\Invoke-OwaspDependencyCheck.ps1'
      # Secret variables (such as odcNvdApiKey) are not exposed to scripts
      # automatically; they must be mapped explicitly via env as done here.
      env:
        ODC_PROJECTNAME: $(odcProjectName)
        ODC_PATHCLI: $(odcPathCli)
        ODC_PATHDELETE: $(odcPathDelete)
        ODC_PATHINSTALL: $(odcPathInstall)
        ODC_REQUIREVERSION: $(odcRequireVersion)
        ODC_URLDOWNLOAD: $(odcUrlDownload)
        ODC_NVDAPIKEY: $(odcNvdApiKey)
    # Publish OWASP Dependency-Check JUnit test results.
    - task: PublishTestResults@2
      displayName: Publish ODC Test Results
      inputs:
        testResultsFormat: 'JUnit'
        testResultsFiles: '**/*junit.xml'
        searchFolder: '$(Build.ArtifactStagingDirectory)'
        testRunTitle: 'OWASP Dependency-Check'
    # Publish OWASP Dependency-Check report files as artifacts.
    - task: PublishPipelineArtifact@1
      displayName: Publish ODC Artifacts
      inputs:
        targetPath: '$(Build.ArtifactStagingDirectory)'
        artifactName: OwaspDependencyCheck
```
Results
Upon successful completion of the OWASP Dependency-Check stage, the reports are published as a build artifact. Additionally, the JUnit results are published on the Tests tab.
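The pipeline above publishes the reports but never fails the build on what they contain. The following is an added example, not part of the original post, of a follow-up PowerShell@2 step that reads the JSON report written by `--format JSON` and fails the job when any dependency carries a vulnerability at or above a CVSS threshold. It assumes the report is `dependency-check-report.json` in `$env:BUILD_ARTIFACTSTAGINGDIRECTORY`, that the report uses the `dependencies[].vulnerabilities[]` layout with `name`, `severity`, `cvssv3.baseScore` and `cvssv2.score` fields (verify against your own report), and a hypothetical `ODC_FAILCVSS` variable for the threshold.

```powershell
# Added example: gate the pipeline on the Dependency-Check JSON report.
# Report layout (dependencies[].vulnerabilities[].{name,severity,cvssv3,cvssv2})
# is an assumption; confirm against a report produced by your version.
$ErrorActionPreference = 'Stop'

# ODC_FAILCVSS is hypothetical; default 7.0 covers CVSS "High" and "Critical".
$threshold  = if ($env:ODC_FAILCVSS) { [double]$env:ODC_FAILCVSS } else { 7.0 }
$reportPath = Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY 'dependency-check-report.json'

function Get-OdcFindings {
    param([Parameter(Mandatory)][string]$Path, [double]$MinScore)
    $report = Get-Content -Raw -LiteralPath $Path | ConvertFrom-Json
    foreach ($dep in @($report.dependencies)) {
        # Most dependencies have no vulnerabilities array at all.
        if (-not $dep.vulnerabilities) { continue }
        foreach ($vuln in @($dep.vulnerabilities)) {
            # Prefer the CVSS v3 base score; fall back to v2 when v3 is absent.
            $score = if ($vuln.cvssv3)     { [double]$vuln.cvssv3.baseScore }
                     elseif ($vuln.cvssv2) { [double]$vuln.cvssv2.score }
                     else                  { 0.0 }
            if ($score -ge $MinScore) {
                [pscustomobject]@{
                    Dependency = $dep.fileName
                    Cve        = $vuln.name
                    Severity   = $vuln.severity
                    Score      = $score
                }
            }
        }
    }
}

$findings = @(Get-OdcFindings -Path $reportPath -MinScore $threshold)
if ($findings.Count -eq 0) {
    Write-Host "No findings with CVSS >= $threshold."
    exit 0
}
foreach ($f in $findings) {
    # ##vso[task.logissue] surfaces each finding in the pipeline run summary.
    Write-Host "##vso[task.logissue type=error]$($f.Dependency): $($f.Cve) ($($f.Severity), CVSS $($f.Score))"
}
Write-Host "##vso[task.complete result=Failed;]$($findings.Count) finding(s) at or above CVSS $threshold"
exit 1
```

Run this as a separate step after the scan so the PublishTestResults@2 and PublishPipelineArtifact@1 tasks still execute before the job is marked failed (or give them `condition: always()`).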
References
- OWASP Dependency-Check
- dependency-check-cli Installation
- dependency-check-cli Releases
- dependency-check Documentation
- dependency-check DevOps Overview
- File Type Analyzers
- False Positives
- About
- Sample Report
- National Vulnerability Database (NVD)
- NVD API CVE Data Schema
- NVD API Key Request