Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Maven owasp dep update #776

Merged
merged 4 commits into from
Apr 6, 2020
Merged

Maven owasp dep update #776

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
30ff6bf
add pmd and owasp dependency check through -P owasp profile
zubcevic Apr 3, 2020
69f5cea
suppress full stack trace in log
zubcevic Apr 3, 2020
0e031e0
revert to spring 2.2.0 as 2.2.4 failed in travis
zubcevic Apr 4, 2020
2d74cc1
added owasp dependency check maven configuration details to vulenerable
zubcevic Apr 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
added owasp dependency check maven configuration details to vulenerable 
lesson page 7
  • Loading branch information
@zubcevic
zubcevic committed Apr 5, 2020
commit 2d74cc1d4f009402100c2c71e6bc0edc9ab72be9
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.1</version>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
Expand Down
53 changes: 52 additions & 1 deletion ...components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,58 @@

There are several open source and paid-for solutions that will identify risk in components. However, there are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.

Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report:
Dependency check uses several pieces of evidence to determine the library names. You can add OWASP Dependency check as a plugin to the pom.xml of a Maven project for instance. The plugin will download information from public vulnerability databases and it will check if vulnerable libraries are used and will indicate which vulnerability was reported.

As part of a development pipeline, you can instruct the plugin to fail the build if there are violations that the development team was not aware of. Additionally you can use an xml file to waiver some of the violations. You should do so if the mentioned vulnerability cannot be exploited in your application.

In the parent pom.xml from WebGoat you can see an example:

[source,xml]
----
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope>
<suppressionFiles>
<suppressionFile>project-suppression.xml</suppressionFile>
</suppressionFiles>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
----

And also an example of the suppressed violations.

[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress base="true"><!-- webgoat-server -->
<cpe>cpe:/a:postgresql:postgresql</cpe>
<cve>CVE-2018-10936</cve>
</suppress>
</suppressions>
----

In the case of WebGoat, the plugin is activated when the following is run (owasp profile):

mvn clean install -Powasp

Below is a snippet of a report, which can be found in e.g. webgoat-container/target/dependency-check-report.html:

image::images/OWASP-Dep-Check.png[caption="Figure: ", title="WebGoat Bill of Materials", alt="BoM", width="988", height="515", style="lesson-image"]

Expand Down