https://blog.lanyonm.org/articles/2015/12/22/continuous-security-owasp-java-vulnerability-check.html
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://nvd.nist.gov/vuln/data-feeds
Just run
mvn dependency-check:check
and you get a detailed report of all the known vulnerabilities in your dependencies... fantastic! A Jenkins plugin is also available, so you don't need to modify all your poms.
To use it as a Jenkins plugin, install these plugins:
http://updates.jenkins-ci.org/latest/dependency-check-jenkins-plugin.hpi
https://updates.jenkins.io/latest/token-macro.hpi
https://updates.jenkins.io/latest/analysis-core.hpi
https://updates.jenkins.io/latest/dashboard-view.hpi
https://updates.jenkins.io/latest/maven-plugin.hpi
http://updates.jenkins-ci.org/latest/apache-httpcomponents-client-4-api.hpi
http://updates.jenkins-ci.org/latest/javadoc.hpi
http://updates.jenkins-ci.org/latest/jsch.hpi
An interesting post on configuring a separate Jenkins job that only updates the NIST NVD data into a shared folder, so that the check does not download updates at every build: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8
A similar post: https://blog.dominikschadow.de/2015/07/using-owasp-dependency-check-as-jenkins-plugin/
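The two ideas above (running the check from Maven, and keeping the NVD data in a shared folder that a separate job updates) can be combined in the project's pom.xml. The following build section is an added example written for this note, not code from the blog post or from the Dependency Check project; the plugin version and the data directory path are placeholders to adjust for your environment.

```xml
<!-- Added example: dependency-check-maven configured to fail the build on
     serious findings and to read NVD data from a shared, pre-updated folder.
     Not taken from the post or the project docs; version and path are placeholders. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- placeholder: use a current release of the plugin -->
      <version>X.Y.Z</version>
      <configuration>
        <!-- Break the build when any dependency carries a CVE with CVSS >= 7 -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Shared NVD data directory (placeholder path) that a separate
             Jenkins job keeps up to date; ordinary builds do not update it -->
        <dataDirectory>/var/lib/dependency-check/data</dataDirectory>
        <autoUpdate>false</autoUpdate>
        <!-- Produce every report format (HTML for humans, XML/JSON for tooling) -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the check as part of the normal lifecycle and fails when a dependency matches a CVE at or above the configured score. The separate Jenkins job that refreshes the shared folder runs the plugin's `update-only` goal with the same `dataDirectory` setting, so build agents only read the local database and never hit the NVD feeds themselves; if that job stops running, the builds keep passing against stale data, which is worth a freshness check of its own.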
A good test is to run it against WebGoat (https://github.com/WebGoat/WebGoat), but the repo is heavy and you need a good internet connection.
A presentation of the plugin by Jeremy Long (OWASP): https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf
Wednesday, October 18, 2017