Integrate OWASP Dependency Check into CI/CD

What is OWASP Dependency Checker?

Dependency Check is a popular open-source security scanning tool from OWASP and Jeremy Long. It identifies the third-party libraries used by a codebase and reports those that contain known vulnerabilities, using the NVD data feeds so that the check reflects the latest published vulnerabilities.

Security Stage: SCA (Software Composition Analysis)
Type: Open Source
Languages: Java, .NET, Python, Ruby, PHP, Node.js, C/C++
Site: https://jeremylong.github.io/DependencyCheck/


Pre-requisite

1. You'll need a Git repository URL to scan.

How do I set it up?

Adding OWASP Dependency Check to your set of security tests makes sense when you are checking source code repos. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.

[Screenshot: EditStage-1]

  • Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This includes the branch and any authentication details needed to clone it.

[Screenshot: SASTSetup]

  • Click 'Save'
  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'Dependency Checker' as a tool.

[Screenshot: depcheck]

  • Note that no 'Connection Name' is needed for OWASP Dependency Checker, so ignore this setting.
  • Click Save.

Now any time you click 'Test Now' with this Toolkit, or make a request over the Uleska API or CLI with this Toolkit, the OWASP Dependency Check tool will be included in the test run and any results will be added to your vulnerabilities list.

Notes

The Uleska Platform does not currently set suppression files for the OWASP Dependency Check tool. Instead, users can mark any found issues as false positives using the Uleska vulnerability management UI.
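For teams that also run Dependency Check directly in a pipeline stage, the two ideas above (results feeding a vulnerability list, and false positives being tracked outside the tool's suppression file) can be combined into a small CI gate. The following is an added example, not code from Uleska or from the Dependency Check project: it reads a Dependency Check JSON report (the shape shown is a constructed sample; the field names `dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore` and `cvssv2.score` are assumed), drops findings that a reviewer has already marked as false positives, and fails the build when any remaining finding has a CVSS score at or above a threshold. The CVE identifiers in the sample are placeholders.

```python
"""CI gate over a Dependency Check JSON report (added example, not project code)."""
import json
from typing import Iterable, Tuple

# Constructed sample in the shape of a Dependency Check JSON report.
# Only the fields this script reads are included; field names are assumed.
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "clean-lib-2.0.0.jar", "vulnerabilities": []},
        {"fileName": "old-lib-0.9.jar",
         "vulnerabilities": [
             # Older entries may carry only a CVSS v2 score.
             {"name": "CVE-0000-0003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
    ]
})


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unknown)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def findings(report_json: str,
             false_positives: Iterable[Tuple[str, str]] = ()) -> list:
    """Flatten the report into (file, cve, score, severity) records.

    false_positives is a set of (fileName, cve) pairs that a reviewer has
    already triaged; these are excluded, mirroring a 'mark as false positive'
    action kept outside the scanner's own suppression file.
    """
    report = json.loads(report_json)
    fp = set(false_positives)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            key = (dep.get("fileName", ""), vuln.get("name", ""))
            if key in fp:
                continue
            out.append({"file": key[0], "cve": key[1],
                        "score": score_of(vuln),
                        "severity": vuln.get("severity", "")})
    # Highest score first so the build log leads with what matters.
    return sorted(out, key=lambda f: f["score"], reverse=True)


def gate(report_json: str, threshold: float = 7.0,
         false_positives: Iterable[Tuple[str, str]] = ()) -> Tuple[bool, list]:
    """Return (passed, failing_findings); passed is False if any finding
    not triaged as a false positive scores at or above the threshold."""
    failing = [f for f in findings(report_json, false_positives)
               if f["score"] >= threshold]
    return (len(failing) == 0, failing)


if __name__ == "__main__":
    # Example run: one finding has been triaged as a false positive, so only
    # the CRITICAL one in example-lib remains above the 7.0 threshold.
    triaged = {("old-lib-0.9.jar", "CVE-0000-0003")}
    passed, failing = gate(SAMPLE_REPORT, threshold=7.0, false_positives=triaged)
    for f in failing:
        print(f"{f['file']}: {f['cve']} ({f['severity']}, CVSS {f['score']})")
    raise SystemExit(0 if passed else 1)
```

In a real pipeline the report string would be read from the file the scanner wrote, and the false-positive set would come from wherever triage decisions are recorded, so that a finding marked as a false positive in one place does not keep failing builds in another. Keeping the threshold and the triage list in version control gives an audit trail for why a known vulnerability was allowed through.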