Safeguarding Your Code: The Critical Importance of Dependency Scanning
Today’s applications rely heavily on libraries and frameworks, yet the risks posed by vulnerabilities in these components are often underestimated. A single vulnerable library can grant attackers full control over an application, compromising data, transactions, files, and even Internet communication. The Log4j Vulnerability in 2021 highlighted the severity of such risks, allowing attackers to execute arbitrary code and leading to widespread exploitation and data breaches. Despite this, research shows that a significant number of cloud enterprise environments remain vulnerable, with patching rates lagging behind vulnerability disclosures.
Why does dependency scanning matter?
In large enterprises with several teams, it is quite difficult to manage and keep track of every dependency developers are using. One way to address this problem is an automated check, baked into the enterprise's DevOps process, that scans for vulnerable libraries and raises alerts whenever any are found.
What are the benefits of scanning for vulnerable dependencies based on a CI approach?
Generally, you can't rely on people to keep their libraries up to date, so being able to detect vulnerable libraries automatically makes the job much easier. Besides the obvious security reason, as a dev team you also want to:
- Find vulnerabilities and patch them early in the application life cycle rather than later, when fixes risk causing delays and missed deadlines.
- Compliance: many regulatory standards and frameworks require organizations to manage and secure their dependencies. Dependency scanning helps ensure compliance with these requirements.
- Open-source risk management: many applications rely heavily on open-source components, which can introduce security risks. Dependency scanning helps manage these risks by identifying and addressing vulnerabilities in open-source dependencies.
How can OWASP Dependency-Check help?
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. [2]
Dependency-Check offers multiple integration options, including a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. Its core engine uses analyzers to inspect project dependencies and collect information (referred to as evidence) about them. This information is used to identify the Common Platform Enumeration (CPE) for each dependency. If a CPE is found, Dependency-Check lists associated Common Vulnerability and Exposure (CVE) entries in its report. Additionally, the tool leverages third-party services and data sources like the NPM Audit API, the OSS Index, RetireJS, and Bundler Audit for specific technologies.
Example of scanning a Maven project
- Install Dependency-Check: Download and install OWASP Dependency-Check from the official website or use a package manager if available for your operating system.
- Set up the Java project by adding the OWASP Dependency-Check Maven plugin to your project's pom.xml file:
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.1.1</version>
    </plugin>
  </plugins>
</build>
- Run the mvn dependency-check:check command in your project directory to scan dependencies for vulnerabilities.
Example of scanning an Angular project
- Install the OWASP Dependency-Check CLI tool for your Angular project:
  npm install -g dependency-check
- Run the dependency-check --project "<project_name>" --scan <path_to_project> command in your Angular project directory to scan dependencies for vulnerabilities (the CLI requires both a project name and a --scan path).
Viewing the results
View the Scan Results: The scan results will be generated in HTML format, typically in a target directory for Java projects and a reports directory for Angular projects. Open the HTML report in a web browser to view the vulnerabilities found in your dependencies.
Running it as part of CI
Plugins are available for the tools below, which make it easier to use Dependency-Check in CI:
- Azure DevOps: https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck
- Sonar: https://github.com/dependency-check/dependency-check-sonar-plugin
- Circle CI: https://github.com/entur/owasp-orb
- Jenkins: https://plugins.jenkins.io/dependency-check-jenkins-plugin/
If you work in a corporate environment and need to do things manually, you can do everything from a bash task with the commands below. They also install the unzip utility and route the scan's downloads (NVD data) through a proxy.
# download and unpack the Dependency-Check CLI release
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.0/dependency-check-8.4.0-release.zip
apt-get install unzip
unzip dependency-check-8.4.0-release.zip -d dependency_check
# scan node_modules, fetch vulnerability data via the proxy and write a JUnit report to dependency_check/
dependency_check/dependency-check/bin/dependency-check.sh --project "Project name" --scan node_modules --out dependency_check --proxyserver PROXYSERVERIP --proxyport PROXYSERVERPORT --format JUNIT
JUnit report
You can also produce the report in JUnit format (the --format JUNIT option above) and add a condition that fails your CI pipeline when a threshold is exceeded. For example, in Azure DevOps you can use the Publish Test Results task with the path of the report generated above to view the results in the pipeline.
You can also fail the pipeline if X number of vulnerabilities were found.
Use the following PowerShell script to count the number of failed tests (one per reported vulnerability) and fail the pipeline if the count exceeds a certain threshold (pass your desired threshold as the failureThreshold parameter):
param (
    [string]$testResultPath,
    [int]$failureThreshold
)
# Parse the JUnit XML report; each finding is a <testcase> carrying a <failure> element
[xml]$testResults = Get-Content -Raw $testResultPath
$failedTests = $testResults.SelectNodes('//testcase/failure').Count
Write-Host "Total Failed Tests: $failedTests"
if ($failedTests -gt $failureThreshold) {
    Write-Host "Failing the pipeline as the number of failed tests exceeds the threshold"
    exit 1
}
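The same threshold gate in Python, as an added example that is not from the original article, for pipelines without PowerShell; it additionally groups findings per dependency. It assumes the JUnit report follows the standard layout of one testcase per finding with a nested failure element, and the embedded sample report is constructed rather than real Dependency-Check output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Tuple

# Constructed sample in the standard JUnit layout (one <testcase> per finding,
# with a nested <failure>); it is not a real Dependency-Check report.
SAMPLE_JUNIT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="dependency-check" tests="3" failures="2">
    <testcase classname="example-lib-1.0.jar" name="CVE-0000-0001">
      <failure type="CRITICAL" message="placeholder finding">details</failure>
    </testcase>
    <testcase classname="example-lib-1.0.jar" name="CVE-0000-0002">
      <failure type="HIGH" message="placeholder finding">details</failure>
    </testcase>
    <testcase classname="other-lib-2.3.tgz" name="no vulnerabilities found"/>
  </testsuite>
</testsuites>
"""

def count_findings(junit_xml: str) -> Tuple[int, Counter]:
    """Count <testcase> elements that carry a <failure>, grouped by dependency (classname)."""
    root = ET.fromstring(junit_xml)
    per_dependency: Counter = Counter()
    for case in root.iter("testcase"):
        if case.find("failure") is not None:
            per_dependency[case.get("classname", "unknown")] += 1
    return sum(per_dependency.values()), per_dependency

def should_fail(junit_xml: str, threshold: int) -> bool:
    """Return True when the total number of findings exceeds the threshold."""
    total, per_dependency = count_findings(junit_xml)
    for dependency, n in per_dependency.most_common():
        print(f"{dependency}: {n} finding(s)")
    print(f"Total findings: {total} (threshold {threshold})")
    return total > threshold

if __name__ == "__main__":
    # Usage: python gate.py <report.xml> <threshold>; with no arguments the sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
        threshold = int(sys.argv[2])
    else:
        xml_text, threshold = SAMPLE_JUNIT, 1
    sys.exit(1 if should_fail(xml_text, threshold) else 0)
```

The non-zero exit status is what makes a bash or Azure DevOps script task mark the pipeline as failed.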
OWASP Dependency-Check alternatives
| Tool | Advantage | Disadvantage |
| --- | --- | --- |
| Snyk | Comprehensive security platform, actionable insights | Paid plans required for advanced features |
| WhiteSource | Security and compliance management platform | Paid plans required for advanced features |
| Sonatype Nexus Lifecycle | Advanced dependency scanning capabilities, integrates with CI/CD tools | Requires integration with Nexus platform |
| Black Duck (Synopsys) | Comprehensive open source security platform, integrates with CI/CD pipelines | Paid tool, requires setup and configuration |
| Veracode | Application security platform, detailed vulnerability information | Paid tool, may be more focused on application security testing |
| SafetyCulture | Security platform with dependency scanning capabilities | Less well-known, may have limited ecosystem support |
| GitHub Dependabot | Automated dependency version updates, integrated with GitHub | Primarily focuses on dependency version updates |