Identifying vulnerability risks is an important issue for many business projects. In this post, we’ll show how to integrate OWASP Dependency-Check in a Spring Boot API and a Jenkins Pipeline.
· Prerequisites
· Overview
∘ What is OWASP Dependency-Check?
∘ Why use OWASP Dependency-Check?
∘ How does dependency-check work?
· Getting Started
∘ OWASP Dependency Check In Maven project
∘ OWASP Dependency Check In Jenkins Pipeline
· Conclusion
· References
Prerequisites
This is the list of all the prerequisites:
- Spring Boot 3+
- Maven 3.6+
- A Jenkins server is already up and running
- A GitHub repository
- Git
Overview
What is OWASP Dependency-Check?
OWASP dependency-check is an open-source solution that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Why use OWASP Dependency-Check?
- It’s open source
- Easy to use
- The OWASP dependency-check core analysis engine can be used as an Ant Task, Command Line Tool, Gradle Plugin, Jenkins Plugin, Maven Plugin (Maven 3.1 or newer required), or SBT Plugin
- It contains several file-type analyzers that are used to extract identification information from the files analyzed.
How does dependency-check work?
Dependency-check works by collecting information about the files it scans (using Analyzers). The information collected is called Evidence; there are three types of evidence collected: vendor, product, and version.
For instance, the JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR files scanned and it has heuristics to place the information from the various sources into one or more buckets of evidence.
Getting Started
OWASP Dependency Check In Maven project
We will start by creating a simple Spring Boot Maven project from start.spring.io. Then, we need to add the dependency-check plugin to the Maven pom.xml file.
<build>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>9.0.0</version>
            <executions>
                <execution>
                    <goals>
                        <goal>check</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
We can run the plugin using the following command:
mvn org.owasp:dependency-check-maven:check
It is important to understand that the first time this task is executed it may take 20 minutes or more as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the plug-in is executed at least once every seven days the update will only take a few seconds.
The dependency-check plugin is, by default, tied to the verify or site phase depending on whether it is configured as a build or reporting plugin.
Once the scan completes, the OWASP dependency-check-maven plugin generates a report in HTML format listing all the vulnerabilities found in the application’s dependencies.

Open the “target/dependency-check-report.html” file in the web browser to view the analysis report.
It looks like this:

Dependency-check Maven Goals
- aggregate: Runs dependency-check on all child projects and generates a single report.
- check: Runs dependency-check on the project and generates a report.
- update-only: Updates the local cache of the National Vulnerability Database (NVD) from NIST.
- purge: Deletes the local copy of the NVD, forcing a refresh of the data.
There are several configuration options that we can use with the OWASP dependency-check-maven plugin. More information is available in the full documentation.
OWASP Dependency Check In Jenkins Pipeline
In this section, we will integrate OWASP Dependency Check into the CI/CD process with Jenkins.
The first step is to install the OWASP Dependency-Check plugin. For that, go to Manage Jenkins > Manage Plugins, and install the OWASP Dependency-Check Plugin.

The second step is to add a Dependency-Check installation in the global configuration. Go to Manage Jenkins > Global Tool Configuration, scroll down to Dependency-Check and click Add Dependency-Check.

Enter the name of the installation tool and Save.
One or more Dependency-Check versions can be installed via the Jenkins Global Tool Configuration. The installation of Dependency-Check can be performed automatically, which downloads and extracts the official Command-Line Interface (CLI) from GitHub, or an official distribution can be installed manually and the path to the installation referenced in the configuration.
The final step is to add a stage to the Jenkinsfile pipeline that runs the dependency check.
stage('OWASP Dependency-Check') {
    steps {
        dependencyCheck additionalArguments: '''
            -o './'
            -s './'
            -f 'ALL'
            --prettyPrint''', odcInstallation: 'OWASP-DP-CHECK'
        dependencyCheckPublisher pattern: 'dependency-check-report.xml'
    }
}
Make sure the odcInstallation value is the same name you entered in the Jenkins Dependency-Check installation.
The Dependency-Check report is available for each build.
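A report that is only published is easy to ignore; what a pipeline usually needs is a gate that fails the build when a dependency carries a finding above a chosen CVSS score. The Maven plugin has a built-in failBuildOnCVSS setting for the Maven section above; the Jenkins stage above runs the CLI with -f 'ALL', which also writes dependency-check-report.json next to the XML report, so the same threshold can be enforced from a small script in a follow-up sh step. The script below is an added example, not code from the post or from the dependency-check project. It assumes the JSON report layout (a dependencies array whose entries carry a vulnerabilities array with name, severity, cvssv3.baseScore and cvssv2.score); the embedded sample report, the CVE identifiers in it (placeholders of the form CVE-0000-000N), the file names and the script name gate_report.py are all constructed for the example.

```python
"""gate_report.py: fail a CI build on an OWASP Dependency-Check JSON report.

Added example, not part of the post or of dependency-check. Usage in a
Jenkins stage after the dependencyCheck step (assumed):
    sh 'python3 gate_report.py dependency-check-report.json 7.0'
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dependency: str   # file name of the scanned artifact (e.g. a JAR)
    cve: str          # vulnerability name as reported, normally a CVE id
    severity: str     # CRITICAL / HIGH / MEDIUM / LOW as reported
    score: float      # CVSS base score used for the gate


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0.

    Assumed layout: vuln["cvssv3"]["baseScore"] and vuln["cvssv2"]["score"].
    A finding with no score is never dropped silently; it simply scores 0.0
    and shows up only if the threshold is 0.0.
    """
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def parse_report(report: dict) -> list[Finding]:
    """Flatten the nested report into one Finding per (dependency, CVE)."""
    findings: list[Finding] = []
    for dep in report.get("dependencies", []) or []:
        # Clean dependencies carry no "vulnerabilities" key at all.
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(
                dependency=dep.get("fileName", "<unknown>"),
                cve=vuln.get("name", "<unknown>"),
                severity=str(vuln.get("severity", "UNKNOWN")).upper(),
                score=cvss_score(vuln),
            ))
    return findings


def gate(findings: list[Finding], threshold: float,
         suppressed: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the findings that must fail the build.

    Mirrors the failBuildOnCVSS semantics: a finding blocks when its score is
    greater than or equal to the threshold. An explicit allow-list of CVE ids
    stands in for a reviewed suppression file; keep it small and dated.
    """
    return [f for f in findings
            if f.score >= threshold and f.cve not in suppressed]


# Constructed sample report (shape only; CVE ids are placeholders).
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-web-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "example-legacy-2.3.jar",
         "vulnerabilities": [
             # Older entries may only carry a v2 score.
             {"name": "CVE-0000-0003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "clean-lib-4.1.jar"},
    ],
}


def run(path: str, threshold: float, suppressed: frozenset[str]) -> int:
    """Load a report from disk, print blocking findings, return exit status."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    blocking = gate(parse_report(report), threshold, suppressed)
    for f in sorted(blocking, key=lambda f: -f.score):
        print(f"{f.score:4.1f} {f.severity:8} {f.cve:16} {f.dependency}")
    print(f"{len(blocking)} finding(s) at or above CVSS {threshold}")
    return 1 if blocking else 0


if __name__ == "__main__":
    report_path = sys.argv[1] if len(sys.argv) > 1 else "dependency-check-report.json"
    cvss_threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    allow = frozenset(sys.argv[3:])   # optional reviewed CVE ids to ignore
    sys.exit(run(report_path, cvss_threshold, allow))
```

A non-zero exit status from the sh step marks the Jenkins build as failed, so the gate sits between the scan and any deploy stage. Preferring the v3 score with a v2 fallback matters because the two scales differ, and a findings list that silently drops unscored entries would hide exactly the cases a reviewer should look at.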

Congratulations! OWASP Dependency Check is well configured in Jenkins.
Conclusion
In this post, we have seen how to integrate OWASP Dependency-Check in a Spring Boot API and a Jenkins Pipeline.
The complete source code is available on GitHub.
You can reach out to me and follow me on Medium, Twitter, and GitHub.
Thanks for reading!