Recap of Part 1 thanks for joining once again. In the last post, I introduced the OWASP Dependency-Check tool briefly and discussed its increasing helpfulness in today's Software Engineering world due to the increasing integration of open source & third-party code. Summary Today we will take a look at how we can easily integrate the Dependency-Check into our existing CI/CD Pipeline or how we can create a standalone Dockerfile to run the Dependency-Check on demand. Tools / Requirements As for knowledge, it would be nice to have basic knowledge of how to run Dockerfiles but other than that there's not much required. As for tools we will use:
Docker Setup For the Setup, we'll start with the Dockerfile and then discuss how we can run it standalone or integrate it in an existing CI/CD pipeline. Dockerfile ####################
# FRONTEND DEPENDENCIES
####################

# we install the frontend dependencies to create a node_modules directory
FROM node:14 as frontend_dependencies
COPY path/to/package.json /frontend
WORKDIR /frontend
RUN npm i && npm ci

####################
# INSTALL DEPENDENCY CHECK
####################

# we download the dependency-check zip & unzip it
FROM ubuntu:14.04 as dependency_check_install
RUN apt-get update \
    && apt-get install -y wget unzip \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

RUN wget https://github.com/jeremylong/DependencyCheck/releases/download/v6.5.2/dependency-check-6.5.2-release.zip \
    && unzip dependency-check-6.5.2-release.zip \
    && rm dependency-check-6.5.2-release.zip

####################
# RUN DEPENDENCY CHECK
####################

# we require a Java image here to run the dependency-check
FROM openjdk:18-alpine as dependency_check

# add yarn for dependency check to run without errors
RUN apk add yarn

# copy dependency-check from the previous stage
COPY --from=dependency_check_install /dependency-check /dependency-check

# copy frontend node modules from the previous stage
COPY --from=frontend_dependencies /frontend/node_modules /frontend/node_modules


# copy backend python files to be checked
COPY path/to/pythoncode/src /backend

# this line is optional. It's only necessary if you wish to run the Dependency-Check standalone
RUN /dependency-check/bin/dependency-check.sh --scan . --out ./report Dockerfile explanation As for JS code, we need to initialize the node_modules from the package.json first As for the Python Backend code, we need to copy the .py files over into the Docker container and use the experimental mode for Python. By separating these steps into multiple Docker Stages we minimize the final Docker image size by excluding things such as node, wget, and unzip. Run Dependency-Check The last line in the Dockerfile that's commented as Optional runs the Dependency-Check. If we want to run the Dependency-Check on-demand outside a Pipeline we have to include this line here. It will scan all files in the directory and generate a report as HTML file. We can also specify another Output format such as JSON, CSV, ... This may be helpful if we have an automatic Analyser in place that can process JSON or CSV files. Jenkinsfile If we want to include this Scan in a CI/CD Pipeline we would do it as follows in a Jenkinsfile example: stage('Vulnerability Check') {
          stages {
            stage('OWASP dependency-check') {
              agent {
                dockerfile {
                  filename 'Dockerfile'
                }
              }
              steps {
                sh '/dependency-check/bin/dependency-check.sh --out ./report --scan /app --format HTML --format JSON --prettyPrint --enableExperimental --disableAssembly'
              }
              post {
                always {
                  archiveArtifacts "report/dependency-check-report.json"
                  archiveArtifacts "report/dependency-check-report.html"
                }
              }
            }
          }
        } Jenkinsfile explanation We specify the Dockerfile to be run. Don't forget to remove the last optional line in the Dockerfile if you use this approach Then we specify the command to be executed. The flags --format specify the outut format. The --enableExperimental flag enables python scanning. Finally we archive the results, so that we can view them later on in Jenkins. Output the generated .html will list the vulnerabilities and general information about the scan Thank you for reading so far! :) That's it for the little guide. If you have questions or anything is unclear feel free to leave a comment. Also if you like this article or find it interesting be sure to leave a like or share it with people who might be interested in the topic :) It would help me a lot. This article was first posted here

2022 - HackerNoon Contributor of the Year - Cicd

2022 - HackerNoon Contributor of the Year - Devops

2022 - HackerNoon Contributor of the Year - Docker

2022 - HackerNoon Contributor of the Year - Testing

Nominated for 2022 - HackerNoon Contributor of the Year - Devops

Nominated for 2022 - HackerNoon Contributor of the Year - Testing

Nominated for 2022 - HackerNoon Contributor of the Year - Docker

Nominated for 2022 - HackerNoon Contributor of the Year - Cicd

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Automatically Scan Your Project Dependencies for Vulnerabilities Using Docker, Jenkins (Part 2/2)

Automatically Scan Your Project Dependencies for Vulnerabilities Using Docker, Jenkins (Part 2/2)

Too Long; Didn't Read

Jochen Rui

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Automatically Scan Your Project Dependencies for Vulnerabilities Using Docker, Jenkins (Part 2/2)

Too Long; Didn't Read

Jochen Rui

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES