A few days ago, due to the widely mentioned Log4Shell, I had to first work on detecting if some projects were impacted by said vulnerability, and incidentally, detecting other possible existing vulnerabilities. In some applications it was easy to detect it since the vulnerable dependency is directly added by the project, but on many other occasions, the problems were in transitive dependencies, indirectly added by other libraries.
This is why the solution was to add the plugin “owasp-dependency-check” in maven or gradle. This plugin uses the NVD database of detected vulnerabilities. Generates a tree of all dependencies in the project (including transitive ones) and checks for each of them, if a vulnerability has been detected. Finally it generates a report with the summary of detected vulnerabilities.
It is very easy to add, and I think it should be a good practice to include it in those projects or applications that have code in production.
Maven
For maven, you only have to add the plugin and indicate the goal “check” if we want it to run automatically when building the project.
<project> ... <build> ... <plugins> ... <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>6.5.1</version> <executions> <execution> <goals> <goal>check</goal> <!--optional--> </goals> </execution> </executions> </plugin> ... </plugins> ... </build> ... </project>
Since the verification may take a few seconds, it is possible not to indicate that configuration executions / execution / goals / goal / check
and to execute the verification manually only when we want it through the command line mvn dependency-check:check
.
Or if you have a multi-module project, you can include the plugin in the parent pom
, and use the goal aggregate
so that it verifies all the sub-modules and generates a single report with the result of all of them. In command line use the following mvn dependency-check:aggregate
Gradle
In Gradle, it is simple enough to add the plugin in the build.gradle
file
plugins { id "org.owasp.dependencycheck" version "6.5.1" }
If we want to execute it from the command line we can use gradle dependencyCheckAnalyze
to verify the project. Now, if we have a multi module project, the plugin can be added to the parent project and run gradle dependencyCheckAggregate
, in this way all the sub modules are verified and a report with the result of all of them is generated.
Settings
The plugin is very configurable, among the most important options to mention is the possibility of failing the build if a vulnerability of a certain level is detected (which is very useful for a development model with continuous integration), also on some occasions it can detect a vulnerability that has no solution and you do not want it to appear in the report, so it can be suppressed.
Fail when detecting a vulnerability
The vulnerabilities have a level from 0 to 10, depending on how critical or not they are.
Level | Value |
---|---|
None | 0.0 |
Low | 0.1-3.9 |
Medium | 4.0-6.9 |
High | 7.0-8.9 |
Critical | 9.0-10.0 |
As a good practice, it is advisable to avoid having High and Critical vulnerabilities, that is, with a value of 7.0
or higher. By default the plugin fails to build when detecting vulnerabilities with a value of 11
which is not possible in practice, so it never fails.
<plugin> ... <configuration> <failBuildOnCVSS>7</failBuildOnCVSS> </configuration>
dependencyCheck { failBuildOnCVSS=7 }
Suppress a vulnerability
For different reasons we could decide to suppress a vulnerability. For example:
- It is a false positive, a dependency is detected as vulnerable but that dependency is not really vulnerable.
- There is no workaround for the vulnerability in said dependency.
In these cases, the plugin allows you to indicate a file with the list of vulnerabilities or libraries to be suppressed.
<configuration> <suppressionFiles> <suppressionFile>http://example.org/suppression.xml</suppressionFile> <suppressionFile>project-suppression.xml</suppressionFile> </suppressionFiles> </configuration>
dependencyCheck { suppressionFiles=["http://example.org/suppression.xml","project-suppression.xml"] }
For more information on the format and structure of a suppression file this page is helpful.
Conclusion
Definitely, security in applications is a topic that should not be neglected, and this plugin makes it very easy to stay alert to existing vulnerabilities in our code.
References
- https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html
- https://en.wikipedia.org/wiki/Log4Shell
- https://jeremylong.github.io/DependencyCheck/general/suppression.html
thanks