Security Global Forum


Vulnerabilities Scanning using OWASP Dependency Scan

By Kirankumar Banait posted Fri November 24, 2023 01:42 AM

Insecure software is one of the leading technical challenges of our time, and delivering robust, fault-tolerant software is a key priority for any organization. This blog gives a brief introduction to the OWASP Dependency-Check tool and demonstrates how to integrate it with Jenkins so that vulnerable dependencies are caught in the early phases of development, on every build, rather than after release.

Vulnerable software is a major concern for companies and can cause serious harm to users. On December 9th, 2021, a zero-day vulnerability in the popular Java logging library Log4j 2 was disclosed, CVE-2021-44228 ("Log4Shell"): logging a specially crafted string made the library perform a JNDI lookup, which resulted in Remote Code Execution (RCE). The vulnerability was fixed in log4j 2.15.0.

Two further vulnerabilities followed: CVE-2021-45046, an incomplete fix in 2.15.0, and CVE-2021-45105, which were fixed in log4j 2.16.0 and 2.17.0 respectively. Each fix forced teams to work out, quickly, which of their applications bundled a vulnerable log4j-core, and that is exactly the question a dependency scanner answers.

(*CVE – Common Vulnerabilities and Exposures)

OWASP (Open Web Application Security Project) Dependency-Check is a free, open-source Software Composition Analysis (SCA) tool that detects publicly disclosed vulnerabilities in a project's dependencies. It is available as a command-line tool and integrates with Maven, Gradle and Jenkins through plugins.

How does Dependency-Check detect vulnerabilities?

OWASP Dependency-Check identifies vulnerabilities using analyzers. An analyzer is a component of Dependency-Check that understands one kind of file (for example JAR manifests and embedded pom.xml files for Java, package.json and package-lock.json for Node.js, .nuspec files for .NET) and inspects every dependency of that kind found under the scanned paths.

Each analyzer collects evidence in the form of vendor, product and version strings from the files it scans, and assigns each piece of evidence a confidence level of low, medium, high or highest according to how reliable that source is. The evidence is then matched against the CPE (Common Platform Enumeration) dictionary from the NVD; once a CPE has been identified, every CVE recorded against it is reported. Because the match is evidence-based rather than an exact lookup, the results can include false positives, which is why the report shows the confidence and the evidence behind each identification. Note that the first scan has to download the NVD data set, which can take several minutes; later scans only update the local copy.

How to Integrate with Jenkins?

1. The first step is to go to the Jenkins dashboard, select Manage Jenkins -> Manage Plugins (called Plugins in newer Jenkins versions), and install the OWASP Dependency-Check Plugin.

2. Next, register a Dependency-Check installation in the Jenkins Global Tool Configuration. In the Jenkins dashboard select Manage Jenkins -> Global Tool Configuration (called Tools in newer Jenkins versions) and scroll to the bottom, where you will find the Dependency-Check installations block.

3. Click Add Dependency-Check and give the installation a meaningful name, e.g. OWASP Dependency-Check Vulnerabilities; jobs refer to the tool by this name.

Check the Install automatically box, click Add Installer, choose Dependency-check from the dropdown menu and select the version. Then click Apply and Save. Jenkins downloads that version onto an agent the first time a job on that agent uses it.

4. Scan results: add the plugin's Invoke Dependency-Check build step (the dependencyCheck step in a pipeline) to the job, pointing it at the installation created above, and the Publish Dependency-Check results post-build action (dependencyCheckPublisher in a pipeline) to pick up the report. The results are written to an HTML or XML report; the publisher reads the XML and trends findings across builds. The tool reports, it does not fix, so you are left to interpret the results and take appropriate action.

Dependency-Check provides the following data in its report for each dependency in which it discovers vulnerabilities:

Dependency – file name of the dependency scanned

CPE – Common Platform Enumeration identifier(s) matched to the dependency

CVE Count – number of CVEs associated with the identified CPE

CPE Confidence – how reliable the CPE identification is (low, medium, high or highest)

Evidence count – number of vendor, product and version evidence items extracted from the dependency and used to identify the CPE. A low CPE confidence or a very small evidence count is a hint that the identification may be a false positive and deserves manual review (and, if confirmed, an entry in a suppression file).
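The following script shows what "interpret the results and take appropriate action" looks like in practice, and what the evidence, confidence and CVE fields described above look like once the scan is done. It is an added example, not code from the original post or from the Dependency-Check project. It assumes the scan was run with --format JSON (which writes dependency-check-report.json alongside the HTML report); the sample report embedded in it is constructed by hand to mirror that format, using the log4j CVEs from this post, and is not real scanner output.

```python
import json
import sys
from typing import Dict, List

# Added example (not from the post or the Dependency-Check project). Assumes a
# report produced with --format JSON; SAMPLE_REPORT below is constructed by
# hand to mirror that format and is not real scanner output.

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}    # NVD CVSS ratings
CONFIDENCE_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "HIGHEST": 4}   # CPE match confidence

# Constructed sample: the vulnerable log4j-core jar from the post (real CVE ids
# and NVD CVSS v3 base scores) plus one clean jar with no CPE identified.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {
        "fileName": "log4j-core-2.14.1.jar",
        "evidenceCollected": {
            "vendorEvidence": [{"confidence": "HIGH", "name": "Implementation-Vendor",
                                "value": "Apache Software Foundation"}],
            "productEvidence": [{"confidence": "HIGHEST", "name": "artifactid", "value": "log4j-core"}],
            "versionEvidence": [{"confidence": "HIGHEST", "name": "version", "value": "2.14.1"}],
        },
        "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
                              "confidence": "HIGHEST"}],
        "vulnerabilities": [
            {"name": "CVE-2021-44228", "severity": "CRITICAL", "cvssv3": {"baseScore": 10.0}},
            {"name": "CVE-2021-45046", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.0}},
            {"name": "CVE-2021-45105", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.9}},
        ],
    },
    {
        "fileName": "commons-lang3-3.12.0.jar",
        "evidenceCollected": {
            "vendorEvidence": [{"confidence": "HIGH", "name": "groupid", "value": "org.apache.commons"}],
            "productEvidence": [{"confidence": "HIGHEST", "name": "artifactid", "value": "commons-lang3"}],
            "versionEvidence": [],
        },
        "vulnerabilityIds": [],
        "vulnerabilities": [],
    },
]})


def severity_of(vuln: Dict) -> str:
    """Severity string from the report, else derived from the CVSS v3 base
    score, else from CVSS v2 (older CVEs carry no v3 vector). Unknown counts
    as LOW: visible in the summary, not blocking; stricter shops use HIGH."""
    sev = str(vuln.get("severity", "")).upper()
    if sev in SEVERITY_RANK:
        return sev
    score = (vuln.get("cvssv3") or {}).get("baseScore")
    if score is None:
        score = (vuln.get("cvssv2") or {}).get("score")
    if score is None:
        return "LOW"
    score = float(score)
    return "CRITICAL" if score >= 9.0 else "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def summarize(report_json: str) -> List[Dict]:
    """One row per dependency with the fields the HTML report shows:
    dependency, CPE, CVE count, CPE confidence and evidence count."""
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        evidence = dep.get("evidenceCollected", {})
        cpes = dep.get("vulnerabilityIds", [])
        vulns = dep.get("vulnerabilities", [])
        confidences = [str(c.get("confidence", "LOW")).upper() for c in cpes]
        rows.append({
            "dependency": dep.get("fileName"),
            "cpe": [c.get("id") for c in cpes],
            "cpe_confidence": (max(confidences, key=lambda c: CONFIDENCE_RANK.get(c, 0))
                               if confidences else None),
            "cve_count": len(vulns),
            "evidence_count": sum(len(items) for items in evidence.values()),
            "highest_severity": max((severity_of(v) for v in vulns),
                                    key=lambda s: SEVERITY_RANK[s], default=None),
        })
    return rows


def findings_at_or_above(report_json: str, min_severity: str = "HIGH") -> List[Dict]:
    """Every (dependency, CVE) pair whose severity meets the threshold."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for dep in json.loads(report_json).get("dependencies", []):
        for v in dep.get("vulnerabilities", []):
            sev = severity_of(v)
            if SEVERITY_RANK[sev] >= threshold:
                hits.append({"dependency": dep.get("fileName"), "name": v.get("name"), "severity": sev})
    return hits


def build_passes(report_json: str, min_severity: str = "HIGH") -> bool:
    """Build gate: True when no finding reaches min_severity."""
    return not findings_at_or_above(report_json, min_severity)


if __name__ == "__main__":
    # python gate.py [dependency-check-report.json]; exit 1 on blocking findings
    # so that a Jenkins shell step running this fails the build.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for row in summarize(text):
        print(row)
    blockers = findings_at_or_above(text, "HIGH")
    for hit in blockers:
        print("BLOCKING: %s in %s (%s)" % (hit["name"], hit["dependency"], hit["severity"]))
    sys.exit(1 if blockers else 0)
```

Run it as a shell step after the Dependency-Check step, with the scan configured to also emit JSON; a non-zero exit fails the build. The Dependency-Check CLI has a --failOnCVSS option and the Jenkins publisher has severity thresholds that do the simple case for you; the point of a script like this is that the policy is yours to shape, for example treating a LOW-confidence CPE match as "needs review" rather than "blocks the build" until someone has confirmed or suppressed it.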

Conclusion:

OWASP Dependency-Check is a powerful tool that helps identify and mitigate security issues arising from the use of third-party libraries in software projects. Run from Jenkins on every build, it turns a question like "which of our applications ship a vulnerable log4j-core?" into a report you already have. It is easy to set up and use and offers numerous use cases, including identifying.

Author Details:  Kirankumar Banait (Kirankumar.Banait@ibm.com)
Reviewer Details: Boudhayan Chakrabarty (bochakra@in.ibm.com)
