
Dependency-Check in Azure DevOps

Hi everyone. In this post we are going to set up OWASP Dependency-Check in Azure DevOps. This is part of Software Composition Analysis (SCA), an important phase of a secure software development lifecycle. OWASP Dependency-Check is one of the most popular SCA tools, and here we implement it in an Azure DevOps pipeline.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is the process of identifying and managing the third-party components and libraries used in a project. It helps catch known security vulnerabilities, compatibility issues and licensing risks before they reach production. In short, SCA is about knowing exactly what is inside your software and making sure it is all safe to ship. Popular tools include OWASP Dependency-Check, Retire.js and Snyk.

OWASP Dependency Check

Dependency-Check is an SCA tool that identifies publicly disclosed vulnerabilities in a project's dependencies. It collects evidence (vendor, product and version strings) from each dependency and tries to match it to a Common Platform Enumeration (CPE) identifier; when a CPE matches, it looks up the Common Vulnerabilities and Exposures (CVE) entries recorded against that CPE in the National Vulnerability Database (NVD) and generates a report with links to them. Because the CPE match is evidence-based rather than exact, expect some false positives and negatives; confirmed false positives can be silenced with a suppression file. The NVD data is downloaded and cached locally on the agent. An NVD API key does not improve detection; it only lets the tool download the NVD feed without being throttled by NVD's strict unauthenticated rate limits.

We use Vulnerable-Dependencies for the demonstration, a simple C# console application with deliberately vulnerable NuGet dependencies. Feel free to modify it.

https://github.com/pentestguy/Vulnerable-Dependencies

The image below shows the structure of the repo in Azure DevOps.

[Image: Vulnerable-Dependencies repo structure in Azure DevOps]

Clone the repository into Azure DevOps, or use your own repository/project where you want to implement this test. Then create an azure-pipeline.yml file and add the code below to it. Your own pipeline will probably contain more tasks; here we focus only on running Dependency-Check and generating the report.

trigger: none

# The build step below references $(buildConfiguration). Define it here (or as a
# pipeline variable in the UI); otherwise the macro is passed to dotnet unexpanded.
variables:
  buildConfiguration: 'Release'

jobs:
- job: buildandtest
  pool:
    name: 'Self-hosted'

  steps:
  - task: DotNetCoreCLI@2
    displayName: 'Restore NuGet packages - dotnet restore'
    inputs:
      command: 'restore'
      projects: '**/*.csproj'

  - task: DotNetCoreCLI@2
    displayName: 'Build the project - dotnet build'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration) --no-restore'

  - task: dependency-check-build-task@6
    displayName: 'Dependency Checker - Security'
    # continueOnError lets the pipeline carry on even when failOnCVSS trips;
    # remove it if the scan should block the build.
    continueOnError: true
    inputs:
      projectName: 'Dependency.Check'
      scanPath: '**/*.csproj'
      format: 'HTML, JSON, JUNIT'
      # fail the task on any vulnerability with CVSS score >= 8
      failOnCVSS: '8'
      # nvdapi is a secret pipeline variable holding the NVD API key
      nvdApiKey: $(nvdapi)

  - task: PublishTestResults@2
    displayName: 'Publish Dependency Check Test Results'
    inputs:
      testResultsFormat: 'JUnit'
      # Dependency-Check writes its reports under $(Common.TestResultsDirectory)/dependency-check,
      # which resolves to $(Agent.BuildDirectory)/TestResults/dependency-check
      testResultsFiles: '$(Agent.BuildDirectory)/TestResults/dependency-check/*junit.xml'
      mergeTestResults: true

Make sure to supply an API key from the National Vulnerability Database (NVD). Use the link below, fill in your details, and you will receive your own key within a few minutes. Store it in the pipeline as a secret variable (nvdapi in the YAML above) rather than pasting it into the YAML. The key is not required for detection, but without it the NVD data download is throttled by NVD's unauthenticated rate limits and can take a very long time or fail outright.

https://nvd.nist.gov/developers/request-an-api-key

Dependency Check Code

The task below runs Dependency-Check; adjust projectName, failOnCVSS and nvdApiKey to your needs. failOnCVSS fails the task when any dependency has a vulnerability whose CVSS score is equal to or higher than the given value (8 here). With continueOnError: true that failure is reported as "succeeded with issues" and the rest of the pipeline still runs, so remove continueOnError if you want the scan to gate the build.

  - task: dependency-check-build-task@6
    displayName: 'Dependency Checker - Security'
    continueOnError: true
    inputs:
      projectName: 'Dependency.Check'
      scanPath: '**/*.csproj'
      format: 'HTML, JSON, JUNIT'
      failOnCVSS: '8'
      nvdApiKey: $(nvdapi)
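The failOnCVSS threshold is the only gate the task gives you. Since the format above also produces a JSON report, you can post-process that report in a later pipeline step for a custom summary or a per-severity policy. The script below is an added example written for this post; it is not code from OWASP Dependency-Check or its Azure DevOps extension. It assumes the layout of the Dependency-Check JSON report (dependencies[].vulnerabilities[] with severity, cvssv3.baseScore and cvssv2.score) and that the task writes it to $(Common.TestResultsDirectory)/dependency-check/dependency-check-report.json; verify both against your own report. The embedded sample report, its package names and its CVE identifiers are constructed placeholders, not real advisories, and the gate rule (breach when either the v3 or the v2 score is at or above the threshold) is my reading of failOnCVSS.

```python
"""Summarise an OWASP Dependency-Check JSON report and apply a CVSS gate.

Added example for this post; not code from Dependency-Check or its Azure
DevOps task. The gate mirrors failOnCVSS as assumed here: a finding breaches
the threshold when its CVSS v3 base score or its CVSS v2 score is >= threshold.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Constructed sample in the shape of a Dependency-Check JSON report.
# Package names and CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "Dependency.Check"},
    "dependencies": [
        {
            "fileName": "Example.Json.dll",
            "packages": [{"id": "pkg:nuget/Example.Json@1.0.0"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}},
                {"source": "NVD", "name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {
            "fileName": "Example.Logging.dll",
            "packages": [{"id": "pkg:nuget/Example.Logging@2.0.0"}],
            # older entry carrying only a CVSS v2 score, as NVD still has for many CVEs
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-0000-0003", "severity": "HIGH",
                 "cvssv2": {"score": 7.5}},
            ],
        },
        # a clean dependency has no "vulnerabilities" key at all
        {"fileName": "Clean.Util.dll", "packages": [{"id": "pkg:nuget/Clean.Util@3.1.0"}]},
    ],
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    severity: str
    score: float


def vuln_score(vuln: dict) -> float:
    """Highest available CVSS score: v3 base score or v2 score, 0.0 if neither."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return max(float(v3 or 0.0), float(v2 or 0.0))


def extract_findings(report: dict) -> list[Finding]:
    """Flatten dependencies[].vulnerabilities[] into findings, highest score first."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(
                dependency=dep.get("fileName", "?"),
                cve=vuln.get("name", "?"),
                severity=str(vuln.get("severity", "UNKNOWN")).upper(),
                score=vuln_score(vuln),
            ))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def gate(findings: list[Finding], threshold: float) -> list[Finding]:
    """Findings at or above the threshold (same 'equal or higher' rule as failOnCVSS)."""
    return [f for f in findings if f.score >= threshold]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def exit_code(findings: list[Finding], threshold: float) -> int:
    """1 when the gate is breached, otherwise 0 (usable as the step's exit status)."""
    return 1 if gate(findings, threshold) else 0


def load_sample_report() -> dict:
    return json.loads(SAMPLE_REPORT)


def main(argv: list[str]) -> int:
    # Usage: python dc_gate.py [report.json] [threshold]; defaults: sample report, 8.0
    report = load_sample_report()
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    threshold = float(argv[2]) if len(argv) > 2 else 8.0
    findings = extract_findings(report)
    print(f"{len(findings)} finding(s): {summarize(findings)}")
    for f in findings:
        print(f"  {f.score:>4}  {f.severity:<8} {f.cve:<15} {f.dependency}")
    print(f"{len(gate(findings, threshold))} finding(s) at or above CVSS {threshold}")
    return exit_code(findings, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this would run as a script step after the Dependency-Check task, pointed at the JSON report path (for example `python3 dc_gate.py "$(Common.TestResultsDirectory)/dependency-check/dependency-check-report.json" 8`); a non-zero exit fails the step, which gives you the gate even while the scan task itself keeps continueOnError: true.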

Publish JUnit Tests Result

The task below publishes the JUnit report that Dependency-Check produced so it shows up in the Tests tab. Adjust testResultsFiles if needed: the task writes its reports under $(Common.TestResultsDirectory)/dependency-check, which resolves to $(Agent.BuildDirectory)/TestResults/dependency-check on the agent. If the publish step reports that no files matched, check the report directory in the Dependency-Check task log and correct the path.

  - task: PublishTestResults@2
    displayName: 'Publish Dependency Check Test Results'
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: '$(Agent.BuildDirectory)/TestResults/dependency-check/*junit.xml'
      mergeTestResults: true

Create the pipeline by choosing the existing pipeline YAML file, then run it to verify that it works.

[Image: Dependency-Check pipeline runs]

After the pipeline has run successfully, go to the Tests tab and check the results.

[Image: OWASP Dependency-Check test results in the Tests tab]

That's all for this post. Please share it with your co-workers and friends if you found it helpful, and leave your comments and suggestions. You can also collaborate with us; please check our collaboration page. Thank you!