CircleCI Orb for running the OWASP dependency check plugin for Maven and Gradle builds

License: European Union Public License 1.2 (EUPL-1.2)

owasp-orb

A CircleCI orb using OWASP Dependency Check to check for components with known security vulnerabilities. Supported variants: Gradle, Maven and the command line tool (see the sections below).

Usage

Import the orb

orbs:
  owasp: entur/owasp@0.0.x

where x is the latest version from the orb registry.

Default executor

To use the default executor, Docker Hub credentials must be set in the environment variables $DOCKERHUB_LOGIN and $DOCKERHUB_PASSWORD.

Gradle

Configure a job

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/gradle_owasp_dependency_check:
          executor: java_11
          context: global

Then add the OWASP Gradle plugin to your Gradle build:

plugins {
    id 'org.owasp.dependencycheck' version '6.5.1'
}

dependencyCheck {
    analyzedTypes = ['jar'] // the default artifact types that will be analyzed
    format = 'ALL' // CI tools usually need XML reports, but humans need HTML
    failBuildOnCVSS = 7 // fail the build if a CVSS score equal to or above this level is identified
    suppressionFiles = ["$projectDir/dependencycheck-base-suppression.xml"] // a list of suppression files listing known false positives
}

Details

The default OWASP plugin task is dependencyCheckAnalyze; to use another task, add a task parameter like so:

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/gradle_owasp_dependency_check:
          executor: java_11
          context: global
          task: dependencyCheckAggregate

where task is one of dependencyCheckAnalyze, dependencyCheckAggregate, dependencyCheckUpdate, and dependencyCheckPurge.

Alternatively, use the wrapped_gradle_steps command to customize further.

Maven

Configure a job

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/maven_owasp_dependency_check:
          executor: java_11
          context: global

Then add the OWASP Maven plugin to your Maven build:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.5.1</version>
    <configuration>
        <format>all</format>
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
    <executions>
        <execution>
            <!-- run only using explicit command -->
            <id>check</id>
            <phase>none</phase>
        </execution>
    </executions>
</plugin>

Details

The default OWASP plugin task is check; to use another task, add a task parameter like so:

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/maven_owasp_dependency_check:
          executor: java_11
          task: aggregate
          context: global

Maven multi-module projects

The dependency-check plugin is currently not able to resolve artifacts before they are built. If internal submodule dependencies cannot be reached in the build, add a few wrapped_pre_steps to build and install them first:

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/maven_owasp_dependency_check:
          executor: java_11
          context: global
          wrapped_pre_steps:
            - run: mvn install -Dmaven.test.skip=true

Alternatively, use the wrapped_maven_steps command to customize further.

Command Line Tool

Configure a job

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/commandline_owasp_dependency_check:
          executor: java_11
          context: global

Details

The default OWASP arguments are --scan ./; to pass other arguments, add an arguments parameter like so:

workflows:
  version: 2.1
  build:
    jobs:
      - owasp/commandline_owasp_dependency_check:
          executor: java_11
          arguments: "--scan ./ --failOnCVSS 7 --suppression ./dependency-check-suppressions.xml"
          context: global

See the arguments page for further details. Note that the --format, --data and --noupdate arguments are already appended by this orb (updating the database is performed in a separate, earlier step).

Use the no_output_timeout parameter to avoid the "Too long with no output (exceeded 10m0s): context deadline exceeded" error.
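The fragments above, drawn together into one complete .circleci/config.yml. This is an added example, not part of the orb's own documentation; the orb version placeholder (0.0.x), the executor name (java_11), the context name (global) and the parameter names are taken from the snippets on this page, while the suppression file path and the 20m timeout are constructed values for illustration.

```yaml
# Added example (not from the orb's documentation): one config.yml that
# imports the orb and runs both the Maven and the command line variant.
version: 2.1

orbs:
  owasp: entur/owasp@0.0.x   # replace x with the latest version from the orb registry

workflows:
  build:
    jobs:
      # Maven multi-module project: install the submodules first so the
      # dependency-check plugin can resolve internal artifacts, then run the
      # default check goal with the default data directory (must match the
      # <dataDirectory> in the pom.xml, see the Data directory section).
      - owasp/maven_owasp_dependency_check:
          executor: java_11
          context: global        # assumed to hold DOCKERHUB_LOGIN / DOCKERHUB_PASSWORD
          task: check
          cve_data_directory: ~/.m2/repository/org/owasp/dependency-check-data
          wrapped_pre_steps:
            - run: mvn install -Dmaven.test.skip=true

      # Command line tool: scan the checkout, fail on CVSS >= 7 and apply a
      # suppression file (constructed path). --format, --data and --noupdate
      # are appended by the orb itself and must not be repeated here.
      - owasp/commandline_owasp_dependency_check:
          executor: java_11
          context: global
          arguments: "--scan ./ --failOnCVSS 7 --suppression ./dependency-check-suppressions.xml"
          no_output_timeout: 20m     # constructed value; raise it if the database update is slow
```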

Caching

The OWASP plugin checks for updates to its database every four hours, and the orb caches the database at the following time granularities:

  • Year
  • Quarter (12 weeks)
  • Month (4 weeks)
  • Week
  • Day
  • 12 hours
  • 4 hours

So on each working day, the first build (in the morning) checks for updates, and the resulting cache lasts for four hours, with potential cache refreshes every four clock hours (at 9, 13, 17, 21 and so on). In other words, the OWASP plugin checks for updates whenever four hours have passed, and is able to persist those updates to the CircleCI cache within at most four hours - a compromise between time spent saving the cache and time spent checking for updates.

Data directory

Use the orb parameter cve_data_directory to configure a non-standard data directory. Note that for Gradle builds this is necessary for plugin versions <= 5.1.0.

Configuration examples (using default directories):

Gradle

dependencyCheck {
    data {
        // must correspond with the CircleCI configuration
        directory = System.properties['user.home'] + "/.gradle/dependency-check-data"
    }
}

for the cve_data_directory parameter value ~/.gradle/dependency-check-data.

Maven

<configuration>
    <!-- must correspond with the CircleCI configuration -->
    <dataDirectory>${user.home}/.m2/repository/org/owasp/dependency-check-data</dataDirectory>
</configuration>

for the cve_data_directory parameter value ~/.m2/repository/org/owasp/dependency-check-data.

Further reading

See the orb source or CircleCI orb registry for further details.