An all-in-one Docker image for OWASP DependencyCheck fully initialized with the NIST database of the day. You can use this image directly in your pipeline without having to download and wait for an initialized database.
Running DependencyCheck locally on your machine works fine, run it once it will download/initialize the cache, etc and the next time you run it, it will have the cache ready and it will run pretty fast.
However, when you want to use it in a CI environment things become a bit more complicated, you don't want to download the database each and every time. For one it takes time, second, if you do this too often it will result in HTTP/429 - too many requests. There are solutions available that include a database but then you still need to set up the central database, a quote from the website:
WARNING: This discusses an advanced setup and you may run into issues.
If you are already running in a CI environment running with Docker images you can also create a ready-to-go image that includes the database and includes the scanner.
This image was created based on a personal itch, setting it up in a pipeline took too much time, and running a Docker image on for example a Kubernetes cluster to which the client connects feels like too much effort to me.
- Easy to use
- Every day there is a new image waiting to be used in your CI environment
- No need to mount the directory which contains a copy of the database to run the Docker image it is all available in the image
- Scanner runs offline (database is contained in the image)
- Fast (no need to wait to download the CVEs)
- No need to set up a database with persistent storage etc to hold the configuration.
- No need to configure a central database as described here.
The Github actions for this project run every day the images will be tagged by date as follows: yyyyMMdd and latest will always point to today. This repository contains a trigger that will run each day at 0:00 UTC.
So make sure you are fine with running OWASP dependency check with a 1-day old database at max!
The image is at most 1 day old, if you need to update more often you cannot use this image. Make sure to discuss this upfront with your security team.
Use:
docker pull nbaars/owasp-dependency-check-as-one:latest
docker run -v ${HOME}/.m2:/home/owasp/.m2 -v ${PWD}/demo-project:/workspace nbaars/owasp-dependency-check-as-one:latest ./mvnw dependency:copy-dependencies && dependency-check --data /data --scan /workspace --noupdate
Important are the two mount points, the first one mounts the local .m2 directory, this will prevent DependencyCheck from downloading Maven artifacts over and over. When using a CI tool it is recommended to mount the .m2 cache. The project to be scanned is mapped in /workspace which is the working directory set in the Dockerfile.
You can pass any command-line option you are used to.
If your project includes a Maven wrapper you can run:
docker pull nbaars/owasp-dependency-check-as-one:latest
docker run -v ${HOME}/.m2/:/home/owasp/.m2 -v ${PWD}/demo-project:/workspace nbaars/owasp-dependency-check-as-one:latest ./mvnw org.owasp:dependency-check-maven:6.1.6:aggregate -DautoUpdate=false -DdataDirectory=/data
In your .gitlab-ci.yml add the following job:
OWASP dep check:
image: nbaars/owasp-dependency-check-as-one
stage: build
script:
# Download all dependencies so they are available for OWASP Dependency-Check
- ./mvnw $MAVEN_CLI_OPTS dependency:copy-dependencies
# Run the CLI and pass the current directory (automatically checked out by the Gitlab pipeline) as project to scan
# Other options can be passed depending on your project setup (https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html)
- dependency-check --data /data --scan ./ --noupdate --disableBundleAudit --disableRubygems --failOnCVSS 8
artifacts:
when: always
paths:
# Make the project available as artifact so you can view it
- "dependency-check-report.html"
expire_in: 1 week
Or with Maven:
OWASP maven:
image: nbaars/owasp-dependency-check-as-one
stage: build
script:
# Run dependency-check with Maven, other options can be passed see https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html
- ./mvnw $MAVEN_CLI_OPTS org.owasp:dependency-check-maven:6.1.6:aggregate -Dformat=ALL -DautoUpdate=false -DdataDirectory=/data -DfailBuildOnAnyVulnerability=true -DbundleAuditAnalyzerEnabled=false
artifacts:
when: always
paths:
# Make the project available as artifact so you can view it
- "target/dependency-check-report.html"
expire_in: 1 weekAn example can be found here
If you want to use this image in Github, use the following:
You can also use this image in your own Docker image you create to for example build your project. Copy the folder /dependency-check to your image. Make sure your base image does contain a JVM as Dependency Check needs it.
You can check the Dockerfile as this image uses a multistage as well.