Solutions Delivery Platform

OWASP Dependency Check

The OWASP Dependency Check library will use the namesake tool to scan a project’s source code to identify components with known vulnerabilities.

Steps Provided

Table 1. Steps
Step Description

application_dependency_scan()

Uses the OWASP Dependency Check CLI to perform an application dependency scan

Library Configuration Options

Table 2. Owasp Dependency Check Library Configuration Options
Field Description Default Value

scan

ArrayList of Ant style paths to scan

[ '.' ]

exclude

ArrayList of Ant style paths to exclude

[ ]

cvss_threshold

A number between 0 and 10, inclusive, representing the failure threshold for vulnerabilities

will never fail unless a threshold is provided

image_tag

The tag for the scanner docker image used

latest

Example Configuration Snippet

libraries{
  owasp_dep_check {
    scan_target = [ "src" ]
    cvss_threshold = 9
  }
}

Viewing The Reports

The application_dependency_scan step archives artifacts in multiple formats: HTML, JSON, JUnit XML, and CSV.

CVSS Threshold & Scores

From the Wikipedia article, "The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities …​ Scores range from 0 to 10, with 10 being the most severe"

The pipeline has the ability to fail if vulnerability is detected at or above a given threshold. This threshold is set with the cvss_threshold configuration option. For example, if cvss_threshold is set to 7, and a vulnerabily with a CVSS score of 7.5 is detected, the pipeline will fail. If the vulnerability remains, but the cvss_threshold is set to 9, the pipeline will pass the OWASP Dependency Check scan.

If you wish for the scan to pass regardless of the CVSS scores of detected vulnerabilities, do not set the cvss_threshold option.

Troubleshooting

FAQ