DEV Community

Cover image for Automatically scan your Project Dependencies for Vulnerabilities using Docker, Jenkins, ... (Part 2/2)
Jochen Rui
Jochen Rui

Posted on • Edited on

Automatically scan your Project Dependencies for Vulnerabilities using Docker, Jenkins, ... (Part 2/2)

Recap of Part 1

thanks for joining once again. In the last post I introduced the OWASP Dependency-Check tool briefly and discussed it's increasing helpfulness in today's Software Engineering world due to increasing integration of open source & third party code.


Summary

Today we will take a look at how we can easily integrate the Dependency-Check into our existing CI/CD Pipeline or how we can create a standalone Dockerfile to run the Dependency-Check on demand.


Tools / Requirements

As for knowledge it would be nice to have basic knowledge of how to run Dockerfiles but other than that there's not much required.

As for tools we will use:
Docker


Setup

For the Setup we'll start with the Dockerfile and then discuss how we can run it standalone or integrate it in an existing CI/CD pipeline.

Dockerfile

####################
# FRONTEND DEPENDENCIES
####################

# we install the frontend dependencies to create a node_modules directory
FROM node:14 as frontend_dependencies
COPY path/to/package.json /frontend
WORKDIR /frontend
RUN npm i && npm ci

####################
# INSTALL DEPENDENCY CHECK
####################

# we download the dependency-check zip & unzip it
FROM ubuntu:14.04 as dependency_check_install
RUN apt-get update \
    && apt-get install -y wget unzip \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

RUN wget https://github.com/jeremylong/DependencyCheck/releases/download/v6.5.2/dependency-check-6.5.2-release.zip \
    && unzip dependency-check-6.5.2-release.zip \
    && rm dependency-check-6.5.2-release.zip

####################
# RUN DEPENDENCY CHECK
####################

# we require a Java image here to run the dependency-check
FROM openjdk:18-alpine as dependency_check

# add yarn for dependency check to run without errors
RUN apk add yarn

# copy dependency-check from the previous stage
COPY --from=dependency_check_install /dependency-check /dependency-check

# copy frontend node modules from the previous stage
COPY --from=frontend_dependencies /frontend/node_modules /frontend/node_modules


# copy backend python files to be checked
COPY path/to/pythoncode/src /backend

# this line is optional. It's only necessary if you wish to run the Dependency-Check standalone
RUN /dependency-check/bin/dependency-check.sh --scan . --out ./report

Enter fullscreen mode Exit fullscreen mode

Dockerfile explanation

As for JS code we need to initialize the node_modules from the package.json first

As for the Python Backend code we need to copy the .py files over into the Docker container and use the experimental mode for Python.

By separating these steps into multiple Docker Stages we minimize the final Docker image size by excluding things such as node, wget and unzip.

Run Dependency-Check

The last line in the Dockerfile that's commented as Optional runs the Dependency-Check. If we want to run the Dependency-Check on demand outside a Pipeline we have to include this line here. It will scan all files in the directory and generate a report as HTML file.

We can also specify another Output format such as JSON, CSV, ... This may be helpful if we have an automatic Analyser in place who can process JSON or CSV files.

Jenkinsfile

If we want to include this Scan in a CI/CD Pipeline we would do it as follows in a Jenkinsfile example:

stage('Vulnerability Check') {
          stages {
            stage('OWASP dependency-check') {
              agent {
                dockerfile {
                  filename 'Dockerfile'
                }
              }
              steps {
                sh '/dependency-check/bin/dependency-check.sh --out ./report --scan /app --format HTML --format JSON --prettyPrint --enableExperimental --disableAssembly'
              }
              post {
                always {
                  archiveArtifacts "report/dependency-check-report.json"
                  archiveArtifacts "report/dependency-check-report.html"
                }
              }
            }
          }
        }
Enter fullscreen mode Exit fullscreen mode

Jenkinsfile explanation

We specify the Dockerfile to be run. Don't forget to remove the last optional line in the Dockerfile if you use this approach

Then we specify the command to be executed. The flags --format specify the outut format. The --enableExperimental flag enables python scanning.

Finally we archive the results, so that we can view them later on in Jenkins.


Output

the generated .html will list the vulnerabilities and general information about the scan

report.html view


Thank you for reading so far! :)

That's it for the little guide. If you have questions or anything is unclear feel free to leave a comment.

Also if you like this article or find it interesting be sure to leave a like or share it with people who might be interested in the topic :) It would help me a lot.

Top comments (0)