Known vulnerabilities in the software you build should be tracked down and removed. If they are not, an attacker may exploit them and steal your data. In a SurveyNow-commissioned survey conducted in 2019, “57% of respondents who reported a breach, said that they were breached due to a vulnerability”.
In 2017 Equifax failed to remove known vulnerabilities from systems built on Apache Struts, and millions of their customers lost their personal data. The problem is, it’s easier said than done. There are often other priorities on a project and, to make matters worse, our software solutions are often made from many sub-projects.
Consider how frequently you run such a report in your pipeline and whether to integrate it into your daily build. At a minimum, run it before every deployment to production.
npm audit classifies vulnerabilities by severity: Critical, High, Moderate, Low and Info. Any vulnerability classified as Critical or High should be investigated as soon as possible.
amalgamate.py gathers all the vulnerabilities found in a collection of npm audit JSON files and produces a single file that details every vulnerability, sorted by severity. The image below shows an example of the file that is produced.
The amalgamate.py script takes the following command line arguments.
- output, the file to write the amalgamated audit data to.
- type, the type of dependencies to report audit details on. This argument can be ‘devDependencies’, ‘dependencies’ or ‘both’.
- input, a comma-delimited list of the audit files to amalgamate.
We use OWASP dependency-check to detect known vulnerabilities in the Java code that we write. dependency-check is added to a Maven pom file using the plugin snippet shown below. Setting the plugin's format configuration to ALL generates html, json, xml and csv formatted reports.
dependency-check is executed as shown below.
amalgamate.py gathers all the vulnerabilities found in a collection of dependency-check JSON files and produces a single file that details the vulnerabilities found, sorted by severity. The image below shows an example of the file that is produced.
The amalgamate.py script takes the following command line arguments.
- output, the file to write the amalgamated dependency-check data to.
- input, a comma-delimited list of the dependency-check files to amalgamate.
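The two amalgamation passes above (npm audit files and dependency-check files) share the same job: flatten each tool's JSON report into one record per finding and order the records by severity. The script below is an added example written for this post, not the blog's own amalgamate.py or either tool's code. It assumes the npm 6-era audit layout (an `advisories` object whose findings carry a `dev` flag, which is what the script's `type` argument keys on) and the dependency-check JSON report layout (`dependencies` entries each listing `vulnerabilities` with a `name` and `severity`). The sample reports at the bottom are constructed; the ids, package names and versions in them are made up.

```python
"""Added example, not the blog's amalgamate.py: merge npm audit and OWASP
dependency-check JSON reports into one list ordered by severity."""
import json
from typing import List

# Shared ranking so findings from both tools sort together (higher first).
# npm audit uses critical/high/moderate/low/info; dependency-check uses
# CRITICAL/HIGH/MEDIUM/LOW. Assumption: MEDIUM ranks the same as moderate.
SEVERITY_RANK = {"critical": 5, "high": 4, "moderate": 3, "medium": 3,
                 "low": 2, "info": 1}


def severity_rank(severity: str) -> int:
    return SEVERITY_RANK.get(str(severity).lower(), 0)


def npm_audit_findings(report: dict, dep_type: str = "both") -> List[dict]:
    """Flatten an npm audit JSON report (npm 6 'advisories' layout, where each
    finding carries a 'dev' flag). dep_type mirrors the script's 'type'
    argument: 'devDependencies', 'dependencies' or 'both'."""
    records = []
    for advisory in report.get("advisories", {}).values():
        for finding in advisory.get("findings", []):
            is_dev = bool(finding.get("dev", False))
            if dep_type == "dependencies" and is_dev:
                continue
            if dep_type == "devDependencies" and not is_dev:
                continue
            records.append({
                "tool": "npm audit",
                "component": f"{advisory['module_name']}@{finding.get('version', '?')}",
                "id": str(advisory.get("id", "")),
                "title": advisory.get("title", ""),
                "severity": str(advisory.get("severity", "info")).lower(),
            })
    return records


def dependency_check_findings(report: dict) -> List[dict]:
    """Flatten a dependency-check JSON report: each scanned dependency lists
    its vulnerabilities with a 'name' (CVE id) and a 'severity'."""
    records = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            records.append({
                "tool": "dependency-check",
                "component": dep.get("fileName", "?"),
                "id": vuln.get("name", ""),
                "title": vuln.get("description", "")[:80],
                "severity": str(vuln.get("severity", "")).lower(),
            })
    return records


def amalgamate(npm_reports: List[dict], dc_reports: List[dict],
               dep_type: str = "both") -> List[dict]:
    records = []
    for report in npm_reports:
        records += npm_audit_findings(report, dep_type)
    for report in dc_reports:
        records += dependency_check_findings(report)
    # Most severe first; component name as tie-break keeps the output stable
    # between pipeline runs, so a diff of the archived report is meaningful.
    return sorted(records, key=lambda r: (-severity_rank(r["severity"]), r["component"]))


def render(records: List[dict]) -> str:
    header = f"{'SEVERITY':<9} {'TOOL':<17} {'COMPONENT':<28} {'ID':<18} TITLE"
    rows = [f"{r['severity']:<9} {r['tool']:<17} {r['component']:<28} {r['id']:<18} {r['title']}"
            for r in records]
    return "\n".join([header] + rows)


def load_reports(comma_delimited_paths: str) -> List[dict]:
    """Read the comma-delimited 'input' list the script accepts."""
    reports = []
    for path in filter(None, comma_delimited_paths.split(",")):
        with open(path, encoding="utf-8") as fh:
            reports.append(json.load(fh))
    return reports


# Constructed sample reports (ids, names and versions are made up).
SAMPLE_NPM_AUDIT = {"advisories": {
    "1": {"id": 1, "module_name": "example-lib", "severity": "high",
          "title": "Prototype pollution (constructed)",
          "findings": [{"version": "1.0.0", "dev": False}]},
    "2": {"id": 2, "module_name": "build-helper", "severity": "low",
          "title": "Regular expression denial of service (constructed)",
          "findings": [{"version": "2.1.0", "dev": True}]}}}
SAMPLE_DEPENDENCY_CHECK = {"dependencies": [
    {"fileName": "example-core-3.2.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL",
         "description": "Remote code execution via deserialisation (constructed)"},
        {"name": "CVE-PLACEHOLDER-2", "severity": "MEDIUM",
         "description": "Information disclosure (constructed)"}]}]}

if __name__ == "__main__":
    print(render(amalgamate([SAMPLE_NPM_AUDIT], [SAMPLE_DEPENDENCY_CHECK])))
```

Because the severity ranking is shared, one run of `amalgamate` can take the outputs of both tools at once, which is what the single Jenkins job described later needs; the `type` filter only applies to npm audit findings, since dependency-check has no equivalent dev/runtime distinction in its report.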
Construct a list of projects that you wish to analyse. For the sake of simplicity, we will call that list “projects”. The projects list can then be iterated within the pipeline code.
Join Audit Outputs
Create a comma-delimited list of audit output files.
Amalgamate Audit Files
Call amalgamate.py from npm-audit-amalgamate to amalgamate all the npm audit output files. The generated report is cat’ed to the console and archived.
The dependencyCheck function runs dependency-check-maven for each Java project, renames the output file and archives it. This code handles Jenkins slaves. Be careful not to use the Groovy “File” class in Jenkins pipeline code: it always accesses files on the Jenkins master, not on the agent running the job. Not that I spent hours working that out!
Join Dependency Check Outputs
Create a comma-delimited list of dependency-check output files.
Amalgamate Dependency Check Files
Call amalgamate.py from dependency-check-amalgamate to amalgamate all the dependency-check output files. The generated report is cat’ed to the console and archived.
Maven File Injection
Running dependency-check depends on a Maven pom file already being configured with the dependency-check plugin. One way to get around this requirement is to inject the plugin on the fly in the build job. The following steps show you how to do this.
Create a variable to hold the dependency-check plugin.
Remove any existing dependency-check plugin from the Maven pom file.
Inject the plugin variable into the pom file.
Update the pom file.
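The four injection steps above, carried through end to end, as an added example written for this post rather than the blog's Jenkins pipeline code. It also spells out the plugin snippet referred to earlier (the `org.owasp:dependency-check-maven` plugin with `<format>ALL</format>` and the `check` goal), which is the page's configuration; the plugin version is a placeholder to replace with the release you have vetted. The sample pom is constructed, and the script parses the XML rather than string-replacing so that a pom that already has a `<build>` or `<plugins>` section, or an older copy of the plugin, is handled correctly.

```python
"""Added example, not the blog's Jenkins pipeline code: inject the
dependency-check-maven plugin into a pom.xml so dependency-check can run on
projects that do not already configure it."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # serialise without ns0: prefixes


def q(tag: str) -> str:
    """Qualify a tag with the Maven POM namespace."""
    return f"{{{POM_NS}}}{tag}"


# Step 1: the plugin to inject, held in a variable. format ALL produces the
# html, json, xml and csv reports. The version is a placeholder; pin the
# release you have vetted.
DEPENDENCY_CHECK_PLUGIN = f"""<plugin xmlns="{POM_NS}">
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>PLACEHOLDER_VERSION</version>
  <configuration>
    <format>ALL</format>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>"""


def is_dependency_check(plugin: ET.Element) -> bool:
    artifact = plugin.find(q("artifactId"))
    return artifact is not None and (artifact.text or "").strip() == "dependency-check-maven"


def remove_dependency_check(plugins: ET.Element) -> int:
    """Step 2: drop any existing copy of the plugin; returns how many were removed."""
    stale = [p for p in plugins.findall(q("plugin")) if is_dependency_check(p)]
    for plugin in stale:
        plugins.remove(plugin)
    return len(stale)


def inject_dependency_check(pom_xml: str) -> str:
    """Steps 2 and 3: return the pom with exactly one dependency-check plugin,
    creating <build> and <plugins> if the project has neither."""
    root = ET.fromstring(pom_xml)
    build = root.find(q("build"))
    if build is None:
        build = ET.SubElement(root, q("build"))
    plugins = build.find(q("plugins"))
    if plugins is None:
        plugins = ET.SubElement(build, q("plugins"))
    remove_dependency_check(plugins)
    plugins.append(ET.fromstring(DEPENDENCY_CHECK_PLUGIN))
    return ET.tostring(root, encoding="unicode")


def count_dependency_check(pom_xml: str) -> int:
    root = ET.fromstring(pom_xml)
    return sum(1 for p in root.iter(q("plugin")) if is_dependency_check(p))


def update_pom_file(path: str) -> None:
    """Step 4: rewrite the pom on disk. Run this on the build agent's
    workspace copy, not through a master-side file handle."""
    with open(path, encoding="utf-8") as fh:
        updated = inject_dependency_check(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)


# Constructed sample: a pom that already carries an older copy of the plugin.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-service</artifactId>
  <version>1.0.0</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>OLD_PLACEHOLDER_VERSION</version>
      </plugin>
    </plugins>
  </build>
</project>"""

if __name__ == "__main__":
    print(inject_dependency_check(SAMPLE_POM))
```

After `update_pom_file` has run in the project's workspace, `mvn org.owasp:dependency-check-maven:check` (or `mvn verify`, since the goal is bound to an execution) runs the scan and writes the reports, which the pipeline then renames and archives as described above.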
Known vulnerabilities weaken the security of your software. New vulnerabilities are discovered by security researchers and used by attackers every day. Identifying and removing them does take effort, but it’s a relatively easy thing to do and makes a big difference to the security of your software.
You should also investigate other vulnerability detection tools in the market. Github.com and Snyk.io both offer tools to detect known vulnerabilities.
The scripts shared in this blog can help you build a single Jenkins build job that details the known vulnerabilities in your projects, as reported by the vulnerability databases used by both tools.
Written in conjunction with Steven Trotter, Software Engineer, Kainos.