Known Vulnerability Detection in Java and JavaScript code

Date posted: 5 June 2019
Reading time: 13 minutes
Author: Mark Torrens

Known vulnerabilities in the software you build should be tracked down and removed. If they are not, an attacker may exploit them and steal your data. In a recent ServiceNow commissioned survey, conducted in 2019, '57% of respondents who reported a breach, said that they were breached due to a vulnerability'.

Equifax failed in 2017 to remove known vulnerabilities from its Apache Struts-based systems, and millions of its customers lost their personal data. The problem is that removing known vulnerabilities is easier said than done. There are often competing priorities on a project and, to make matters worse, our software solutions are often made up of many sub-projects.

Some Kainos projects make use of npm audit and OWASP dependency-check to detect known vulnerabilities in JavaScript and Java projects respectively.  We have written simple scripts to amalgamate the reports from both npm audit and dependency-check to make the job of detecting known vulnerabilities easier.  In this post, we will explain how to make use of these scripts and how to integrate them into a Jenkins pipeline to build a known vulnerability report.

Consider how frequently to run such a report in your pipeline and whether to integrate it into your daily build. Whatever you decide, run the report before every deployment to production.

npm audit

We use npm audit to detect known vulnerabilities in JavaScript code. npm audit can produce JSON output using the syntax shown below.

[Image: npm audit invocation that produces JSON output]

npm audit assigns each vulnerability one of five severity classifications: Critical, High, Moderate, Low and Info. Any vulnerability classified as Critical or High should be investigated as soon as possible.

npm-audit-amalgamate

amalgamate.py gathers all the vulnerabilities found in a collection of npm audit JSON files and produces a single file listing every vulnerability, sorted by severity. The image below shows an example of the file that is produced.

[Image: example amalgamated npm audit report]

The amalgamate.py script takes the following command line arguments.

- output, the file to write the amalgamated audit data to.
- type, the type of dependencies to report audit details on. This argument can be 'devDependencies', 'dependencies' or 'both'.
- input, a comma delimited list of the audit files to amalgamate.

OWASP dependency-check



We use OWASP dependency-check to detect known vulnerabilities in the Java code that we write. dependency-check is added to a Maven pom file using the plugin snippet shown below. The format configuration ALL will generate HTML, JSON, XML and CSV formatted reports.

[Image: dependency-check-maven plugin snippet from the pom file]

dependency-check is executed as shown below.

[Image: command used to run dependency-check]

dependency-check-amalgamate

amalgamate.py gathers all the vulnerabilities found in a collection of dependency-check JSON files and produces a single file that details the vulnerabilities found, sorted by severity. The image below shows an example of the file that is produced.

[Image: example amalgamated dependency-check report]

The amalgamate.py script takes the following command line arguments.

- output, the file to write the amalgamated dependency-check data to.
- input, a comma delimited list of the dependency-check files to amalgamate.
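The two amalgamation steps above (npm audit JSON and dependency-check JSON, each flattened and sorted by severity) can be shown in one script. The block below is an added example, not the Kainos amalgamate.py scripts: it reads both report layouts, which are assumptions documented on each parser (the npm 6 "advisories" layout with a per-finding dev flag, and dependency-check's top-level "dependencies" array), merges them into one list with Critical at the top, and applies the npm script's 'type' filter. The sample reports, package names and CVE identifiers are constructed placeholders.

```python
"""Merge npm audit JSON and OWASP dependency-check JSON into one list sorted
by severity. Added example; it is not the Kainos amalgamate.py scripts and
the two JSON layouts it reads are assumptions documented on each parser."""
import json
from typing import Dict, Iterable, List

# Worst first. npm's "moderate" and dependency-check's "MEDIUM" share a rank.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def normalise_severity(raw: str) -> str:
    """Lower-case a tool's severity label and fold MEDIUM onto moderate."""
    label = (raw or "info").lower()
    return "moderate" if label == "medium" else label


def npm_audit_findings(report: Dict, project: str, dep_type: str = "both") -> List[Dict]:
    """Flatten an npm audit --json report (npm 6 'advisories' layout, assumed:
    each advisory carries module_name, severity, title, cves and a findings
    list whose entries have version and a dev flag). dep_type mirrors the
    script's 'type' argument: 'dependencies', 'devDependencies' or 'both'."""
    records = []
    for advisory in report.get("advisories", {}).values():
        for finding in advisory.get("findings", []):
            is_dev = bool(finding.get("dev", False))
            if dep_type == "dependencies" and is_dev:
                continue
            if dep_type == "devDependencies" and not is_dev:
                continue
            records.append({
                "project": project,
                "tool": "npm audit",
                "package": f"{advisory['module_name']}@{finding.get('version', '?')}",
                "severity": normalise_severity(advisory.get("severity")),
                "title": advisory.get("title", ""),
                "ids": advisory.get("cves") or [f"npm-advisory-{advisory.get('id')}"],
            })
    return records


def dependency_check_findings(report: Dict, project: str) -> List[Dict]:
    """Flatten a dependency-check JSON report (assumed layout: a top-level
    'dependencies' array whose entries carry fileName and an optional
    'vulnerabilities' array with name, severity and description)."""
    records = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            records.append({
                "project": project,
                "tool": "dependency-check",
                "package": dep.get("fileName", "?"),
                "severity": normalise_severity(vuln.get("severity")),
                "title": (vuln.get("description") or "")[:80],
                "ids": [vuln.get("name", "?")],
            })
    return records


def amalgamate(records: Iterable[Dict]) -> List[Dict]:
    """Order merged records by severity, then project and package."""
    return sorted(records, key=lambda r: (SEVERITY_RANK.get(r["severity"], 99),
                                          r["project"], r["package"]))


def blocking_findings(records: Iterable[Dict]) -> List[Dict]:
    """The Critical and High findings the post says to investigate first."""
    return [r for r in records if r["severity"] in ("critical", "high")]


def write_report(records: List[Dict], path: str) -> None:
    """Write the amalgamated list as JSON, the single file the post describes."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)


# Constructed sample reports in the two assumed layouts. Package names and
# CVE identifiers are placeholders, not real advisories.
SAMPLE_NPM = {"advisories": {
    "1": {"id": 1, "module_name": "sample-lib", "severity": "high", "cves": [],
          "title": "Regular expression denial of service",
          "findings": [{"version": "3.0.0", "dev": False}]},
    "2": {"id": 2, "module_name": "sample-util", "severity": "low",
          "cves": ["CVE-0000-0002"], "title": "Prototype pollution",
          "findings": [{"version": "4.1.0", "dev": True}]},
}}
SAMPLE_DC = {"dependencies": [
    {"fileName": "sample-core-1.0.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "CRITICAL", "description": "Remote code execution"},
        {"name": "CVE-0000-0003", "severity": "MEDIUM", "description": "Information disclosure"}]},
    {"fileName": "sample-io-2.6.jar"},
]}


def demo_report(dep_type: str = "both") -> List[Dict]:
    """Merge the constructed samples for one JavaScript and one Java project."""
    return amalgamate(npm_audit_findings(SAMPLE_NPM, "web-frontend", dep_type)
                      + dependency_check_findings(SAMPLE_DC, "api-service"))


if __name__ == "__main__":
    report = demo_report()
    write_report(report, "known-vulnerabilities.json")
    for r in report:
        print(f"{r['severity']:<9} {r['project']:<13} {r['package']:<22} {', '.join(r['ids'])}")
```

The 'type' filter only applies to the npm records, because dependency-check reports carry no dev/runtime distinction; the dependency-check findings are always included. blocking_findings is the check a pipeline can gate on: if it returns anything, the report contains Critical or High entries that the post says to investigate first.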



Jenkins Integration

These scripts have real value when used in a Jenkins build pipeline. One build job can deliver a single known vulnerability report for all your Java and JavaScript projects. The following code snippets, written in Groovy, will help you deliver a working Jenkins pipeline.

Construct a list of the projects that you wish to analyse. For the sake of simplicity, we will call that list 'projects'. The pipeline code can then iterate over the projects list.

Audit

The audit function calls npm audit and archives the resulting output for each JavaScript project.
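The collection step that the audit function performs, iterating the projects list, running the tool in each project directory and keeping one JSON file per project for archiving, is shown below as an added Python example. It is not the post's Groovy and goes a little further than the post's audit function by handling the Java projects too. The project list, directory layout and report names are constructed; the command runner is injectable, with a dry-run stand-in, so the collection logic can be exercised on a machine without npm or Maven.

```python
"""Collect one audit JSON file per project, the job the post's Jenkins
'audit' function does for JavaScript projects, extended here to the Java
projects as well. Added example, not the post's Groovy."""
import json
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Dict, List

# Constructed project list; the post calls this list 'projects'.
PROJECTS = [
    {"name": "web-frontend", "path": "/srv/build/web-frontend", "kind": "javascript"},
    {"name": "api-service", "path": "/srv/build/api-service", "kind": "java"},
]

# Where dependency-check-maven writes its JSON report when the pom asks for format ALL.
DC_REPORT = os.path.join("target", "dependency-check-report.json")


def audit_command(project: Dict) -> List[str]:
    """npm audit --json for JavaScript projects; the dependency-check Maven goal for Java."""
    if project["kind"] == "javascript":
        return ["npm", "audit", "--json"]
    return ["mvn", "-B", "org.owasp:dependency-check-maven:check"]


def run_real(cmd: List[str], cwd: str) -> subprocess.CompletedProcess:
    """Run the tool for real. check=False matters: npm audit exits non-zero
    whenever it finds vulnerabilities, and that must not abort collection."""
    return subprocess.run(cmd, cwd=cwd, capture_output=True, text=True, check=False)


def run_dry(cmd: List[str], cwd: str) -> subprocess.CompletedProcess:
    """Dry-run stand-in for machines without npm or Maven: emits an empty
    npm audit report on stdout, or writes an empty dependency-check report."""
    if cmd[0] == "npm":
        return subprocess.CompletedProcess(cmd, 0, json.dumps({"advisories": {}}), "")
    os.makedirs(os.path.join(cwd, "target"), exist_ok=True)
    with open(os.path.join(cwd, DC_REPORT), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": []}, fh)
    return subprocess.CompletedProcess(cmd, 0, "", "")


def collect_audits(projects: List[Dict], report_dir: str,
                   run: Callable[[List[str], str], subprocess.CompletedProcess] = run_real
                   ) -> Dict[str, str]:
    """Audit every project and return {project name: path of its JSON report},
    ready to be archived and fed to the amalgamation scripts."""
    os.makedirs(report_dir, exist_ok=True)
    outputs: Dict[str, str] = {}
    for project in projects:
        result = run(audit_command(project), project["path"])
        if project["kind"] == "javascript":
            # npm puts the report on stdout; make sure it is JSON before keeping it.
            try:
                json.loads(result.stdout)
            except json.JSONDecodeError as exc:
                raise RuntimeError(f"npm audit for {project['name']} gave no JSON: {result.stderr}") from exc
            dest = os.path.join(report_dir, f"{project['name']}-npm-audit.json")
            with open(dest, "w", encoding="utf-8") as fh:
                fh.write(result.stdout)
        else:
            # Maven writes the report to disk; a failed goal or missing file is an error.
            src = os.path.join(project["path"], DC_REPORT)
            if result.returncode != 0 or not os.path.exists(src):
                raise RuntimeError(f"dependency-check for {project['name']} produced no report")
            dest = os.path.join(report_dir, f"{project['name']}-dependency-check.json")
            shutil.copyfile(src, dest)
        outputs[project["name"]] = dest
    return outputs


def demo_collect() -> Dict[str, str]:
    """Exercise collect_audits with the dry-run runner in a temporary tree;
    returns {project name: report file name}."""
    with tempfile.TemporaryDirectory() as root:
        projects = [dict(p, path=os.path.join(root, p["name"])) for p in PROJECTS]
        for p in projects:
            os.makedirs(p["path"], exist_ok=True)
        paths = collect_audits(projects, os.path.join(root, "reports"), run=run_dry)
        return {name: os.path.basename(path) for name, path in paths.items()}


if __name__ == "__main__":
    print(demo_collect())
```

The same exit-code point applies inside a Jenkins sh step: npm audit returns a non-zero status when it finds vulnerabilities, so capture its output with returnStatus: true (or equivalent) rather than letting the stage fail before the JSON is archived. dependency-check-maven behaves the other way round and does not fail the build by default (its failBuildOnCVSS threshold defaults to 11), so a missing or empty report has to be checked for explicitly, as collect_audits does.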



[Image: Groovy audit function from the Jenkins pipeline]

References

https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/analyst-report/ponemon-state-of-vulnerability-response.pdf

https://github.com/KainosSoftwareLtd/npm-audit-amalgamate

https://github.com/KainosSoftwareLtd/dependency-check-amalgamate

https://docs.npmjs.com/cli/audit

https://www.owasp.org/index.php/OWASP_Dependency_Check

About the author

Mark Torrens