I will start this blog post with what OWASP is, continue with the OWASP Top 10 list of known security risks, and then walk through an example Azure DevOps pipeline that runs OWASP Dependency Check.
The OWASP Top 10 is a standard awareness document for developers and web application security, globally recognized by developers as the first step towards more secure coding.
The next OWASP Top 10 is due to be published this year, 2025; the editions so far (2013, 2017, 2021) follow a four-year cycle. The OWASP Top 10 websites are https://owasp.org/Top10/ and https://www.owasptopten.org/, and the GitHub repo is https://github.com/OWASP/Top10.
What is OWASP Dependency Check?
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that identifies a project's dependencies and checks whether any of them contain known, publicly disclosed vulnerabilities, primarily by matching them against the NVD (National Vulnerability Database). Java and .NET are fully supported; experimental support exists for Ruby, Node.js and Python, and there is limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to OWASP Top 10 2017 A9 "Using Components with Known Vulnerabilities" (the same item under the same name in the 2013 list), which the 2021 edition renamed to A06 "Vulnerable and Outdated Components". Note that it only finds vulnerabilities that have already been disclosed and catalogued; it does not find unknown flaws in your dependencies or in your own code.
The OWASP Dependency Check Azure DevOps Extension enables the following features in an Azure Build Pipeline:
- Software composition analysis runs against package references during build on both Windows and Linux build agents.
- Export vulnerability data to HTML, JSON, XML, CSV, JUnit formatted reports
- Download vulnerability reports from the build's artifacts
The OWASP Dependency Check Azure DevOps Extension can be added to your Azure DevOps organization from the Marketplace: https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck. The GitHub repo is https://github.com/dependency-check/azuredevops. It is a free tool.
I searched for the OWASP Dependency Check Azure DevOps Extension in the Marketplace and added it to my Azure DevOps organization.
It is better to request an NVD API key (https://nvd.nist.gov/developers/api-key-requested). After you fill in the form, NIST sends the key by e-mail. Dependency Check downloads and updates its local copy of the NVD data on every run, and NVD rate-limits unauthenticated clients far more aggressively than clients with a key, so without an API key the check took over 15 minutes. Adding the API key shortened the Dependency Check runtime considerably.
After adding the extension, I first added the Dependency Check task to my WinampToSpotify Classic Pipeline. In the Classic Pipeline editor, search for "dependency" and add the task to the pipeline.
The OWASP Dependency Check task currently runs on .NET 8, so make sure your pipeline includes .NET 8 by adding a Use .NET (UseDotNet) task with version "8.x" before it.
It took 3 minutes 22 seconds to finish Dependency Check.
From the Classic Pipeline editor we can view the YAML version of the OWASP Dependency Check task.
For a YAML pipeline we need to store the NVD API key as a secret variable (or in a variable group backed by Azure Key Vault) so that the key is not revealed in the pipeline definition or in the build log. Secret variables are masked in the log and are not exported to the environment automatically, so pass it to the task as an input with $(myNvdApiKey) in the YAML file.
Below are the YAML changes needed to add OWASP Dependency Check. The first task installs .NET 8; the second task is the Dependency Check task itself.
```yaml
# Install the .NET 8 SDK that the Dependency Check task needs to run.
- task: UseDotNet@2
  displayName: 'Use .NET Core sdk 8.x'
  inputs:
    version: 8.x
# Run the SCA scan against the project folder; the API key comes from a secret pipeline variable.
- task: dependency-check.dependencycheck.dependency-check-build-task.dependency-check-build-task@6
  displayName: 'Dependency Check'
  inputs:
    projectName: WinamptoSpotifyWeb
    scanPath: WinamptoSpotifyWeb
    nvdApiKey: $(myNvdApiKey)
```
A successful YAML-based pipeline run is shown above. The full YAML file is at https://github.com/atahanceylan/WinamptoSpotifyWeb/blob/master/WinamptoSpotify.yml if you want to have a look.
The Dependency Check report can be found under the build's Artifacts. I generated the report in HTML format, but the task also supports JSON, XML, CSV and JUnit formats.
The HTML report can be viewed in a browser. My report is at https://github.com/atahanceylan/WinamptoSpotifyWeb/blob/master/dependency-check-report.html
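The HTML report is for humans. If you also emit the JSON format you can gate the build on it in a script, which is handy when you want to suppress specific CVE ids or print a short summary in the log. The task itself has a failOnCVSS input for the simple case; the script below is an added example of my own, not code from the original post or from the Dependency-Check project. It assumes the JSON report layout as documented for Dependency-Check (dependencies[].vulnerabilities[] with name, severity, cvssv3.baseScore or cvssv2.score); the sample report embedded in it is constructed, with placeholder CVE identifiers.

```python
"""Gate a build on an OWASP Dependency-Check JSON report.

Added example, not part of the original post or the Dependency-Check project.
Assumes the task was run with the JSON report format. Field names follow the
Dependency-Check JSON report schema (dependencies[].vulnerabilities[].name,
.severity, .cvssv3.baseScore, .cvssv2.score). SAMPLE_REPORT is constructed
test data with placeholder CVE ids, not real findings.
"""
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    severity: str
    score: float


def vulnerability_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to CVSS v2, else 0.0.
    NVD entries may carry one or both vectors, so handle either."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def findings_from_report(report: dict) -> list[Finding]:
    """Flatten the nested report into one Finding per (dependency, CVE)."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            out.append(Finding(
                dependency=dep.get("fileName", "?"),
                cve=vuln.get("name", "?"),
                severity=str(vuln.get("severity", "")).upper(),
                score=vulnerability_score(vuln),
            ))
    return out


def failing_findings(findings, threshold: float, suppressed=()) -> list[Finding]:
    """Findings at or above the CVSS threshold, minus explicitly suppressed CVE ids.
    Same rule as the task's failOnCVSS input: score >= threshold fails the build."""
    return [f for f in findings if f.score >= threshold and f.cve not in suppressed]


def gate(report_json: str, threshold: float = 7.0, suppressed=()) -> tuple[int, list[Finding]]:
    """Return (exit code, failing findings sorted by descending score)."""
    findings = findings_from_report(json.loads(report_json))
    bad = sorted(failing_findings(findings, threshold, suppressed), key=lambda f: -f.score)
    return (1 if bad else 0), bad


# Constructed sample report; CVE ids are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "WinamptoSpotifyWeb"},
    "dependencies": [
        {"fileName": "Example.Web.dll",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
         ]},
        {"fileName": "Legacy.Parser.dll",
         "vulnerabilities": [
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}},
             {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
         ]},
        {"fileName": "Clean.dll"},
    ],
})


if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json [threshold]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    code, bad = gate(text, threshold=threshold)
    for f in bad:
        print(f"{f.cve} {f.severity} CVSS {f.score} in {f.dependency}")
    sys.exit(code)
```

Run it as a script task after the Dependency Check task, pointing it at the JSON report in the reports directory; a non-zero exit fails the job. Keep the suppression list in source control alongside any Dependency-Check suppression XML so that accepted risks are reviewed like code.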