OWASP Dependency Check is a great tool for checking the third-party dependencies of Java (web) applications. Besides using it as a command line tool, Maven plugin or Ant task, you should integrate it into all your Jenkins build jobs.
One downside is that, by default, every build job downloads and regularly updates its own copy of the National Vulnerability Database. To improve that, I recommend creating an update-only job that runs daily. To do so, create a freestyle project and add Invoke OWASP Dependency-Check NVD update only as a build step:
Enter a data directory that will be shared by every job. Give this job a build trigger so that it runs periodically (for example @daily). Now save and run the job.
After that you need to activate OWASP Dependency Check on every build you like. To do that, open each job configuration and add Invoke OWASP Dependency-Check analysis as a post-build step:
Click the Advanced button and enter the data directory configured in the update job. Remember to tick the Disable NVD auto-update checkbox, since all updates are done by the update job. Now add Publish OWASP Dependency-Check analysis results and configure the status thresholds as you like. Since developers tend to hate failing jobs, I recommend configuring warning thresholds only:
Time to save and run your job. As with any (security) scan results: these lists tend to contain false positives, so verify each finding!
This configuration keeps job execution fast and minimizes the time spent updating the National Vulnerability Database. Besides that, it reduces the required disk space by using only one common database.
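The same setup expressed as Jenkins Pipeline jobs, added here as an example and not part of the original post or the plugin's documentation. It assumes the newer Dependency-Check plugin's pipeline steps (`dependencyCheck`, `dependencyCheckPublisher`), a tool installation named `dependency-check`, a Maven build, and a placeholder path for the shared data directory.

```groovy
// --- Jenkinsfile 1: the update-only job (runs daily, fills the shared data directory) ---
pipeline {
    agent any
    triggers { cron('@daily') }          // same periodic trigger as the freestyle update job
    environment {
        ODC_DATA = '/var/lib/jenkins/dependency-check-data'  // placeholder: shared data directory
    }
    stages {
        stage('Update NVD') {
            steps {
                // --updateonly refreshes the NVD data in ODC_DATA and performs no scan
                dependencyCheck additionalArguments: "--updateonly --data ${ODC_DATA}",
                                odcInstallation: 'dependency-check'
            }
        }
    }
}

// --- Jenkinsfile 2: an application build job (analysis only, never updates the NVD) ---
pipeline {
    agent any
    environment {
        ODC_DATA = '/var/lib/jenkins/dependency-check-data'  // must match the update job
    }
    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('Dependency Check') {
            steps {
                // --noupdate is the pipeline equivalent of the "Disable NVD auto-update" checkbox
                dependencyCheck additionalArguments: "--scan . --format XML --noupdate " +
                                                     "--data ${ODC_DATA} --project ${JOB_NAME}",
                                odcInstallation: 'dependency-check'
            }
            post {
                always {
                    // warning thresholds only: high/critical findings mark the build UNSTABLE,
                    // never FAILED, so developers still see the report without a broken build
                    dependencyCheckPublisher pattern: '**/dependency-check-report.xml',
                                             unstableTotalCritical: 0,
                                             unstableTotalHigh: 0
                }
            }
        }
    }
}
```

Because only the first job ever writes to the data directory, all analysis jobs read a consistent database and none of them spend build time on NVD downloads.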
Comments
One response to “Using OWASP Dependency Check as Jenkins plugin”
This is exactly what I have been doing for more than a year already. I am quite happy with the tool and we have already spotted some issues, where we just updated the library. Thanks for the write-up!