Containerizing OWASP Dependency Check Security Tool

Deshani Geethika Poddenige
Dec 1, 2017 (4 min read)

Introduction

OWASP Dependency-Check is a utility that identifies a project's dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. It can be run from the Dependency-Check CLI, integrated into a project's pom.xml as a Maven plugin, or invoked directly through the Maven command for that plugin. Here, a containerized Dependency Check (DC) scanner is created, so that a user only has to supply a zip file or the GitHub URL of a project's source code. The container then scans the source and provides access to the generated report through an API.

Note: This container is designed to be managed by the Automation Manager API. Therefore, the "user" of this container is the Automation Manager API.

Docker Image

The containerized Dependency Check scanner exposes a microservice API to outside applications. A scan is initiated by calling the API with the GitHub URL or a zip file of the project source code. The dependencies required by the Docker image follow from that:

  1. The base image should be Ubuntu, as some Linux commands (git, unzip, etc.) need to be executed
  2. The jar file of the microservice (the jar that is executed to start the microservice) is taken from a GitHub repository, so a git clone has to be performed; hence Git must be installed in the image
  3. Executing the jar file requires a JDK, and the scan itself is run through Maven, so both a JDK and Maven must be installed in the image
  4. Maven is downloaded with wget, so wget is required
  5. The JDK is downloaded as an archive file, so unzip is required

Let's get into the details.

The Dockerfile of the Dependency Check scanner has the following specification:

  • Base image: Ubuntu 16.04
  • Install wget, git and unzip
  • Download and install Apache Maven 3.3.9
  • Download JDK 1.8 (accepting the Oracle license), install it and configure symbolic links for the java and javac executables
  • Clone the Micro Service App — Static Scanner — DC repository, which contains the jar file, from GitHub
  • Change the work directory to the cloned repository
  • Define the container startup command as executing the jar file

Building the Dockerfile produces a Docker image with the following features:

  • An Ubuntu 16.04 environment with wget, git, unzip, Java and Maven installed
  • The Micro Service App — Static Scanner — DC jar file, cloned from GitHub

Running the image with a port mapping creates a Docker container with the following features:

  • When the container starts, the Micro Service App — Static Scanner — DC jar file is executed and the service is hosted on a predefined port (the port can also be set manually at container run time). Since the API triggers cloning and building of whatever source it is given, the mapped port should only be reachable by Automation Manager, not exposed publicly.
  • Micro Service App — Static Scanner — DC is a microservice application, so HTTP requests can be sent to it to extract a zip file or clone project source from GitHub and run Dependency Check
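As an added example (this is not the project's own Dockerfile, which the post does not reproduce), here is a Dockerfile that follows the specification above. The repository URL, jar path and the port property are placeholders passed as build arguments and environment variables; Maven 3.3.9 and JDK 8 are installed from Ubuntu 16.04's apt packages instead of being downloaded with wget, and the service runs as an unprivileged user because a scan executes the scanned project's own Maven build.

```dockerfile
# Added example Dockerfile for the Dependency Check scanner container.
# Assumptions: MICROSERVICE_REPO, MICROSERVICE_JAR and SCANNER_PORT are
# placeholders; Maven/JDK come from apt (xenial ships Maven 3.3.9 and OpenJDK 8).
FROM ubuntu:16.04

# Placeholder repository of the microservice (assumed, not the real URL).
ARG MICROSERVICE_REPO=https://github.com/example/static-scanner-dc.git
# Placeholder path of the jar inside the cloned repository (assumed).
ENV MICROSERVICE_JAR=static-scanner-dc.jar
# Port the service listens on; can be overridden with `docker run -e`.
ENV SCANNER_PORT=8080

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        wget git unzip ca-certificates openjdk-8-jdk-headless maven && \
    rm -rf /var/lib/apt/lists/*

# The scan runs `mvn ... dependency-check-maven:check` on untrusted source,
# which executes that project's build plugins, so never run it as root.
RUN useradd --create-home --shell /bin/bash scanner
USER scanner
WORKDIR /home/scanner

# Clone the microservice (including its jar) and make it the work directory.
RUN git clone --depth 1 "$MICROSERVICE_REPO" static-scanner-dc
WORKDIR /home/scanner/static-scanner-dc

EXPOSE 8080
# Startup command: run the jar. The server.port property name is an assumption
# about how the jar learns its port.
CMD ["sh", "-c", "exec java -Dserver.port=\"$SCANNER_PORT\" -jar \"$MICROSERVICE_JAR\""]
```

Build with `docker build -t dc-scanner .` and start it with the port mapped only on the loopback interface (or an internal network reachable by Automation Manager), e.g. `docker run -d -p 127.0.0.1:8080:8080 dc-scanner`.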

Dependency Check Micro Service

When a container starts up, this microservice is also started, providing an API that can be called to run a Dependency Check scan.

Initiating a Scan

Automation Manager uploads a zip file of the project source code or gives the GitHub URL of the project source code. (If a specific branch or tag is to be cloned, the URL of that branch or tag has to be given.)

  1. Validate the request.
  2. If the project source code is given as a zip file, it is uploaded to the container and extracted. Entries with absolute paths or ".." components should be rejected before extraction, otherwise an archive can write outside the work directory.
  3. If the GitHub URL of the project source code is given, the repository is cloned. If a specific branch or tag is to be cloned, the URL for that branch or tag needs to be given. For a private repository, a username and password must also be supplied; they should be handed to git through a credential helper rather than embedded in the URL, where they end up in logs and in .git/config.
  4. The source code is built with the Maven command "mvn org.owasp:dependency-check-maven:check", which runs Dependency Check. This executes the scanned project's own build, including any plugins declared in its pom.xml, so it must run inside the container as an unprivileged user and be treated as untrusted-code execution.
  5. After the build completes successfully, the scan reports have been generated.
  6. When scanning a project with multiple pom.xml files (a multi-module project), several reports with the same name are generated inside separate target directories. Therefore all reports are renamed (after their module) and moved to a single new folder.
  7. After each task completes, a notification is sent back to Automation Manager (e.g. file uploaded, file extracted, cloned). So once the report is ready, a notification is sent to Automation Manager.
  8. The microservice provides an API to get the generated report, which Automation Manager calls to retrieve it.
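The following shell script is an added example of the scan procedure above (steps 1 to 8); it is not the project's microservice code. The work directory layout and the notify() hook, which here only prints the event instead of calling Automation Manager, are assumptions.

```bash
#!/usr/bin/env bash
# Added example: the Dependency Check scan procedure as a shell script.
# Assumptions: WORKDIR layout and the notify() stand-in are not the project's.
set -euo pipefail

WORKDIR="${WORKDIR:-/home/scanner/work}"

# Step 7: notification hook. Stand-in that prints the event; the real service
# would post it to Automation Manager.
notify() { printf 'event: %s\n' "$1"; }

# Step 1: validate the request. Accept an https GitHub URL or an existing zip.
validate_request() {
  case "$1" in
    https://github.com/*/*) return 0 ;;
    *.zip) [ -f "$1" ] && return 0 ;;
  esac
  return 1
}

# Zip-slip guard: reject archive entries that could escape the work directory.
is_unsafe_entry() {
  case "$1" in
    /*|..|../*|*/..|*/../*) return 0 ;;
  esac
  return 1
}

# Steps 2/3: obtain the source tree in $2 from a zip file or a GitHub URL.
fetch_source() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  case "$src" in
    *.zip)
      unzip -Z1 "$src" | while IFS= read -r entry; do
        if is_unsafe_entry "$entry"; then
          echo "refusing zip entry: $entry" >&2; exit 1
        fi
      done
      unzip -q "$src" -d "$dest"
      notify extracted
      ;;
    *)
      # Branch/tag is part of the URL; private-repo credentials should come
      # from a git credential helper, never from the URL itself.
      git clone --depth 1 "$src" "$dest"
      notify cloned
      ;;
  esac
}

# Steps 4/5: run the plugin. This executes the project's own build plugins,
# so the container runs it as an unprivileged user.
run_scan() {
  ( cd "$1" && mvn -q -B org.owasp:dependency-check-maven:check )
}

# Step 6: multi-module builds produce identically named reports in each
# module's target directory; rename them after the module path and collect.
collect_reports() {
  src="$1"; out="$2"
  mkdir -p "$out"
  find "$src" -path '*/target/dependency-check-report.*' -type f |
  while IFS= read -r report; do
    rel="${report#"$src"/}"
    case "$rel" in
      target/*) module=root ;;
      *) module="${rel%/target/*}" ;;
    esac
    ext="${report##*.}"
    cp "$report" "$out/$(printf '%s' "$module" | tr '/' '_').$ext"
  done
  notify report-ready
}

# Steps 1 to 8 for one request: $1 is the URL or zip path, $2 a scan id.
scan() {
  req="$1"; id="$2"
  validate_request "$req" || { echo "invalid request: $req" >&2; return 1; }
  fetch_source "$req" "$WORKDIR/$id/src"
  run_scan "$WORKDIR/$id/src"
  collect_reports "$WORKDIR/$id/src" "$WORKDIR/$id/reports"
  # Step 8: the service's report API serves files from $WORKDIR/$id/reports.
}
```

Run it as `scan https://github.com/owner/repo 42` (or with a path to an uploaded zip); the renamed reports for scan 42 end up in a single reports folder, one per module, with the root pom's report named root.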

Activity Diagram of Dependency Check Micro Service

Deshani Geethika Poddenige

PhD Candidate @Unimelb | Ex-Senior Software Engineer @SyscoLABS | Apache Committer and PMC Member @Apache Allura | Ex-Software Engineering Intern @WSO2