It seems like more often we hear stories of another security breach at our favorite retailer, bank, or some place that has our sensitive data. Any organization that has been entrusted to protect sensitive information should have solid security practices in place. Once a hacker has accessed your system it’s all over. The most expensive networking devices and security software can only go so far, and the smart ones know how these things work. The same applies to the third-party components you’re including in your software.
The National Vulnerability Database (NVD) has a plethora of information about known security vulnerabilities. You could have someone occasionally review the list of dependencies in your application and compare it the content in the NVD, but is that really a good use of time? What happens if that review is after that really insecure service goes to production and now all of your customer data is at risk?
Luckily there are some tools to help you catch these issues as soon as they are added to the dependencies block of your Gradle, Maven, or event Ant build. The OWASP Dependency-Check plugin allows you to scan project dependencies and compare against the published vulnerabilities in the NVD.
This is a quick and easy plugin to integrate into your CI pipeline and run for everything build. Once you add the plugin dependency to your build script, there are some configurations available to cause the build to fail. The plugin only allows for failing a build on a CVSS value threshold, but also allows for marking false positives by adding text to an XML file. If you need more detailed control or a more feature rich solution, the Sonatype Nexus Lifecycle is a great solution.
Once you’ve run the dependency scan a report is generated in HTML and is also consumable in Jenkins using the OWASP Dependency-Check Plugin. This basic scan is a quick and easy way to see where your application stands in regards to vulnerabilities from your dependencies. You don’t know what you don’t know and the hackers are going to find.