Dependency Vulnerabilities
The Dependency Vulnerabilities bundled plugin integrates the Open Web Application Security Project (OWASP) dependency-check tool for scanning Java, .NET, and Python applications and their dependent libraries. Use this plugin to identify vulnerable dependencies in the analyzed stream.
Prerequisites
The dependency-check library is embedded in the Dependency Vulnerabilities plugin. However, the plugin relies on data from the National Vulnerability Database (NVD) to find vulnerabilities, so the server that runs it needs internet access to download and update that data.
On the first run, the plugin creates:
- The directory ${dataDir}/conf/experts/com.serena.starlight/dependencyvulnerabilities/data/
- The cve.2.9.h2.db database file, populated from Common Vulnerabilities and Exposures (CVE) data. Each subsequent run updates the CVE data automatically if the pulseAutoUpdate property in the properties file is set to true.
Create server configuration file
The optional properties file is located at:
${dataDir}/conf/experts/com.serena.starlight/dependencyvulnerabilities/dependencycheck-pulse-expert.properties.
The file contains configuration properties for both the Dependency Vulnerabilities plugin and its embedded dependency-check library. Create this file only if you need to override one of the default values.
Property | Description |
---|---|
pulseWarningCvssThreshold | (Optional) Vulnerabilities with a CVSS score less than this value are treated as a WARNING. Default value: 4.0 |
pulseErrorCvssThreshold | (Optional) Vulnerabilities with a CVSS score less than this value, but not less than pulseWarningCvssThreshold, are treated as an ERROR. The value must be greater than pulseWarningCvssThreshold. Default value: 7.0 |
pulseAutoUpdate | Automatically updates the CVE data. The possible values are true and false. |

Note: All vulnerabilities with a CVSS score of pulseErrorCvssThreshold or higher are treated as FATAL. You must configure both threshold properties or neither of them.
Configure plugin settings
Because the dependency-check analyzers operate on binary files, add the Dependency Vulnerabilities plugin to a chain that populates a workspace with build artifacts.
When you add the Dependency Vulnerabilities plugin step to a chain, specify the following configuration details:
Field | Description |
---|---|
Title | Enter a name for the step. Default: Dependency Vulnerabilities. |
Application name | Enter the application name to be displayed in the report file, for example, My-App. |
Include patterns | (Optional) To inspect only specific files, enter one or more Ant patterns, one pattern per line. To inspect all files, leave this field empty. |
Exclude patterns | (Optional) To skip specific files, enter one or more Ant patterns, one pattern per line. To exclude nothing, leave this field empty. |
Suppression file | (Optional) Enter the path, relative to the stream, of the dependency-check suppression XML file, for example: conf/suppression.xml |
CVE Suppression List | (Optional) Enter a comma-separated list of CVE IDs to suppress, for example: CVE-2008-0732,CVE-2011-5034. A CVE in this list is suppressed in every dependency it is found in; use the suppression file when a suppression must be limited to a specific dependency. |
Enable Archive analyzer | Scan these file types: ZIP, EAR, WAR, JAR, SAR, APK, NUPKG, TAR, GZ, TGZ |
Enable Jar analyzer | Scan these file types: JAR, WAR |
Enable Assembly analyzer | Scan these file types: EXE, DLL |
Enable Nuspec analyzer | Scan the .nuspec file type. |
Enable Python package analyzer | Scan these file types: PKG-INFO, METADATA |
Enable Python distribution analyzer | Scan these file types: PY, WHL, EGG, ZIP |
Enable CMake analyzer | Scan these file types: CMakeLists.txt, *.cmake |
Enable NodeJS analyzer | Scan this file type: package.json |
Enable OpenSSL analyzer | Scan this file type: opensslv.h |
Enable Ruby analyzer | Scan these file types: rakefile, *.gemspec |
Enable Composer Lock analyzer | Scan this file type: composer.lock |
Enable Autoconf analyzer | Scan these file types: configure, configure.in, configure.ac |
Enable Cocoapods analyzer | Scan CocoaPods specification files to analyze Swift and Objective-C packages. |
Enable Swift Package Manager analyzer | Scan this file type: package.swift |
Unstable threshold | Set the CVSS score above which the run is reported as UNSTABLE, for example, 7.0. If any vulnerability has a CVSS score higher than this value, the plugin reports an UNSTABLE result. If you leave the field empty, no vulnerability makes the result UNSTABLE. |
Failure threshold | Set the CVSS score above which the run is reported as FAILURE, for example, 9.0. If any vulnerability has a CVSS score higher than this value, the plugin reports a FAILURE. If you leave the field empty, no vulnerability makes the result FAILURE. If neither threshold is set, the result is SUCCESS. |
Automatically update CVE DB | Select an update option for the CVE database. |

The two step-level thresholds decide the result of the chain run. They are separate from the per-finding levels (WARNING, ERROR, FATAL), which come from the pulseWarningCvssThreshold and pulseErrorCvssThreshold server properties.
After running the chain, you can view findings in reviews and on the chain run pages. One finding per vulnerability is displayed, and there can be multiple vulnerabilities for each dependency. Each finding contains the ID of the vulnerability and the name of the dependency where it was found. A report file can be viewed from the Review page.
The Dependency Vulnerabilities plugin can report false positives: for example, you consume a vulnerable library but never call the vulnerable functionality, or the vulnerability only applies in circumstances that do not apply to you. You can suppress any CVE by providing a suppression XML file (Suppression file property) or a list of CVE IDs (CVE Suppression List property). Record the reason for each suppression and scope it to the affected dependency where you can, so that the suppression does not silently hide the same CVE when it turns up in another library.
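The two suppression mechanisms and the two sets of thresholds described above are easy to conflate, so here is an added Python model of how they combine. This is example code, not the plugin's or dependency-check's implementation. It embeds a constructed suppression file in dependency-check's XML format, scoped with a filePath regex so that CVE-2011-5034 is hidden in one jar only, then applies the CVE Suppression List, the server-side pulse*CvssThreshold levels, and the step-level Unstable/Failure thresholds to a constructed set of findings. The file paths, the ticket reference in the notes, and the CVSS scores are invented; the suppression schema version (1.1) and the treatment of a score exactly equal to a threshold are assumptions.

```python
"""Model of the suppression and threshold rules described for the Dependency
Vulnerabilities step. Added example, not the plugin's or dependency-check's
own code: paths, CVSS scores and the suppression note are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace of dependency-check's suppression schema. The version must match
# the embedded dependency-check library; 1.1 is assumed here.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"}

# Constructed suppression file (the Suppression file step property). The
# filePath regex limits the suppression to one jar; <notes> records why.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[Hypothetical ticket SEC-123: vulnerable code path not reachable from My-App.]]></notes>
    <filePath regex="true">.*/lib/example-util-1\.0\.jar</filePath>
    <cve>CVE-2011-5034</cve>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    dependency: str  # workspace path of the dependency the CVE was found in
    cvss: float      # constructed score for the example, not the real CVSS of the CVE


# Constructed findings, one per (CVE, dependency) pair, as the plugin reports them.
FINDINGS = [
    Finding("CVE-2011-5034", "build/lib/example-util-1.0.jar", 5.0),  # matched by SUPPRESSION_XML
    Finding("CVE-2011-5034", "build/lib/other-lib-2.3.jar", 5.0),     # same CVE, other jar: kept
    Finding("CVE-2008-0732", "build/lib/third-party-0.9.jar", 9.3),
]


def _path_matcher(file_path_elem):
    """Predicate for a <filePath> element; a rule without one applies to every dependency."""
    if file_path_elem is None:
        return lambda path: True
    text = file_path_elem.text.strip()
    if file_path_elem.get("regex") == "true":
        # dependency-check tests the pattern against the whole path, hence fullmatch.
        return re.compile(text).fullmatch
    return lambda path: path == text


def load_xml_suppressions(xml_text):
    """Return [(cve_id, path_predicate)] from a dependency-check suppression file."""
    root = ET.fromstring(xml_text)
    rules = []
    for suppress in root.findall("s:suppress", NS):
        matches = _path_matcher(suppress.find("s:filePath", NS))
        for cve in suppress.findall("s:cve", NS):
            rules.append((cve.text.strip(), matches))
    return rules


def parse_cve_list(cve_list):
    """The CVE Suppression List property: comma-separated IDs, suppressed in every dependency."""
    return {item.strip() for item in cve_list.split(",") if item.strip()}


def is_suppressed(finding, xml_rules, cve_ids):
    if finding.cve in cve_ids:
        return True
    return any(cve == finding.cve and matches(finding.dependency) for cve, matches in xml_rules)


def finding_severity(cvss, warning=4.0, error=7.0):
    """Per-finding level from pulseWarningCvssThreshold / pulseErrorCvssThreshold (defaults 4.0 / 7.0).
    A score equal to a threshold is assumed to take the higher level."""
    if error <= warning:
        raise ValueError("pulseErrorCvssThreshold must be greater than pulseWarningCvssThreshold")
    if cvss < warning:
        return "WARNING"
    if cvss < error:
        return "ERROR"
    return "FATAL"


def run_result(findings, unstable=None, failure=None):
    """Chain result from the step's Unstable/Failure thresholds; an empty field disables that level."""
    top = max((f.cvss for f in findings), default=None)
    if top is not None and failure is not None and top > failure:
        return "FAILURE"
    if top is not None and unstable is not None and top > unstable:
        return "UNSTABLE"
    return "SUCCESS"


def triage(findings, xml_text=SUPPRESSION_XML, cve_list="", unstable=None, failure=None):
    """Apply both suppression mechanisms, then classify what remains."""
    rules = load_xml_suppressions(xml_text)
    cve_ids = parse_cve_list(cve_list)
    kept = [f for f in findings if not is_suppressed(f, rules, cve_ids)]
    report = {(f.cve, f.dependency): finding_severity(f.cvss) for f in kept}
    return report, run_result(kept, unstable, failure)


if __name__ == "__main__":
    for extra in ({}, {"cve_list": "CVE-2008-0732"}):
        print(triage(FINDINGS, unstable=7.0, failure=9.0, **extra))
```

With the XML file alone, CVE-2011-5034 disappears from example-util but stays (as an ERROR) in the other jar, and the 9.3 finding makes the run a FAILURE; adding CVE-2008-0732 to the CVE Suppression List removes it everywhere and the run drops to UNSTABLE. In a real suppression file the sha1 of the exact artifact is a tighter selector than a filePath regex; the embedded library's documentation lists the selectors its schema version supports.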
For more details about the tool, see the OWASP Dependency-Check help.
See also: