The Dependency Vulnerabilities bundled plugin integrates the Open Web Application Security Project (OWASP) dependency-check tool for scanning Java, .NET, and Python applications and their dependent libraries. Use this plugin to identify vulnerable dependencies in the analyzed stream/branch.
The dependency-check library is embedded in the Dependency Vulnerabilities plugin. But the plugin relies on data from the National Vulnerabilities Database (NVD) website to find vulnerabilities, and requires access to the internet to download and update data.
On the first run, the plugin creates:
The data directory:
The cve.2.9.h2.db file that is updated from the Common Vulnerabilities and Exposures (CVE) data. Each run automatically updates the CVE data if the autoupdate property in the properties file is set to true.
Create server configuration file
The properties file is optionally located in:
The file contains configuration properties for both the Dependency Vulnerabilities plugin and its embedded dependency-check library. Create this file only if you need to override one of the default values.
(Optional) Vulnerabilities with a CVSS score less than the specified value are treated as a WARNING.
Default value: 4.0
Vulnerabilities with a CVSS score less than the specified value are treated as an ERROR. The value must be bigger than that specified for pulseWarningCvssThreshold.
Default value: 7.0
Automatically updates the CVE data. The possible values are:
Note: All vulnerabilities with a CVSS score higher than that specified for pulseErrorCvssThreshold are treated as FATAL.
You must configure both, or none, of these properties.
Configure plugin settings
Because the dependency-check analyzers operate on binary files, add the Dependency Vulnerabilities plugin to a chain that populates a workspace with build artifacts.
When you add the Dependency Vulnerabilities plugin step to a chain, specify the following configuration details:
|Title||Enter a name for the step. Default: Dependency Vulnerabilities.|
|Application name||Enter the application name to be displayed in the report file, for example, My-App.|
|Include patterns||(Optional) To inspect only specific files, enter one or more Ant patterns, one pattern per line. To inspect all files, leave this field empty.|
|Exclude patterns||(Optional) To exclude specific files from being inspected, enter one or more Ant patterns, one pattern per line. To inspect all files, leave this field empty.|
(Optional) Enter the relative path in the stream to the suppression file, for example:
|CVE Suppression List||
(Optional) Enter a comma-separated list of CVE IDs to suppress, for example:
|Enable Archive analyzer||Scan these files types: ZIP, EAR, WAR, JAR, SAR, APK, NUPKG, TAR, GZ, TGZ|
|Enable Jar analyzer||Scan these files types: JAR, WAR|
|Enable Assembly analyzer||Scan these files types: EXE, DLL|
|Enable Nuspec analyzer||Scan the .nuspec file type.|
|Enable Python package analyzer||Scan these files types: PKG-INFO, METADATA|
|Enable Python distribution analyzer||Scan these files types: PY, WHL, EGG, ZIP|
|Enable CMaker analyzer||Scan these files types: CMakeLists.txt, *.cmake|
|Enable NodeJS analyzer||Scan this file type: package.json|
|Enable OpenSSL analyzer||Scan this file type: opensslv.h|
|Enable Ruby analyzer||Scan these files types: rakefile, *.gemspec|
|Enable Composer Lock analyzer||Scan this file type: composer.lock|
|Enable Autoconf analyzer||Scan these files types: configure, configure.in, configure.ac|
|Enable Cocoapods analyzer||Scan CocoaPods specification files to analyze Swift and Objective-C packages.|
|Enable Swift Package Manager analyzer||Scan this file type: package.swift|
Set the threshold score for unstable result, for example, 7.0.
If there are vulnerabilities with a CVSS score higher than the value you specify, the plugin reports and UNSTABLE result. If you set no value, the result is SUCCESS.
Set the threshold score for failure, for example, 9.0.
If there are vulnerabilities with a CVSS score higher than the value you specify, the plugin reports a FAILURE. If you set no value, the result is SUCCESS.
Automatically update CVE DB
Select an update option for the CVE database:
After running the chain, you can view findings in reviews and on the chain run pages. One finding per vulnerability is displayed, and there can be multiple vulnerabilities for each dependency. Each finding contains the ID of the vulnerability and the name of the dependency where it was found. A report file can be viewed from the Review page.
The Dependency Vulnerabilities plugin may report false-positive dependencies. For example, you consume a vulnerable library but you do not use the vulnerable functionality, or the vulnerability only applies in circumstances that does not apply to you. You can suppress any CVE by passing the suppression XML file with CVE suppressions (Suppression file property) or the CVE ID list (CVE suppression list property).
For more details about the tool, see the OWASP Dependency-Check help.