Dependency Vulnerabilities

The Dependency Vulnerabilities bundled plugin integrates the Open Web Application Security Project (OWASP) dependency-check tool for scanning Java, .NET, and Python applications and their dependent libraries. Use this plugin to identify vulnerable dependencies in the analyzed stream/branch.

Prerequisites

The dependency-check library is embedded in the Dependency Vulnerabilities plugin. However, the plugin relies on data from the National Vulnerability Database (NVD) website to find vulnerabilities, so it requires internet access to download and update that data.

On the first run, the plugin creates:

  • The data directory:

    <pulse_data>/conf/experts/com.serena.starlight/dependencyvulnerabilities/data/

  • The cve.2.9.h2.db database file, which is populated from the Common Vulnerabilities and Exposures (CVE) data. Each run automatically updates the CVE data if the autoupdate property in the properties file is set to true.


Configure the plugin

Because the dependency-check analyzers operate on binary files, add the Dependency Vulnerabilities plugin to a chain that populates a workspace with build artifacts.

To configure the Dependency Vulnerabilities step:

  1. Add the Dependency Vulnerabilities step to a chain, as described in Create chains.

  2. Enter the plugin configuration details:

    Title
      Enter a name for the plugin step or accept the default name.

    Application name
      Enter the application name to be displayed in the report file, for example, My-App.

    Include patterns
      (Optional) To inspect only specific files, enter one or more Ant patterns, one pattern per line. To inspect all files, leave this field empty.

    Exclude patterns
      (Optional) To exclude specific files from being inspected, enter one or more Ant patterns, one pattern per line. To inspect all files, leave this field empty.

    Suppression file
      (Optional) Enter the relative path in the stream to the suppression file, for example:

        conf/suppression.xml

    CVE Suppression List
      (Optional) Enter a comma-separated list of CVE IDs to suppress, for example:

        CVE-2008-0732,CVE-2011-5034

    Enable Archive analyzer
      Scan these file types: .zip, .ear, .war, .jar, .sar, .apk, .nupkg, .tar, .gz, .tgz

    Enable Jar analyzer
      Scan these file types: .jar, .war

    Enable Assembly analyzer
      Scan these file types: .exe, .dll

    Enable Nuspec analyzer
      Scan the .nuspec file type.

    Enable Python package analyzer
      Scan these file types: PKG-INFO, METADATA

    Enable Python distribution analyzer
      Scan these file types: .py, .whl, .egg, .zip

    Enable CMaker analyzer
      Scan these file types: CMakeLists.txt, *.cmake

    Enable NodeJS analyzer
      Scan this file type: package.json

    Enable OpenSSL analyzer
      Scan this file type: opensslv.h

    Enable Ruby analyzer
      Scan these file types: rakefile, *.gemspec

    Enable Composer Lock analyzer
      Scan this file type: composer.lock

    Enable Autoconf analyzer
      Scan these file types: configure, configure.in, configure.ac

    Enable Cocoapods analyzer
      Scan CocoaPods specification files to analyze Swift and Objective-C packages.

    Enable Swift Package Manager analyzer
      Scan this file type: package.swift

    Unstable threshold
      Set the threshold score for an unstable result, for example, 7.0.

      If there are vulnerabilities with a CVSS score higher than the value you specify, the plugin reports an UNSTABLE result. If you set no value, the result is SUCCESS.

    Failure threshold
      Set the threshold score for failure, for example, 9.0.

      If there are vulnerabilities with a CVSS score higher than the value you specify, the plugin reports a FAILURE. If you set no value, the result is SUCCESS.

    Automatically update CVE DB
      Select an update option for the CVE database:

      • Never. Never check for updates.
      • On need. Download only if no database is present when the plugin is initialized.
      • Always (default). Check for available updates before the plugin runs.

After running the chain, you can inspect findings in reviews and on the chain run pages. One finding per vulnerability is displayed, and there can be multiple vulnerabilities for each dependency. Each finding contains the ID of the vulnerability and the name of the dependency where it was found. On the Review page, you can view a report file. For details, see Inspect chain runs in reviews.

The Dependency Vulnerabilities plugin may report false positives. For example, you consume a vulnerable library but do not use the vulnerable functionality, or the vulnerability applies only in circumstances that do not apply to you. You can suppress any CVE by passing a suppression XML file containing CVE suppressions (Suppression file property) or by listing the CVE IDs directly (CVE Suppression List property).
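The following suppression file is an added example, not part of the original plugin documentation. It uses the standard OWASP dependency-check suppression format that the Suppression file property accepts: the schema namespace is the one published with dependency-check, the CVE IDs are the two shown in the CVE Suppression List example above, and the Maven coordinates (org.example:legacy-parser) and the file path (lib/vendor-sdk.jar) are assumed placeholders. Each suppress element records why the finding does not apply, so the decision can be reviewed when the dependency or the advisory changes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example dependency-check suppression file (not from the page; coordinates and paths are placeholders). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Suppress one CVE for a specific Maven artifact only; other CVEs on the
       same artifact are still reported. The gav regex pins group and artifact
       but not the version, so the suppression survives routine upgrades. -->
  <suppress>
    <notes><![CDATA[
      CVE-2008-0732 affects the optional remote-loading feature of
      org.example:legacy-parser, which is disabled in this application.
      Reviewed on: <date placeholder>. Owner: <team placeholder>.
    ]]></notes>
    <gav regex="true">^org\.example:legacy-parser:.*$</gav>
    <cve>CVE-2008-0732</cve>
  </suppress>

  <!-- Suppress a CVE by file path when the artifact has no usable GAV
       (for example a vendor-supplied jar copied into the workspace). -->
  <suppress>
    <notes><![CDATA[
      CVE-2011-5034 requires an exposed network listener; lib/vendor-sdk.jar
      is only used for offline file conversion in a batch job.
    ]]></notes>
    <filePath regex="true">.*[\\/]lib[\\/]vendor-sdk\.jar$</filePath>
    <cve>CVE-2011-5034</cve>
  </suppress>

</suppressions>
```

Prefer suppressions scoped to an artifact (gav, filePath, or sha1) over the plain CVE Suppression List: the list silences a CVE ID for every dependency in the stream, whereas a scoped suppression keeps reporting the same CVE if it later appears in a different library. Keep the file under source control next to the build (for example conf/suppression.xml, as in the property description above) so suppressions are reviewed like any other code change.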

For more details about the tool, see the OWASP Dependency-Check help.


See also: