Integrate OWASP Dependency Check with Jenkins



In this blog, we will see how to integrate OWASP Dependency-Check with Jenkins so that Software Composition Analysis (SCA) runs as part of CI on every build and vulnerable third-party libraries are flagged before the code ships.

To integrate Dependency-Check with Jenkins, we will first create a parameterized freestyle project dedicated to the Dependency-Check scan, and then trigger that project from the CI pipeline.


Steps to create a parameterized freestyle project


Step 1: Click on New Item in the Jenkins dashboard.




Step 2: Enter the item name, select Freestyle project, and click OK.



Step 3: In the freestyle project configuration window, enter a description (optional) and tick the This project is parameterized checkbox.


Step 4: Once the checkbox is enabled, an Add Parameter button appears. Click it and select String Parameter.




Step 5: In the String Parameter form, create three string parameters named Scan_Path, Report_Path and Project_Name. The names must match exactly the variables used in the shell script in Step 7, because Jenkins exposes each parameter to the build step as an environment variable of that name.





Step 6: In the Build Steps section, click Add build step and select Execute shell.




Step 7: In the Execute shell command box, enter the commands below, which:

  • Download the Dependency-Check release zip from the project's GitHub releases page
  • Unzip the Dependency-Check archive
  • Change directory to the dependency-check/bin/ folder
  • Run the scan using the dependency-check.sh script

Commands:

wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip

unzip dependency-check-7.3.0-release.zip

cd dependency-check/bin/

./dependency-check.sh --project ${Project_Name} --scan ${Scan_Path} -o ${Report_Path} -f HTML --enableExperimental

A few things to watch with this script. With a single format (-f HTML), -o accepts either a directory or a full file name, so Report_Path can name the HTML file itself. Because the archive is unpacked into the job workspace on every build, the NVD database that Dependency-Check keeps under dependency-check/data is discarded and downloaded again each time, which is slow; either install the tool once on the agent or pass --data with a directory outside the workspace. The release is fetched without any integrity check, so keep the version pinned (as it is here) and verify the archive against a hash you have vetted before running it. As written the scan only reports; add --failOnCVSS with a threshold (for example --failOnCVSS 7) if findings at or above that score should fail the job, which a pipeline calling this job will then see as a failed downstream build. Note also that Dependency-Check 7.x pulls the NVD JSON data feeds, which NVD has since retired; current releases use the NVD API and accept an API key via --nvdApiKey.




Step 8: Click on Save Button to save the project.


Now we will see how to integrate the Dependency-Check freestyle project into the CI pipeline.



Step 1: Go to the pipeline project and open its configuration.



Step 2: In the Pipeline script section, define the variables (DC_Scan_Path, DC_Report_Path and DC_Project_Name) holding the values that will be passed to the Dependency-Check build job.



Step 3: After defining the variables, add a stage for the Dependency-Check SCA scan. It triggers the Dependency-Check freestyle project with those parameters and then publishes the HTML report on the Jenkins dashboard using the HTML Publisher plugin:


stage('Dependency Check (SCA)') {
    build job: 'Dependency Check (SCA)', parameters: [
        string(name: 'Scan_Path', value: "${DC_Scan_Path}"),
        string(name: 'Report_Path', value: "${DC_Report_Path}"),
        string(name: 'Project_Name', value: "${DC_Project_Name}")
    ]

    publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: false,
                 reportDir: '.', reportFiles: 'dependency_check.html',
                 reportName: 'Dependency Check Report', reportTitles: '',
                 useWrapperFileDirectly: true])
}


Step 4: Save the project and trigger a build. Once it completes, the Dependency-Check report can be opened from the pipeline dashboard. Two points to check before relying on this: the build step waits for the freestyle job and, by default (propagate: true), fails this stage when that job fails, so a --failOnCVSS gate in the freestyle job gates the pipeline as well; and publishHTML with reportDir '.' looks for dependency_check.html in this pipeline's workspace, so DC_Report_Path must resolve to that file inside the pipeline workspace and both jobs must run on the same agent, otherwise the freestyle job has to archive the report and the pipeline copy it over before publishing.
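As an added example (not code from the original post), the two procedures above, the freestyle scan job and the pipeline stage that calls it, collapsed into a single Jenkinsfile stage that runs the Dependency-Check CLI in the pipeline's own workspace. That removes the cross-job report path problem, and the stage adds the checks the freestyle script lacks: a pinned release verified against a hash before it is unpacked, a persistent data directory so the NVD database is updated rather than re-downloaded, and a CVSS gate that fails the stage. DC_VERSION, DC_SHA256, DC_HOME, DC_DATA, the project and scan values and the 'nvd-api-key' credential ID are assumptions to replace with your own; --nvdApiKey exists from Dependency-Check 9.0 onward.

```groovy
// Added example, not from the original post: one pipeline stage that runs the
// Dependency-Check CLI in this job's own workspace instead of calling a separate
// freestyle job, so publishHTML reads the report from where it was written.
// Assumptions (values not in the original): DC_VERSION/DC_SHA256 are a release you
// vetted and pinned, DC_HOME/DC_DATA are agent paths the Jenkins user can write to,
// and a secret-text credential 'nvd-api-key' holds an NVD API key (Dependency-Check 9.0+).
pipeline {
    agent any

    environment {
        DC_VERSION = '9.2.0'                              // pin; bump deliberately, not per build
        DC_SHA256  = '<sha256 of the vetted release zip>' // placeholder: compute once, then pin
        DC_HOME    = '/opt/dependency-check'              // tool installs cached across builds
        DC_DATA    = '/var/lib/dependency-check/data'     // NVD database kept outside the workspace
        DC_PROJECT = 'my-app'
        DC_SCAN    = '.'                                  // path inside the workspace to scan
        DC_REPORT  = 'dc-report'                          // report directory inside the workspace
    }

    stages {
        stage('Dependency Check (SCA)') {
            steps {
                withCredentials([string(credentialsId: 'nvd-api-key', variable: 'NVD_API_KEY')]) {
                    sh '''#!/bin/bash
                        set -euo pipefail

                        # Install once per agent and per version: bumping DC_VERSION triggers a
                        # fresh install. The archive is checked against the pinned hash before it
                        # is unpacked, so a swapped or tampered download never runs.
                        dc_home="${DC_HOME}/${DC_VERSION}"
                        if [ ! -x "${dc_home}/bin/dependency-check.sh" ]; then
                            zip="dependency-check-${DC_VERSION}-release.zip"
                            wget -q "https://github.com/jeremylong/DependencyCheck/releases/download/v${DC_VERSION}/${zip}"
                            echo "${DC_SHA256}  ${zip}" | sha256sum -c -
                            tmp="$(mktemp -d)"
                            unzip -q "${zip}" -d "${tmp}"
                            mkdir -p "${dc_home}"
                            cp -R "${tmp}/dependency-check/." "${dc_home}/"
                            rm -rf "${tmp}" "${zip}"
                        fi

                        rm -rf "${DC_REPORT}"
                        # --data keeps the NVD database out of the workspace so it is updated, not
                        # re-downloaded, on each build. --failOnCVSS makes the CLI exit non-zero
                        # when a finding scores at or above the threshold, which fails this stage.
                        "${dc_home}/bin/dependency-check.sh" \\
                            --project "${DC_PROJECT}" \\
                            --scan "${DC_SCAN}" \\
                            --out "${DC_REPORT}" \\
                            --format HTML --format JSON \\
                            --data "${DC_DATA}" \\
                            --nvdApiKey "${NVD_API_KEY}" \\
                            --failOnCVSS 7 \\
                            --enableExperimental
                    '''
                }
            }
            post {
                always {
                    // Publish even when the gate failed, so the findings that failed it are visible.
                    publishHTML([allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true,
                                 reportDir: "${env.DC_REPORT}", reportFiles: 'dependency-check-report.html',
                                 reportName: 'Dependency Check Report'])
                    archiveArtifacts artifacts: "${env.DC_REPORT}/dependency-check-report.json",
                                     allowEmptyArchive: true
                }
            }
        }
    }
}
```

With --out pointing at a directory, Dependency-Check names the files dependency-check-report.html and dependency-check-report.json, which is why publishHTML and archiveArtifacts reference those names rather than the dependency_check.html of the freestyle setup. The JSON copy is archived so the findings can be diffed between builds or fed to another tool without re-running the scan.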



Alternative method


The OWASP Dependency-Check Jenkins plugin can also be used to integrate Dependency-Check with Jenkins. It provides a dependencyCheck build step that runs the scanner inside the job's own workspace, using an installation configured under Manage Jenkins > Tools, and a dependencyCheckPublisher step that parses the XML report, shows the findings and their trend in Jenkins, and can mark the build unstable or failed when the number of findings of a given severity reaches a threshold. Because scan and publish happen in the same job, the report-path issue of the freestyle approach does not arise.
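An added example of the plugin route (not code from the original post): the same stage expressed with the plugin's dependencyCheck and dependencyCheckPublisher steps. The installation name 'dependency-check' and the data directory are assumptions; the installation is whatever name you gave the tool under Manage Jenkins > Tools. Jenkins' Pipeline Syntax snippet generator lists the exact parameter names and threshold semantics for the plugin version you have installed, so confirm the threshold values there.

```groovy
// Added example, not from the original post: the Dependency-Check stage using the
// OWASP Dependency-Check Jenkins plugin instead of a hand-rolled shell script.
// Assumptions: an installation named 'dependency-check' exists under Manage Jenkins > Tools,
// and /var/lib/dependency-check/data is a persistent directory writable by the agent.
pipeline {
    agent any

    stages {
        stage('Dependency Check (SCA)') {
            steps {
                // Runs the scanner in this job's workspace. The XML report is what the
                // publisher parses; the HTML report is for people.
                dependencyCheck additionalArguments: '--scan . --format HTML --format XML --data /var/lib/dependency-check/data --enableExperimental',
                                odcInstallation: 'dependency-check'
            }
            post {
                always {
                    // Parses dependency-check-report.xml, records the trend and applies
                    // severity thresholds: critical findings fail the build, high findings
                    // mark it unstable.
                    dependencyCheckPublisher pattern: 'dependency-check-report.xml',
                                             failedTotalCritical: 1,
                                             unstableTotalHigh: 1
                    publishHTML([allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true,
                                 reportDir: '.', reportFiles: 'dependency-check-report.html',
                                 reportName: 'Dependency Check Report'])
                }
            }
        }
    }
}
```

Putting the publisher in a post { always } block matters: if the scan step itself fails, the findings collected so far are still parsed and shown, instead of disappearing with the failed stage.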

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
