Using Dependency-Check with VSTS and SonarQube

Welcome to the second part on Dependency-Check. Please make sure that you have read part one and have a working suppression file; otherwise you will get a lot of vulnerabilities reported in SonarQube.

In this post, I use Visual Studio Team Services (VSTS) for my build pipeline. You can use different services to reach the same goal, but I cannot help you with them. You can find an explanation of how to set up SonarQube with VSTS in this post.

This post is part two of a small series on finding security vulnerabilities in your project dependencies:

  1. Finding Security Vulnerabilities in your Dependencies with Dependency-Check
  2. Using Dependency-Check with VSTS and SonarQube
  3. Finding Security Vulnerabilities in your Project Dependencies with Audit.Net


Installation on the build server

Get the pre-compiled binaries for Dependency-Check from Bintray and extract the *.zip file into a suitable directory.


Install the SonarQube plug-in

You can find the code for the SonarQube plug-in on GitHub and the binaries on Bintray. Go to your SonarQube server, download the binary, copy the *.jar file to the $SONAR_INSTALL_DIR/extensions/plugins folder and restart SonarQube.

Open SonarQube and go to the plug-in's configuration page in the Administration tab. In the report path settings, replace ${WORKSPACE} with $(System.DefaultWorkingDirectory) and save the changes:

If this property does not work, you can set it in the advanced properties of the Prepare analysis on SonarQube task in your VSTS build.


Add a Batch Script task to your VSTS build

Open the build job that contains the SonarQube tasks. Between the compilation of your project and the Code Analysis for SonarQube task, add a new Batch Script task. Split the command you use to run Dependency-Check into the path to the executable and the command line arguments:

Attention: the HTML output is needed to display the HTML report in SonarQube, while the XML output is needed to count the vulnerabilities. If you use ALL as the format for Dependency-Check (-f ALL), you get both reports at once.

Save your build and close the edit mask for your build job.


Run your build

Start your build job and wait until it finishes. It may take a few minutes, depending on how quickly it can download the vulnerability data.


Open your project in SonarQube

Do not panic if you open your project and find thousands of reported vulnerabilities. In SonarQube 7.2 I got the number of vulnerable dependencies multiplied by the number of projects in my solution. With 26 vulnerabilities and 40 projects, I ended up with about 1k reported problems for 26 real ones.

You find the HTML report you get from the command line in the More tab:

In my opinion this report is the best place to find the vulnerabilities. If you just care about the number, you can open the Measures tab and expand the OWASP-Dependency-Check node:
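As an added example that is not from the original post or from the Dependency-Check project: a Python script that reads the XML report the Batch Script task writes (the XML or ALL format) and separates the raw per-dependency count, which is what gets multiplied by the number of projects, from the distinct CVEs and distinct libraries you actually have to fix. The element names (analysis, dependencies, dependency, fileName, filePath, vulnerabilities, vulnerability, name, severity) are my assumption about the report format, the embedded sample report is constructed with placeholder CVE ids, and the severity gate at the end is an extra I added, not something the post sets up.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real scan result. Element names follow the
# dependency-check XML report format as I know it (an assumption), reduced to
# the fields used here; real reports also declare an XML namespace, which the
# parser below ignores. LibA.dll is referenced by two projects of the solution.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis>
  <dependencies>
    <dependency>
      <fileName>LibA.dll</fileName>
      <filePath>src/ProjectA/bin/Release/LibA.dll</filePath>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-0000-0001</name><severity>HIGH</severity></vulnerability>
        <vulnerability source="NVD"><name>CVE-0000-0002</name><severity>MEDIUM</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>LibA.dll</fileName>
      <filePath>src/ProjectB/bin/Release/LibA.dll</filePath>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-0000-0001</name><severity>HIGH</severity></vulnerability>
        <vulnerability source="NVD"><name>CVE-0000-0002</name><severity>MEDIUM</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>LibB.dll</fileName>
      <filePath>src/ProjectB/bin/Release/LibB.dll</filePath>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-0000-0003</name><severity>CRITICAL</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>LibC.dll</fileName>
      <filePath>src/ProjectA/bin/Release/LibC.dll</filePath>
      <vulnerabilities/>
    </dependency>
  </dependencies>
</analysis>
"""

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _local(tag):
    """'{uri}name' -> 'name', so namespaced and plain reports parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def parse_report(xml_text):
    """One (filePath, fileName, cve, severity) tuple per dependency/CVE pair,
    which is how a per-project view counts them."""
    root = ET.fromstring(xml_text)
    findings = []
    for deps in _children(root, "dependencies"):
        for dep in _children(deps, "dependency"):
            path, name = _text(dep, "filePath"), _text(dep, "fileName")
            for vulns in _children(dep, "vulnerabilities"):
                for vuln in _children(vulns, "vulnerability"):
                    findings.append((path, name, _text(vuln, "name"), _text(vuln, "severity")))
    return findings


def summarize(findings):
    """Raw count (what multiplying per project produces) next to the numbers
    that describe the actual work: distinct CVEs and distinct libraries."""
    return {
        "raw_findings": len(findings),
        "distinct_cves": len({cve for _p, _n, cve, _s in findings}),
        "vulnerable_libraries": len({name for _p, name, _c, _s in findings}),
    }


def exceeds_threshold(findings, threshold):
    """True if any finding is at or above the given severity. Unknown severity
    strings count as exceeding it, so a format change fails the gate loudly
    instead of silently passing."""
    floor = SEVERITY_ORDER.index(threshold)
    for _p, _n, _c, sev in findings:
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) >= floor:
            return True
    return False


if __name__ == "__main__":
    # Usage: python check_report.py [dependency-check-report.xml] [HIGH]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2].upper() if len(sys.argv) > 2 else "HIGH"
    found = parse_report(text)
    print(summarize(found))
    sys.exit(1 if exceeds_threshold(found, threshold) else 0)
```

Run it as an additional step after the Batch Script task with the path of the XML report (and optionally a severity); a non-zero exit fails the build before anything reaches SonarQube. On the constructed sample it reports 5 raw findings but only 3 distinct CVEs in 2 libraries, which is the same inflation effect as the 26-versus-1k numbers above, just on a smaller scale.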


Fix the vulnerabilities

Now the hard work begins: you have to check all vulnerabilities and fix them. If you find false positives, you can suppress them (see part one for an explanation of how to do this effectively) for the next run.


Conclusion

Dependency-Check works with VSTS and SonarQube and can help you collect known security vulnerabilities in your dependencies. It requires a lot of work at the beginning, but as soon as your suppression file is up to date, you start saving time and detect new problems with dependencies quickly.

5 thoughts on “Using Dependency-Check with VSTS and SonarQube”

  1. I have an issue where the $(System.DefaultWorkingDirectory) is not being passed correctly to the sonar scanner steps on TFS.
    It is not being interpreted on the TFS task and is being used as “$(System.DefaultWorkingDirectory)” when it should really be “D:/TfsAgent1/_work/5/s”.
    Any advice or experience with this issue? Have I missed a step or do I need to escape the $(System.DefaultWorkingDirectory)?

    • Hi Tom,
      I use this argument for my batch script task: -s relative/path/to/code/*.dll -f ALL --project “myProject ” -o $(System.DefaultWorkingDirectory)/
      That works with the current version of Azure DevOps and should be the same for TFS (according to the documentation). Sorry that I can’t give a more detailed solution.

      Regards
      Johnny

  2. I have followed the same steps and added a build step “OWASP dependency check” in TFS, but I am getting the error “Could not find or load main class org.owasp.dependencycheck.App”. Any idea?

    • Hi Naveen,
      What did you set in the path of the Batch Script Task in TFS? Is it the bat file or something else? I use this path: C:\Tools\dependency-check\bin\dependency-check.bat and have at this location the official batch file from dependency-check.
      You can go to your build server and manually start the batch file in the command line. If you start it without any parameters, it should print out the list of options. If that works, it works with the Batch Script task as well. Otherwise you may have an error in your path or try to call the *.jar file instead. That would explain the error and should be fixed by using the batch file instead.

      Regards
      Johnny
