March 15, 2019
Security is becoming a more important aspect of development. Over the last few years there have been numerous high-profile security breaches, many of them traced to known vulnerabilities in third-party libraries that had not been patched. With this in mind, how do we ensure the software libraries we use are safe without slowing down the high-velocity agile development process we embrace?
The NVD (National Vulnerability Database) is NIST's database of CVE security vulnerabilities. For each CVE it records a CVSS score that rates how severe the vulnerability is, including how easy it is to exploit, and lists the affected products by their CPE identifiers. It is an essential resource for keeping software secure.
OWASP Dependency-Check is a tool we can run in our CI environment to check the dependencies in a codebase against the NVD. It identifies each library from evidence such as the jar file name, manifest entries and Maven coordinates, matches that evidence to a CPE, and then looks up the CVEs recorded against that product. The output is an easy-to-digest HTML report. Note that the first run downloads the NVD data feed, which can take several minutes; later runs only fetch the updates.
Adding the Dependency-Check scan to a Gradle build is very straightforward. You can reference the suppression file location and skip Gradle configurations (for example build-time tooling that is never shipped with the application) if required. You can also set the CVSS score at which the build fails: any reported vulnerability with a score at or above failBuildOnCVSS fails the build, so the value of 1 below fails on effectively every finding, while a team that only wants to block high-severity issues might start at 7 and tighten over time.
plugins {
    id "org.owasp.dependencycheck" version "3.1.1"
}

dependencyCheck {
    // Gradle configurations to leave out of the scan, e.g. build-time-only tooling
    skipConfigurations = ['dockerJava']
    // XML file holding suppressions for findings confirmed to be false positives
    suppressionFile = 'dependencyCheck.xml'
    // Fail the build when any reported vulnerability scores at or above this CVSS value
    failBuildOnCVSS = 1
}
To run the check:
./gradlew dependencyCheckAnalyze
If you get false positives you can suppress the reported vulnerability. False positives usually happen because the library was matched to the wrong CPE, for example when a jar's name or vendor resembles an unrelated product. Only suppress a finding once you have confirmed it does not apply to your code; if the vulnerability is real, the fix is to upgrade the library, not to hide the report. The HTML report has a suppress button next to each finding that generates the XML snippet to paste into the suppression file.
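As an added example, not taken from the original post, this is what a suppression file such as dependencyCheck.xml looks like. The Maven coordinates, jar name and CPE in it are hypothetical placeholders; the layout follows the Dependency-Check suppression schema (version 1.1).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file. The coordinates, jar name and CPE below are
     hypothetical placeholders, not real artifacts or findings. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <!-- False positive: the scanner matched our client library to an unrelated
         product's CPE. Suppress the wrong CPE match only, and only for this
         artifact (gav regex), so genuine findings against the real product
         still surface if that product ever appears in the build. -->
    <suppress>
        <notes><![CDATA[
        file name: example-client-1.2.0.jar (hypothetical)
        Matched CPE belongs to an unrelated product with a similar name; confirmed 2019-03-15.
        ]]></notes>
        <gav regex="true">^com\.example:example-client:.*$</gav>
        <cpe>cpe:/a:example_vendor:example_product</cpe>
    </suppress>

    <!-- Temporary risk acceptance with an expiry date: the 'until' attribute makes
         the suppression lapse, so the finding reappears and forces a decision
         instead of being forgotten. cvssBelow limits it to low-severity findings. -->
    <suppress until="2019-06-30">
        <notes><![CDATA[
        Accepted risk: low-severity finding on example-client, library upgrade scheduled for Q2.
        ]]></notes>
        <gav regex="true">^com\.example:example-client:.*$</gav>
        <cvssBelow>4</cvssBelow>
    </suppress>

</suppressions>
```

For a fingerprinting error, suppressing the wrong cpe is preferable to suppressing individual CVE identifiers: the cpe suppression removes the incorrect product identification in one go, whereas suppressing one CVE hides a single finding and the next CVE published against the same wrong product will show up again on the next scan.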
Adding this report to our CI process has greatly improved people's awareness of the security vulnerabilities in the libraries they depend on. This has allowed teams to take more responsibility for the application stack their code is deployed on. Technology teams can create patched base images with a secure OS and JVM, and application teams have the flexibility to use lightweight embedded servers, with confidence that known vulnerabilities in their dependencies will be flagged and patched.
Follow me on twitter @andyianriley
or see andyianriley @ linkedin.