A wercker step to run the OWASP dependency-check tool standalone from the source build.
NOTE: The latest version of the dependency-check tool is downloaded to the wercker cache folder.
For more information on the OWASP dependency-check tool, please see the OWASP website or the documentation on GitHub.
The wercker box that you run your pipeline in should use or extend the openjdk container from Docker Hub. The curl and unzip utilities are also expected, in order to download the binary distribution to the wercker cache directory.
To use the step, add it to your pipeline (wercker.yml) with the appropriate properties, as in the example below:

    steps:
      - thefrogpad/owasp-dependency-check:
          project: application
          scan: $WERCKER_CACHE_DIR
          out: $WERCKER_CACHE_DIR
          format: JSON
          fail_on_cvss: "11"
          data: $WERCKER_CACHE_DIR/owasp/
NOTE: The fail_on_cvss parameter should be an integer value between 0 and 10. Using 11 means that no error status will be returned from running dependency-check, and the step will complete successfully even when a vulnerability is detected.
Parameters are currently limited to the following and match the OWASP dependency-check arguments:
- project: The name of the project being scanned
- scan: The folder or file to scan for vulnerabilities
- out: The output folder to write reports to
- format: The output format of the report(s) (XML, HTML, CSV, JSON, VULN, ALL)
- fail_on_cvss: If set to a score between 0 and 10, the exit code from dependency-check will indicate whether a vulnerability with a CVSS score equal to or higher than that value was identified
- data: The location of the data directory used to store persistent data downloaded during scanning (e.g. NVD data)
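The following is an added example, not the step's own run script, showing how the properties above map onto the dependency-check CLI flags and how the fail_on_cvss rule (0-10 fails the step on a matching finding, 11 never fails it) is applied. It assumes wercker exposes each property as WERCKER_OWASP_DEPENDENCY_CHECK_<PROPERTY> and that the unpacked distribution lives under $WERCKER_CACHE_DIR/dependency-check.

```shell
#!/bin/sh
# Added example (not the step's own script). Assumptions: step properties arrive as
# WERCKER_OWASP_DEPENDENCY_CHECK_<PROPERTY>, and the CLI is unpacked into
# $WERCKER_CACHE_DIR/dependency-check/bin/dependency-check.sh.

# threshold_enabled CVSS -> success when CVSS is a real score (0-10);
# 11 (or anything else) disables failing the step on findings.
threshold_enabled() {
  case "$1" in
    [0-9]|10) return 0 ;;
    *) return 1 ;;
  esac
}

# build_args PROJECT SCAN OUT FORMAT FAIL_ON_CVSS DATA -> prints the CLI flags.
# --failOnCVSS is only passed when a real threshold is configured.
build_args() {
  args="--project $1 --scan $2 --out $3 --format $4 --data $6"
  if threshold_enabled "$5"; then
    args="$args --failOnCVSS $5"
  fi
  printf '%s' "$args"
}

# step_status EXIT_CODE FAIL_ON_CVSS -> the status the step should report:
# dependency-check's own exit code when a threshold is active, otherwise 0.
step_status() {
  if threshold_enabled "$2"; then
    return "$1"
  fi
  return 0
}

# run_step: read the step properties (with the README example as defaults),
# invoke the scanner and translate its exit code per the fail_on_cvss rule.
run_step() {
  bin="${WERCKER_CACHE_DIR:-.}/dependency-check/bin/dependency-check.sh"
  cvss="${WERCKER_OWASP_DEPENDENCY_CHECK_FAIL_ON_CVSS:-11}"
  # Values are assumed free of whitespace, as in the wercker.yml example above.
  "$bin" $(build_args "${WERCKER_OWASP_DEPENDENCY_CHECK_PROJECT:-application}" \
       "${WERCKER_OWASP_DEPENDENCY_CHECK_SCAN:-$WERCKER_CACHE_DIR}" \
       "${WERCKER_OWASP_DEPENDENCY_CHECK_OUT:-$WERCKER_CACHE_DIR}" \
       "${WERCKER_OWASP_DEPENDENCY_CHECK_FORMAT:-JSON}" "$cvss" \
       "${WERCKER_OWASP_DEPENDENCY_CHECK_DATA:-$WERCKER_CACHE_DIR/owasp/}")
  step_status $? "$cvss"
}
```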
See the sample wercker application at https://github.com/thefrogpad/getting-started-java.