Dependency Check at CI/CD Pipeline

Tuğrul Bayrak, published in Trendyol Tech, Dec 15, 2020

As a team, we make an effort to improve our CI/CD pipeline processes. For that reason, we change our pipeline steps when necessary and try new ideas. In this article, I will talk about a tool we added to the GitLab CI/CD pipeline of one of our Java projects.

The versions of the dependencies we use in our projects matter. As time passes, it becomes important to keep track of the versions of the dependencies we use and update them to current releases. For this reason, we decided to use the OWASP Dependency-Check tool.

The Dependency-Check tool can be added to a Java project as a Maven or Gradle plugin. It analyses the dependencies in your project against a published vulnerability database and produces a report that lists, in detail, the vulnerable dependencies you use, what each vulnerability is and which versions are affected. You can apply the suggested updates and run the tool again to see the difference. For example, when we added it to the pipeline of one of our projects, it generated the report below, grouped by vulnerability severity level.

dependency names are blurred for security reasons

In the other parts of the report it also gives detailed explanations of each vulnerability and of the ways to fix it. So we can create a vulnerability report with Dependency-Check locally, but that is not very effective: running it can be forgotten, and not everyone runs it before committing. That is why we added it to our CI/CD pipeline. We were already passing our code through SonarQube during our pipeline steps. Thanks to the tool's SonarQube plugin, we can view the generated report directly in SonarQube, and the pipeline fails when the security rating is below the quality rules we set.

failed pipeline

The report is created during the build phase and sent to SonarQube together with the Sonar report. At the Sonar Check stage, if the project cannot pass the Sonar Quality Gate we have defined, the step fails. That way we know there is something we need to look into.

SonarQube measures overview

The SonarQube dashboard shows our current security rating and vulnerabilities.

For example, in this project, when we updated the dependencies and ran the pipeline again, we raised our security rating to ‘A’.

succeeded pipeline
pom.xml

Bonus 1

There may be some dependencies that you do not want to upgrade: maybe another dependency forces you to keep that version, or you do not want to risk upgrading something you have been using for a long time. Dependency-Check lets you exclude such a dependency from the analysis with a suppression file. Here is more detail.

Bonus 2

You may be concerned that a tool like Dependency-Check adds extra time to the CI/CD pipeline, because it downloads and scans the historical vulnerability database; its documentation warns about this. Some techniques can be used to overcome it. The first is to run the scan as a scheduled job instead of adding it directly to the pipeline. Another option is to save this time by caching your dependencies in the pipeline: Dependency-Check downloads the files it needs into the .m2 folder where Maven dependencies are downloaded, and since we use GitLab CI/CD, GitLab's caching mechanism covers it. This way, you can save an extra 2–3 minutes with the cache.
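To make the whole flow concrete, here is an added example of a GitLab CI configuration (not the project's own pipeline file) that wires the build, Dependency-Check and the Sonar Check stage together with the .m2 cache from Bonus 2. The image name, the suppression file name, the SonarQube variables and the Dependency-Check and Sonar property names are assumptions and should be checked against the plugin versions you use.

```yaml
stages:
  - build
  - sonar-check

variables:
  # Keep the Maven repository inside the project directory so GitLab can cache it.
  # Dependency-Check stores its vulnerability data under the same .m2 tree, so one
  # cache entry covers both the downloaded dependencies and the vulnerability data.
  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"

cache:
  key: "$CI_PROJECT_NAME-m2"
  paths:
    - .m2/repository

build:
  stage: build
  image: maven:3.6-jdk-11   # assumed image; use the JDK your project builds with
  script:
    # Build and run Dependency-Check in the same phase. format=ALL writes the
    # HTML report for humans plus the JSON report that the SonarQube plugin reads.
    # The suppression file (hypothetical name) holds the exclusions from Bonus 1.
    - >
      mvn -B verify org.owasp:dependency-check-maven:check
      -Dformat=ALL
      -DsuppressionFile=dependency-check-suppressions.xml
  artifacts:
    paths:
      - target/

sonar-check:
  stage: sonar-check
  image: maven:3.6-jdk-11
  script:
    # Send the Sonar analysis together with the Dependency-Check report.
    # sonar.qualitygate.wait=true makes the job fail when the Quality Gate fails,
    # which is what turns a bad security rating into a red pipeline.
    - >
      mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
      -Dsonar.host.url=$SONAR_HOST_URL
      -Dsonar.login=$SONAR_TOKEN
      -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json
      -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
      -Dsonar.qualitygate.wait=true
```

Because the Quality Gate is evaluated in the second stage, a Dependency-Check finding does not break the build job itself; it only fails the pipeline once SonarQube rates it below the threshold you configured.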
