Scanning dependencies is critical from a security perspective. In today's world, application dependency graphs are deeper than ever.
Referencing a paper by Jeff Williams and Arshan Dabirsiaghi:
`Eighty percent of the code in today’s applications come from libraries and frameworks.`
This just reinforces the need to check your dependencies for security issues.
The technologies presently covered for vulnerability scanning of dependencies are .Net and NodeJs. The intent is to cover Java also, but pipeline examples have not yet been implemented. See these two pipelines for demo implementations.
- OWASP DC is part of the OWASP foundation which is well known, trusted and not likely to suffer from lack of contributions.
- Has a range of technologies it covers. Ant Task, CLI, Gradle plugin, Maven plugin, Jenkins plugin.
- Covers Java, JavaScript and Nuget.
- Incorporates RetireJs, at least partially, and is expected to do so fully if it does not already.
- Jenkins plugin can produce publishable reports. See pipelines.
- Integrates with multiple sources of vulnerability data and report formats; see features.
- OWASP DC can be a little heavy when it downloads updates.
- Yarn and NPM are the de facto package managers for JavaScript.
- Developers know the tools and are comfortable with them.
- They do not produce any Jenkins-consumable output.
- They do not support any kind of threshold on severities.
- Third-party packages can help. It is a bit of a jungle, but I settled on these:
- audit-ci: Maintained by IBM. Supports both NPM and Yarn. Provides the ability to set a threshold for builds (low, moderate, high, critical).
- yarn-audit-html and npm-audit-html: These modules can be used to produce an HTML report that can be published in Jenkins.
- The results from Yarn audit and NPM audit differ.
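The two gaps just listed (no severity threshold, no Jenkins-consumable output) can be closed with a small script on the audit JSON. The following is an added example, not code from this page or from audit-ci: it reads the `metadata.vulnerabilities` counts that `npm audit --json` emits, fails the build at or above a chosen severity, and writes a JUnit-style XML file that the Jenkins JUnit plugin can publish. The JSON below is a constructed sample, not real audit output.

```python
import json
import sys
import xml.etree.ElementTree as ET

# Severity order used by npm audit and audit-ci, lowest to highest.
SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample, modelled on the `metadata.vulnerabilities` block of
# `npm audit --json` (auditReportVersion 2). Not real audit output.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 4}},
})

def severity_counts(audit_json: str) -> dict:
    """Return {severity: count} from the report's metadata block."""
    report = json.loads(audit_json)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}

def exceeds_threshold(counts: dict, threshold: str) -> bool:
    """True if any finding is at or above `threshold` (e.g. "high")."""
    floor = SEVERITIES.index(threshold)
    return any(counts[sev] > 0 for sev in SEVERITIES[floor:])

def junit_xml(counts: dict, threshold: str) -> str:
    """One JUnit test case per severity; a case at or above the threshold
    fails when its count is non-zero, so Jenkins' JUnit plugin can chart it."""
    suite = ET.Element("testsuite", name="dependency-audit",
                       tests=str(len(SEVERITIES)))
    floor = SEVERITIES.index(threshold)
    for idx, sev in enumerate(SEVERITIES):
        case = ET.SubElement(suite, "testcase", classname="npm-audit", name=sev)
        if idx >= floor and counts[sev] > 0:
            ET.SubElement(case, "failure",
                          message=f"{counts[sev]} {sev} finding(s)")
    return ET.tostring(suite, encoding="unicode")

def gate(audit_json: str, threshold: str = "high") -> int:
    """Exit status for a CI step: 1 when the threshold is breached, else 0."""
    return 1 if exceeds_threshold(severity_counts(audit_json), threshold) else 0

if __name__ == "__main__":  # e.g. npm audit --json | python audit_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    with open("audit-junit.xml", "w") as fh:
        fh.write(junit_xml(severity_counts(data), "high"))
    sys.exit(gate(data, "high"))
```

In a Jenkins stage, run the script after `npm audit --json` and point `junit 'audit-junit.xml'` at the file; the non-zero exit status fails the step when the threshold is breached.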
- Snyk CLI could be a way to a more cohesive set of tools.
- Provides a free tier, but it is included here mainly for completeness.
- Has a Jenkins plugin.
- Produces html which publishes nicely in Jenkins.
- Provides a centralized Dashboard for an overview of security issues.
- Real benefits need a paid account, as a lot of features are missing from the free tier.
I would go with OWASP DC as the main tool for scanning vulnerabilities in dependencies. It covers the most ground, is relatively CI/CD friendly and, although nothing is guaranteed, is a good bet for the future.
Yarn and NPM audit are viable options as they are well known by developers. They are limited from a CI/CD perspective but can be used in a limited fashion.