03. Software Composition Analysis

Apart from SAST, it is a good idea to also use SCA (Software Composition Analysis), which checks the third-party dependencies your application pulls in against known vulnerabilities. It can be integrated either in the SCM or in CI.

More information on what SCA is can be found here (slide 12).

We will show two different setups. One way is to integrate it into your SCM (GitHub).

For this purpose, create an account with Snyk at snyk.io. After that, add your forked WebGoat project.

Alternatively, you can add an SCA tool to your pipeline.

Install the OWASP Dependency-Check plugin. Configure an installation in Global Tool Configuration and use the latest version.

Add the dependency check step to the pipeline.

The easiest way to do it is via the dependencyCheck command:

dependencyCheck additionalArguments: '--scan "path to scan" --format HTML', odcInstallation: 'dependency-check'

The full stage looks like this:

pipeline {
    agent none

    stages {
        // stages from previous sections

        stage('SCA') {
            agent any

            steps {
               dependencyCheck additionalArguments: ''' -o "./" -s "./" -f "ALL" --prettyPrint''', odcInstallation: 'dependency-check'
            }
        }
    }
}

If you also want to publish the reports in Jenkins, add this step to the stage:

dependencyCheckPublisher (pattern: 'dependency-check-report.xml')

The final version of the pipeline should look like this:

pipeline {
    agent none

    stages {
        // stages from previous sections

        stage('SCA') {
            agent any

            steps {
               dependencyCheck additionalArguments: ''' -o "./" -s "./" -f "ALL" --prettyPrint''', odcInstallation: 'dependency-check'
               dependencyCheckPublisher (pattern: 'dependency-check-report.xml')
            }
        }
    }
}
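
The publisher step makes the report visible in Jenkins, but on its own it does not stop a build that ships a vulnerable dependency. The following script is an added example (it is not part of the workshop repository or of the Dependency-Check plugin): it reads the `dependency-check-report.json` file that the `-f "ALL"` argument above writes into the workspace, counts findings by severity, and exits non-zero when anything at or above a chosen severity is present, so a `sh 'python3 sca_gate.py dependency-check-report.json HIGH'` step after `dependencyCheck` would fail the stage. The script name, the severity argument and the embedded sample report (with placeholder CVE ids) are assumptions for this example; the report fields it reads (`dependencies[].fileName`, `dependencies[].vulnerabilities[].name`, `.severity`) follow the Dependency-Check JSON schema.

```python
"""Gate a Jenkins build on the OWASP Dependency-Check JSON report.

Added example, not part of the workshop or the plugin. Usage:
    python3 sca_gate.py [dependency-check-report.json] [LOW|MEDIUM|HIGH|CRITICAL]
If the report file does not exist, a constructed sample report is used so the
script can be run offline.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Dependency-Check severity labels, ordered from least to most severe.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def load_findings(report_text):
    """Return a list of (dependency file name, vulnerability id, severity).

    Walks report["dependencies"][*]["vulnerabilities"][*]. Dependencies with
    no "vulnerabilities" key are clean and are skipped.
    """
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            severity = str(vuln.get("severity", "UNKNOWN")).upper()
            findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), severity))
    return findings


def count_by_severity(findings):
    """Count findings per severity label."""
    return Counter(severity for _, _, severity in findings)


def violates_gate(findings, fail_on="HIGH"):
    """True if any finding is at least as severe as `fail_on`."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    return any(
        sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= threshold
        for _, _, sev in findings
    )


# Constructed sample report: a minimal subset of the real schema with
# placeholder vulnerability ids. This is NOT output from a real scan.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}]},
        {"fileName": "other-lib-2.3.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0003", "severity": "LOW"}]},
        {"fileName": "clean-lib-4.5.jar"},
    ]
})


def main(argv):
    path = Path(argv[1] if len(argv) > 1 else "dependency-check-report.json")
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    if path.exists():
        text = path.read_text()
    else:
        print(f"{path} not found, using the constructed sample report")
        text = SAMPLE_REPORT
    findings = load_findings(text)
    # Most severe findings first; unknown labels sort last.
    findings.sort(key=lambda f: -(SEVERITY_ORDER.index(f[2]) if f[2] in SEVERITY_ORDER else -1))
    for fname, vuln_id, sev in findings:
        print(f"{sev:9} {vuln_id:20} {fname}")
    print("totals:", dict(count_by_severity(findings)))
    if violates_gate(findings, fail_on):
        print(f"FAIL: findings at or above {fail_on.upper()} present")
        return 1
    print(f"PASS: no findings at or above {fail_on.upper()}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate is deliberately separate from report publishing: the published HTML/XML gives developers the detail, while the exit code is what the pipeline acts on. Start with a `HIGH` threshold and tighten it once the existing findings in WebGoat have been triaged, otherwise the stage will fail on the first run.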

In case you need additional details on the Pipeline syntax, the Jenkins docs are available locally at http://127.0.0.1:8080/pipeline-syntax/.

In the next section we are going to build our application.