Apart from SAST it is a good idea to use SCA - Software Composition Analysis. It can be integrated either in the SCM or in CI.
More information about what SCA is can be found here (slide 12).
We will show 2 different setups. One way is to integrate it into your SCM (GitHub).
For this purpose, make an account with Snyk at snyk.io. After that, add your forked WebGoat project.
The other way is to integrate it into CI (Jenkins). Install the OWASP Dependency-Check Plugin. Configure the installation in Global Tool Configuration and use the latest version.
Add the dependency check step to the pipeline. The easiest way to do it is via the dependencyCheck command; the odcInstallation value must match the name you gave the installation in Global Tool Configuration:
    dependencyCheck additionalArguments: '--scan "path to scan" --format HTML', odcInstallation: 'dependency-check'
The full stage looks like this:
    pipeline {
        agent none
        stages {
            // stages from previous sections
            stage('SCA') {
                agent any
                steps {
                    dependencyCheck additionalArguments: ''' -o "./" -s "./" -f "ALL" --prettyPrint''', odcInstallation: 'dependency-check'
                }
            }
        }
    }
If you want to include publishing of the reports, add this step to the pipeline:
    dependencyCheckPublisher (pattern: 'dependency-check-report.xml')
The final version of the pipeline should look like this:
    pipeline {
        agent none
        stages {
            // stages from previous sections
            stage('SCA') {
                agent any
                steps {
                    dependencyCheck additionalArguments: ''' -o "./" -s "./" -f "ALL" --prettyPrint''', odcInstallation: 'dependency-check'
                    dependencyCheckPublisher (pattern: 'dependency-check-report.xml')
                }
            }
        }
    }
In case you need additional details for the syntax of the Pipeline, the Jenkins docs are available locally at http://127.0.0.1:8080/pipeline-syntax/.
In the next section we are going to build our application.