Comment: Published by Scroll Versions from space DTPDEVEL and version 2022.1

...

Vulnerabilities are reported in DTP as violations of the OWASP Top 10 2021 A6: Vulnerable and Outdated Components guideline. Merging the OWASP Dependency Check Pack data with code analysis results from Parasoft Jtest or dotTEST enables the full implementation of your OWASP security compliance initiative.


Requirements

...

  1. Extract the contents of the security-bundle-<version>.zip file, which contains the dependency-check-<version>.zip and security-compliance-pack-<version>.zip files.
  2. Extract the dependency-check-pack-<version>.zip distribution to the desired location. Some extractor tools, such as the default Windows and macOS extractors, create a directory for the pack files; if your tool does not, create an installation home directory to hold the extracted files.
  3. Follow the instructions for installing the Security Compliance Pack into your DTP environment. This step is not required to run the OWASP Dependency Check Pack, but it is required to view the results in DTP.

...

If you have not already done so, execute OWASP dependency-check and have it write its results to an XML file; the XML report is what the pack reads. To send these results to Parasoft DTP using the OWASP Dependency Check Pack:

  1. Open a command prompt and navigate to the OWASP Dependency Check Pack installation directory.
  2. Execute the .bat or .sh script, specifying the OWASP dependency-check results file with the -results.file parameter, e.g.:

    ./dependencycheck.sh -results.file="/Users/admin/Desktop/dependency_check.xml"

...

  3. The -results.file parameter is the only required parameter, but you can also pass the following optional parameters:

    -parasoft.local.storage.dir

    This setting specifies the location for generated log files. The recommended location is ${project.base.dir}/.dependencycheck.

    For example:

    -parasoft.local.storage.dir=.dependencycheck

    -settings

    By default, the OWASP Dependency Check Pack reads the settings.properties file in the installation directory, but you can use this setting to point to an alternate configuration file. Example:

    -settings=C:\my-team-configs\my-settings.properties
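The procedure above (run dependency-check with XML output, then hand that file to the pack) is easy to get wrong in a pipeline: pointing -results.file at the HTML report, or at a file that was never written because the scan failed, silently sends nothing useful to DTP. The following wrapper is an added example and not part of the Parasoft documentation or product. It assumes the OWASP dependency-check CLI is on PATH as dependency-check.sh, that the pack is extracted where PACK_HOME points, and that the optional PACK_SETTINGS variable names an alternate properties file; the function names are ours. It validates the report before publishing and counts the reported vulnerabilities so the pipeline can fail locally as well.

```shell
#!/bin/sh
# Added example, not part of the Parasoft documentation or product: a CI wrapper
# for the two-step procedure (dependency-check scan, then OWASP Dependency Check
# Pack upload). Assumes "dependency-check.sh" is on PATH and PACK_HOME points at
# the extracted pack; function names and variables below are ours.
set -eu

PACK_HOME="${PACK_HOME:-${HOME:-/opt}/dependency-check-pack}"   # assumed install location

# check_results_file <xml>: verify the file is a dependency-check XML report before
# it is sent anywhere. It must exist, be non-empty and carry the report's
# <analysis> root element; a stray HTML report or an empty file is rejected.
check_results_file() {
    f="$1"
    [ -s "$f" ] || { echo "results file missing or empty: $f" >&2; return 1; }
    grep -q '<analysis[ >]' "$f" || { echo "not a dependency-check XML report: $f" >&2; return 1; }
    return 0
}

# count_vulnerabilities <xml>: number of <vulnerability> entries in the report, so a
# pipeline can fail locally even before the results reach DTP. Prints 0 when none.
count_vulnerabilities() {
    grep -o '<vulnerability[ >]' "$1" | wc -l | tr -d ' '
}

# run_scan_and_publish <project-dir>: run dependency-check, validate its XML output,
# then hand the report to the pack using the documented parameters only.
run_scan_and_publish() {
    project="$1"
    storage="$(cd "$project" && pwd)/.dependencycheck"   # recommended local storage dir, made absolute
    mkdir -p "$storage"
    # Step 1: dependency-check writes dependency-check-report.xml into --out.
    dependency-check.sh --project "$(basename "$project")" \
        --scan "$project" --format XML --out "$storage"
    results="$storage/dependency-check-report.xml"
    # Step 2: refuse to publish anything that is not a real report.
    check_results_file "$results"
    echo "vulnerable components reported: $(count_vulnerabilities "$results")"
    # The pack script is run from its own installation directory, as documented.
    ( cd "$PACK_HOME" && ./dependencycheck.sh \
        -results.file="$results" \
        -parasoft.local.storage.dir="$storage" \
        ${PACK_SETTINGS:+-settings="$PACK_SETTINGS"} )
}

# Usage: sh dc-to-dtp.sh run /path/to/project   (without "run", only the functions load)
if [ "${1:-}" = run ]; then
    run_scan_and_publish "${2:-.}"
fi
```

The validation deliberately keys on the <analysis> root element of the dependency-check XML schema rather than on the file extension, because a misnamed HTML report would otherwise pass. Run the script with the dependency-check data already updated; a scan against a stale local vulnerability database under-reports and the pack will faithfully upload that under-report.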

Viewing Results

After executing the OWASP Dependency Check Pack, results are output in two ways:

  • As local Parasoft HTML reports. The local HTML report (and the XML data that feeds it) is saved to the <INSTALL>/reports directory after execution.
  • Sent to DTP and presented in widgets, reports, and other visualizations. Vulnerabilities are reported in DTP as violations of the OWASP Top 10 2021 A6: Vulnerable and Outdated Components guideline. See OWASP Compliance for details on viewing violations in DTP.

Sending Results to DTP as OWASP Top 10 2017

As mentioned under Viewing Results above, results are sent to DTP as violations of the OWASP Top 10 2021 A6: Vulnerable and Outdated Components guideline. You can instead send them as violations of the OWASP Top 10 2017 A9: Using Components with Known Vulnerabilities guideline. To do so, edit the <dependency check pack install folder>\etc\dependencycheck-settings.properties file as follows, so that exactly one rules.provider_dependencycheck.data line remains active:

Uncomment the following line:

    rules.provider_dependencycheck.data=${env_var:ANALYZER_HOME}/rules/builtin/dependencycheck-owasp-2017-A9-rulesmap.xml

Comment out the following line:

    rules.provider_dependencycheck.data=${env_var:ANALYZER_HOME}/rules/builtin/dependencycheck-owasp-2021-A6-rulesmap.xml
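Editing the two lines by hand is fine once, but teams that keep one pack installation for projects on different compliance baselines end up toggling it repeatedly, and leaving both lines uncommented is the usual mistake. The script below is an added example, not Parasoft's own tooling; it assumes the properties file uses a plain leading # to comment a line, and the function names are ours. It enables the rule map for the requested year, disables the other one, and reports which map is active so the result can be checked before the pack is run.

```shell
#!/bin/sh
# Added example (not Parasoft's own tooling): switch the OWASP Dependency Check
# Pack between the OWASP Top 10 2021 A6 and 2017 A9 rule maps by editing the
# rules.provider_dependencycheck.data lines in dependencycheck-settings.properties.
# Assumes lines are commented with a leading '#'; function names are ours.
set -eu

# select_owasp_mapping <2017|2021> <properties-file>
# Uncomments the rules.provider_dependencycheck.data line for the chosen year and
# comments out the other one, so exactly one mapping is active afterwards.
# Safe to run repeatedly: lines already in the right state are left unchanged.
select_owasp_mapping() {
    year="$1"; file="$2"
    case "$year" in
        2017) on='dependencycheck-owasp-2017-A9-rulesmap.xml'
              off='dependencycheck-owasp-2021-A6-rulesmap.xml' ;;
        2021) on='dependencycheck-owasp-2021-A6-rulesmap.xml'
              off='dependencycheck-owasp-2017-A9-rulesmap.xml' ;;
        *) echo "unsupported OWASP Top 10 year: $year" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    # First expression: strip any leading '#' from the line that names $on.
    # Second expression: prefix '#' to an uncommented line that names $off
    # ('^rules' does not match an already commented line, so no '##' build-up).
    sed -e "/^#*rules\.provider_dependencycheck\.data=.*$on/s/^#*//" \
        -e "/^rules\.provider_dependencycheck\.data=.*$off/s/^/#/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_mapping <properties-file>: prints the file name of the rule map that is
# currently enabled (one line per uncommented data entry; more than one is a misconfiguration).
active_mapping() {
    grep '^rules\.provider_dependencycheck\.data=' "$1" | sed 's/.*\///'
}

# Usage: sh select-owasp-map.sh 2017 /path/to/etc/dependencycheck-settings.properties
if [ $# -eq 2 ]; then
    select_owasp_mapping "$1" "$2"
    echo "active rule map: $(active_mapping "$2")"
fi
```

Before running the pack, check that active_mapping prints exactly one file name; two names means both lines are uncommented and the pack's behaviour depends on which one wins, which is not something to leave to chance on a compliance report.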