Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...

  • Java Runtime 11.
  • X-Server access (Linux only). The DISPLAY variable must be set, and access control must be disabled for the xhost command (run xhost +). This is required to ensure that overview images in HTML reports display correctly.
  • OWASP Dependency-Check results in XML format. See the OWASP Dependency-Check documentation for details.
  • Analysis from OWASP Dependency-Check 8Check 10.0.2 .1 is supported.

Deployment

  1. Extract the dependency-check-pack-<VERSION>.zip distribution to the desired location. Some extractor tools, such as the default Windows extractors, will create a directory for the dependency check pack files. We recommend creating an installation home directory if your tool does not automatically create a directory to hold the extracted files.
  2. Follow the instructions for installing Security Compliance Pack into your DTP environment. This step is not required to run the OWASP Dependency-Check Pack, but it is required for viewing results in DTP.

...

For DTP to display the OWASP Dependency-Check rule documentation, the rules shipped with the OWASP Dependency-Check Pack must be copied to the DTP rules directory. 

Copy the contents of the <DEPENDENCY_CHECK_INSTALL>/rulesdoc/dependencycheck/ directory to the <DTP_INSTALL>/tomcat/webapps/grs/rulesdoc/ directory.

After copying the rules, documentation associated with OWASP Dependency-Check violations will be available in DTP interfaces, such as the Documentation tab of the Violations Explorer. 

End User License Agreement Acceptance

Set the following property to accept the Parasoft End User License Agreement (please read the EULA at https://www.parasoft.com/license):

parasoft.eula.accepted=true

Connecting to DTP

The OWASP Dependency-Check Pack is a separate tool and must connect to DTP to acquire a license and to send results to your DTP project. Specify the following settings in the settings.properties file located in the installation directory:

dtp.url

Specifies the URL to your DTP server.

...

dtp.port

...

Remember to include the https:// protocol; DTP requires https:// connections from other Parasoft tools.
dtp.user

Specifies the username for DTP authentication.

dtp.password

Specifies the user password for DTP authentication. You can encode your DTP password by running the dependency.sh or dependency.bat with the -encodepass parameter. For example:

./dependencycheck.sh -encodepass=<MYPASSWORD>

dtp.project

Specifies the name of the existing DTP project that you want to link to. 

build.id

Specifies the build that the data should be associated with. For accurate results, the build ID should match the build ID configured in your static analysis tool.
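A pre-flight check for the settings described above, added here as an example and not part of the Parasoft documentation or product. It assumes every setting listed in this section is required; the function names prop and check_settings are hypothetical, and the permission check applies to Linux and macOS.

```shell
#!/bin/sh
# Added example (not Parasoft code): pre-flight check for settings.properties.
# Assumption: every setting listed in "Connecting to DTP" is treated as required.

# Print the value of key $2 from properties file $1 (last assignment wins).
prop() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in the key literally
    tr -d '\r' < "$1" |
        sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Return 0 if the file passes all checks; otherwise print each problem, return 1.
check_settings() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    for key in dtp.url dtp.user dtp.password dtp.project build.id; do
        [ -n "$(prop "$file" "$key")" ] || { echo "missing: $key"; rc=1; }
    done

    # DTP requires https:// connections from other Parasoft tools.
    case "$(prop "$file" dtp.url)" in
        https://*) ;;
        *) echo "dtp.url must start with https://"; rc=1 ;;
    esac

    # The file holds dtp.password, so other users should not be able to read it.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "$file is world-readable"; rc=1
    fi
    return $rc
}
```

Call `check_settings settings.properties` from the installation directory before running the pack; a non-zero exit status means at least one problem was printed.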

Usage

If you have not already done so, execute OWASP Dependency-Check. The results should be output to an XML file. To send these results to Parasoft DTP using OWASP Dependency-Check Pack:

  1. Open a command prompt and navigate to the OWASP Dependency-Check Pack installation directory.
  2. Execute the .BAT or .SH script, specifying the OWASP Dependency-Check results using the -results.file parameter, for example:

    ./dependencycheck.sh -results.file="/Users/admin/Desktop/dependency_check.xml"

    The -results.file is the only required parameter, but you can pass the following optional parameters:

    -parasoft.local.storage.dir: This setting specifies the location for generated log files. The recommended location is ${project.base.dir}/.dependencycheck. For example:

    -parasoft.local.storage.dir=.dependencycheck

    -settings: By default, the OWASP Dependency-Check Pack will reference the settings.properties file in the installation directory, but you can use this setting to point to alternate configuration files. Example:

    -settings=C:\my-team-configs\my-settings.properties

...

  • As local Parasoft HTML reports. The local HTML report (and XML data that feeds the report) are saved to the <INSTALL> <DTP_INSTALL>/reports directory after execution.
  • Sent to DTP and presented in widgets, reports, and other visualizations. Vulnerabilities are reported in DTP as violations of the OWASP Top 10 2021 A6: Vulnerable and Outdated Components guideline. See OWASP Compliance for details on viewing violations in DTP.

...