Dependency Security Scanning
OWASP Dependency-Check
In our example, we are using Python for our microservices. We used pip to install the following dependencies:
- For the menu service, we installed flask==3.1.0, psycopg2-binary==2.9.10, and flask_sqlalchemy==3.1.1.
- For the qr service, we installed flask==3.1.0 and qrcode[pil]==7.2.
For our use case, since we are using Python, we have several options. Some are commercial, such as Snyk, WhiteSource (now Mend), and Sonatype Nexus Lifecycle; others are open source, such as Safety, Dependabot, and OWASP Dependency-Check. The latter is one of the most popular open-source tools for detecting publicly disclosed vulnerabilities in application dependencies (a practice usually called software composition analysis, or SCA). It works by identifying your project's dependencies and checking them against the following databases and sources:
- National Vulnerability Database (NVD)
- CISA Known Exploited Vulnerability Catalog
- GitHub Advisory Database (via NPM Audit API)
- RetireJS
- Sonatype OSS Index
Understanding if our dependencies have known vulnerabilities is important for the security of our application and its ecosystem. Ideally, the tool we use to scan for vulnerabilities should be able to:
- Identify the dependencies used in the project.
- Check the dependencies against a database of known vulnerabilities.
- Provide a report with the vulnerabilities found, including CVE, CVSS, CWE, and CPE information.
Fortunately, Dependency-Check does all of this.
To see how this tool works, start by installing it on the workspace server. The commands below write to /opt and call apt, so run them as root, and verify the downloaded archive against the checksum or signature published on the release page before unzipping it:
# Change to the home directory
cd $HOME/
# Download the Dependency-Check tool
curl -sL \
https://github.com/dependency-check/DependencyCheck/releases/download/v12.1.0/dependency-check-12.1.0-release.zip \
-o /opt/dependency-check.zip
# Unzip the tool
cd /opt/ && \
apt install unzip -y && \
unzip dependency-check.zip && \
rm dependency-check.zip
# Install Java (Dependency-Check 11.0.0 and later require Java 11 or newer)
apt install openjdk-21-jre -y
Request an API key from the NVD (https://nvd.nist.gov/developers/request-an-api-key). Then append it to your shell profile as an environment variable, pasting the key after the = sign before running the command. Note that this stores the key in plaintext in ~/.bashrc, which is acceptable for a throwaway workspace; in a CI pipeline, inject it from the pipeline's secret store instead:
cat <<EOF >> ~/.bashrc && source ~/.bashrc
export NVD_API_KEY=
EOF
Run the Dependency-Check tool to scan the dependencies of the menu service. The --scan path covers the whole RestQR checkout, so the requirements files of both services are picked up. The --enableExperimental flag is required because Dependency-Check's Python analyzers (the ones that read requirements.txt and installed packages) are still marked experimental and are disabled by default:
# Run the Dependency-Check tool and use the API key
/opt/dependency-check/bin/dependency-check.sh \
--scan $HOME/RestQR/ \
--nvdApiKey $NVD_API_KEY \
--enableExperimental \
--project RestQR-Menu \
--format HTML \
--out $HOME/dependency-check-menu
The NVD holds well over two hundred thousand CVE records, and the first run downloads them into a local database before scanning, so it can take several minutes to complete (considerably longer without an API key, because unauthenticated requests are rate-limited). Later runs only fetch updates. Once the scan is complete, you will find an HTML report in the dependency-check-menu directory.
Create a local Python server to view the HTML report:
# Change to the dependency-check-menu directory
cd $HOME/dependency-check-menu
# Start a server in the background (by default it listens on all interfaces)
python3 -m http.server 8000 > /dev/null 2>&1 &
# Open your browser and navigate to the following URL
echo "http://$(curl -s ifconfig.me):8000"
The report lists exactly which vulnerable components your service ships, so do not leave it reachable from the internet. If the workspace has a public address, prefer starting the server with python3 -m http.server --bind 127.0.0.1 8000 and reaching it through an SSH tunnel, and stop it (kill %1) once you have read the report.
In my case, the scanner didn't find any vulnerabilities in the dependencies; however, it detected the libraries used, and for some of them it assigned a CPE (Common Platform Enumeration) identifier. For example:
- Flask-SQLAlchemy:3.1.1 was matched to cpe:2.3:a:sqlalchemy:sqlalchemy:3.1.1:*:*:*:*:*:*:*
- psycopg2-binary:2.9.10 was matched to cpe:2.3:a:binary_project:binary:2.9.10:*:*:*:*:*:*:*
Check such matches rather than trusting them. Flask-SQLAlchemy is an extension that wraps SQLAlchemy, not SQLAlchemy itself (and SQLAlchemy has no 3.1.1 release), and binary_project:binary has nothing to do with psycopg2. A wrong CPE makes the tool report CVEs for a product you don't ship, or miss CVEs for the one you do, so review the identifiers in the report and silence the false ones with a suppression file passed through --suppression.
If the scan reports no vulnerabilities and you want to see what the report looks like when it does, install a deliberately outdated package such as requests==2.19.1 and run the scan again. Because pip freeze writes transitive packages as well, the requirements file will also pin the old urllib3 release that this version of requests depends on, and both will show up in the report:
# Activate the virtual environment
workon menu
# Install the vulnerable package
pip install requests==2.19.1
# Create the requirements file
pip freeze > $HOME/RestQR/menu/requirements.txt
# Run the Dependency-Check tool and use the API key
/opt/dependency-check/bin/dependency-check.sh \
--scan $HOME/RestQR/ \
--nvdApiKey $NVD_API_KEY \
--enableExperimental \
--project RestQR-Menu \
--format HTML \
--out $HOME/dependency-check-menu
After visiting the new report, you should see a table like the following:
| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| urllib3:1.23 | | pkg:pypi/urllib3@1.23 | HIGH | 7 | | 3 |
| requests:2.19.1 | | | | | | |
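Reading the HTML report is fine for a one-off check, but in a pipeline the scan should produce a verdict. The following script is an added example for this page, not code from the course or from OWASP Dependency-Check. It assumes the scan above was re-run with --format JSON, which writes dependency-check-report.json into the --out directory, and that the report follows Dependency-Check's JSON layout (dependencies[].packages[].id and dependencies[].vulnerabilities[] with name, severity and cvssv3.baseScore). The embedded SAMPLE_REPORT is constructed to mirror the requests==2.19.1 run; its scores are illustrative. The accepted-until-date convention and the script name dc_gate.py are choices made for this example.

```python
# Added example (not course or Dependency-Check code): gate a CI job on a
# Dependency-Check JSON report (--format JSON writes dependency-check-report.json).
# Assumed report layout: dependencies[].packages[].id and
# dependencies[].vulnerabilities[] with name, severity and cvssv3.baseScore.
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Dependency-Check's severity labels, ranked so a threshold can be applied.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    package: str   # package URL as reported, e.g. pkg:pypi/urllib3@1.23
    cve: str       # vulnerability name, e.g. CVE-2019-11324
    severity: str  # LOW / MEDIUM / HIGH / CRITICAL
    score: float   # CVSS v3 base score, falling back to v2 when v3 is absent


def findings_from_report(report: dict) -> list[Finding]:
    """Flatten dependencies[].vulnerabilities[] into Findings, highest score first."""
    findings = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or []
        package = packages[0]["id"] if packages else dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities") or []:
            cvss = vuln.get("cvssv3") or vuln.get("cvssv2") or {}
            findings.append(Finding(package, vuln["name"],
                                    str(vuln.get("severity", "UNKNOWN")).upper(),
                                    float(cvss.get("baseScore", 0.0))))
    return sorted(findings, key=lambda f: (-f.score, f.package, f.cve))


def gate(findings, min_severity="HIGH", accepted=None, today=None):
    """Return the findings that must fail the build.

    accepted maps a CVE id to an ISO date until which the risk is accepted
    (a convention chosen for this example); once that date passes the entry
    stops suppressing the finding, so accepted risks resurface instead of
    being forgotten. today is an ISO date override for deterministic runs.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    now = date.fromisoformat(today) if today else date.today()
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        until = (accepted or {}).get(f.cve)
        if until and now <= date.fromisoformat(until):
            continue
        blocking.append(f)
    return blocking


# Constructed sample in the shape of a Dependency-Check JSON report; it mirrors
# the requests==2.19.1 run above, with illustrative scores.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "urllib3:1.23",
         "packages": [{"id": "pkg:pypi/urllib3@1.23", "confidence": "HIGHEST"}],
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2019-11324", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.5}},
             {"source": "NVD", "name": "CVE-2019-11236", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 6.1}}]},
        {"fileName": "requests:2.19.1",
         "packages": [{"id": "pkg:pypi/requests@2.19.1", "confidence": "HIGHEST"}],
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2018-18074", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "flask:3.1.0",
         "packages": [{"id": "pkg:pypi/flask@3.1.0", "confidence": "HIGHEST"}],
         "vulnerabilities": []},
    ],
}


def run(report_path=None, min_severity="HIGH", accepted=None, today=None):
    """Print one line per finding and return the CI exit status (1 = block)."""
    if report_path:
        with open(report_path, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings = findings_from_report(report)
    blocking = gate(findings, min_severity, accepted, today)
    for f in findings:
        status = "BLOCK" if f in blocking else "ok"
        print(f"{status:<5} {f.severity:<8} {f.score:>4} {f.cve:<15} {f.package}")
    print(f"{len(blocking)} blocking finding(s) at severity >= {min_severity.upper()}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python3 dc_gate.py $HOME/dependency-check-menu/dependency-check-report.json
    sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else None))
```

Dependency-Check's own --failOnCVSS flag already makes the scan exit non-zero above a CVSS score and is enough for a plain cut-off; what the script adds is risk acceptances that expire, and a one-line-per-finding summary for the pipeline log. False CPE matches like the ones discussed above should be fixed with a suppression file (--suppression), not hidden behind a severity threshold.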
DevSecOps in Practice
A Hands-On Guide to Operationalizing DevSecOps at Scale