Software Component Analysis (SCA)

Maturity Model Level 1

What is it?

This analysis should run locally on each dev instance. How SCA tools work? SCA tools look for components/library/dependency files in the repository. Each dependency is crossed checked using its checksums with a database of vulnerable components. Every programming language has its own package/dependency manager and build tool.

Some build tools and dependency managers can be found in this table.

Language

Dependency Manager & Build tool

File

Python

pip

requirements.txt

node.js,

npm

package.json

java

rubygems

gemfile

java

maven

pom.xml

java

gradle

build.gradle

java

ant

.xml

haskell

cabal

.cabal

The tools

Fall under SAST. List available here https://analysis-tools.dev/ and here: https://github.com/analysis-tools-dev/static-analysis

CD/CI pipeline

We do not want to fail the builds in DevSecOps Maturity Levels 1 and 2. If a security tool fails a job, it won’t allow other DevOps jobs like release/deploy to run hence causing great distress to DevOps Team. Moreover, the security tools suffer from false positives. Failing a build on inaccurate data is a sure recipe for disaster. In gitlab pipelines one can use the allow_failure tag to not fail the build even though the tool found security issues.

Rule of thumb: only fail the build when CVSS score is lower than 7 and save the output preferably as JSON if available.

retire.js: usage

Retire.js is a tool to analyse components in a nodejs project, by default based on the file package.json. The juiceshop https://github.com/bkimminich/juice-shop application is based on nodejs. We'll use https://github.com/RetireJS/retire.js for SCA.

Let's play this locally: get the vulnerable web app on your machine/inside your container and enter its root folder

$ git clonehttps://github.com/bkimminich/juice-shop

$ cd juice-shop

Install node js $

$ curl -sL https://deb.nodesource.com/setup_10.x | bash - $ apt install nodejs -y

Install the SCA tool

$ npm install -g retire

Run the scanner. The scanner will then scan the javascript libraries/depencies found in the package.json file:

$ cat package.json

Before running the scan, we need to install the npm packages available in the package.json file using the npm install command.

$ npm install

Run retire and store the result in a machine readable format.

$ retire --outputformat json --outputpath output.json

If that worked, we can now integrate the scanner into our build pipeline. We need to describe the steps we did locally in the build script. Note that we did not have to get an environment to run our tool locally, since it was our local computer. If we integrate the tool in a build pipeline we should get a docker image where we can run this tool. If you want, you can test this on your local machine first and do all of steps within a docker container. In the build script you need add a step to run the specific container first.

retire.js: CD/CI integration

Integrate retirejs in the test stage of your build pipeline and allow failure. Create a .retireignore.json file in the root directory of your app if needed. If you don't have access to create it there you can pass a specific file using the option --ignorefile .myignorefile.json

Example of an integration in a gitlab CD/CI

sca-analysis:
  stage: test
    image: node:alpine3.10
    before_script:
      - npm install
      - npm install -g retire # Install retirejs npm package.
    script:
      - retire --outputformat json --outputpath retirejs-report.json --severity high --exitwith 0
    artifacts:
      paths: [retirejs-report.json]
      when: always # What is this for?
      expire_in: one week
    allow_failure: true

We allow the failure in SCA analysis.

npm: usage

NPM has security build in since npm@6, this command allows you to analyze dependencies in your existing code to identify insecure dependencies, have a good security report, and also easy to implement it into CI/CD pipeline without install any packages except NPM itself.

install npm if not done

sudo apt install npm

or update

npm install npm@latest -g

install node js

apt install nodejs -y

npm audit --json > results.json

npm: CD/CI integration

You should not run npm install before running the script because it will audit the package.js. If you want to break the build on failure you don't want to get the packages installed.

npm-audit:
  stage: test
  image: node:alpine3.10
  script:
    - npm audit --json > npm_audit_results.json
  artifacts:
    paths: [npm_audit_results.json]
    when: always
    expire_in: one week
  allow_failure: true

Safety: usage

Safety is a SCA tool for python projects. Download a vulnerable python based webapp and enter the root older of project

git clone <your vulnerable web app> | cd <the root folder>

Install safety and tun checks

pip3 install safety

tee command to store the output in a file and print out simultaneously

safety check -r requirements.txt --json | tee safety_output.json

or only store in a file

safety check -r requirements.txt --json > safety_output.json

Safety: CD/CI integration

I did the practical devsecops certification and used their docker image to solve this.

oast:
  stage: test
  script:
    # We are going to pull the hysnsec/safety image to run the safety scanner
    - docker pull hysnsec/safety
    # third party components are stored in requirements.txt for python, so we will scan this particular file with safety.
    - docker run -v $(pwd):/src --rm hysnsec/safety check -r requirements.txt --json > safety-output.json
  artifacts:
    paths: [safety-output.json]
    when: always
  allow_failure: true

If you choose to use open source scanners be sure they are safe.

How can I be sure that my open source scanner does not contain malware? Either you rely on a community or you check-out the source code yourself and analyze the code. That's what github did https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/

OWASP Dependency Check: usage

OWASP Dependency-Check is an open-source tool that checks dependencies for vulnerabilities of java projects. The tool is available on the owasp website here: https://owasp.org/www-project-dependency-check/

Checkout a vulnerability App written in Java. https://app.gitbook.com/@mw1po/s/devsecops/~/drafts/-M_p7DakW5A1RcqLX09a/practice.-create-a-local-devsecops-environment/vulnerable-web-apps

To run the owasp tool you need the java runtime JRE on your executing machine. Install it if not existent.

wget https://github.com/jeremylong/DependencyCheck/releases/download/v6.1.6/dependency-check-6.1.6-release.zipExtract it and add the executable to the path so you can use it on the command line

export PATH=/opt/dependency-check/bin:$PATH

Run it 

dependency-check.sh --scan /webapp --format "CSV" --project "Webgoat" --failOnCVSS 8 --out /opt

OWASP Dependency Check: CD/CI integration

create a file inside the app repo and copy paste the following code to it

#!/bin/sh

DATA_DIRECTORY="$PWD/data"
REPORT_DIRECTORY="$PWD/reports"

if [ ! -d "$DATA_DIRECTORY" ]; then
  echo "Initially creating persistent directories"
  mkdir -p "$DATA_DIRECTORY"
  chmod -R 777 "$DATA_DIRECTORY"

  mkdir -p "$REPORT_DIRECTORY"
  chmod -R 777 "$REPORT_DIRECTORY"
fi

cd webgoat-container

# Make sure we are using the latest version
docker pull owasp/dependency-check

# mvn install -Dmaven.test.skip=true
docker run --rm \
  --volume $(pwd):/src \
  --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \
  --volume "$REPORT_DIRECTORY":/report \
  owasp/dependency-check \
  --scan /src \
  --format "CSV" \
  --project "Webgoat" \
  --failOnCVSS 8 \
  --out /report

You'll execute the file within the test step in the pipeline:

odc-backend:
  stage: test
  image: gitlab/dind:latest
  script:
    - chmod +x ./run-depcheck.sh
    - ./run-depcheck.sh
  artifacts:
    paths:
      - reports/dependency-check-report.csv
    when: always
    expire_in: one week

audit.js:usage

auditjs audits npm packages and identifies outdated packages using the api from Sonatype.

Installation

curl -sL https://deb.nodesource.com/setup_10.x | bash -

apt install nodejs -y && npm install -g auditjs

Running the help tells us about different scans:

Commands:
  auditjs iq [options]    Audit this application using Nexus IQ Server
  auditjs config          Set config for OSS Index or Nexus IQ Server
  auditjs ossi [options]  Audit this application using Sonatype OSS Index

But before we can run it, we need to install the dependencies of the project with

npm install

auditjs ossi -q -j | tee auditjs-output.json

audit.js: CD/CI integration

  sca-auditjs:
    stage: test
    image: node:lts-alpine3.13
    script:
      - apk add git
      - git checkout master
      - npm install -g auditjs
      - npm install
      - auditjs ossi -q -j | tee auditjs-output.json
    artifacts:
      paths: [auditjs-output.json]
      when: always
      expire_in: one week
    allow_failure: true

bundle-audit: usage

ls into the project folder of your ruby project and check the ruby version. You can use this app for testing git clone https://gitlab.practical-devsecops.training/pdso/rails.git webapp

cat Gemfile | grep "ruby"

Now install it according to your system. Don't forget to add ruby on your path with 

/webapp# export PATH="/root/.rbenv/versions/2.6.5/bin:$PATH"
/webapp# ruby --version
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]

Then install the gem for bundle-audit

gem install --user-install bundler-audit

Add bundle-audit to the path

export PATH="~/.gem/ruby/2.6.0/bin/:$PATH"

Use it with 

bundle-audit check --format json --output bundle-audit.json

Ignore vulnerabilities with criticity high by adding .bundler-audit.yaml to the repo

---
ignore:
  - Criticality: High
  - CVE: xxxx-xxx

bundler-audit CD/CI integration

find the ruby version of your app and get a corresponding docker image on docker hub

sca-ruby-with-bundler:
  stage: test
  image: ruby:2.6.5-alpine3.11
  script:
    - apk add git
    - echo 'Checking out master branch ...'
    - git checkout master
    - echo 'Ruby version is'
    - cat Gemfile | grep "ruby"    # see ruby version
    - echo 'Installing bundler-audit sca tool...'
    - export PATH="~/.gem/ruby/2.6.0/bin:$PATH" # add ruby to the path
    - gem install --user-install bundler-audit
    - bundle-audit check --format json --output bundle-output.json # run check 
  artifacts:
    paths: [bundle-output.json]
    when: always
    expire_in: one week
  allow_failure: true

Synk

Synk is a dependency analysis tool for many languages: Ruby, Python, NodeJS, Java, Go, .NET. You need to register an account in order to use it.

Download sync at https://github.com/snyk/snyk and install it. Create an account and an auth token.

snyk auth YOUR_API_TOKEN_HERE

You can store it in the environment on your machine with

export SNYK_TOKEN=YOUR_TOKEN_HERE

In your app folder, install the dependencies and then run the scan

npm install
snyk test --json . > output.json

Synk CD/CI integration


oast-snyk:
  stage: test
  image: node:latest
  before_script:
    - wget -O snyk https://github.com/snyk/snyk/releases/download/v1.566.0/snyk-linux
    - chmod +x snyk
    - mv snyk /usr/local/bin/
  script:
    - npm install
    - snyk test --json > snyk-results.json
  artifacts:
    paths:
    - snyk-results.json
  allow_failure: true #<--- allow the build to fail but don't mark it as such

PreviousSelf-hosted DevOps CD/CI platformsNextStatic Application Security Testing (SAST)

Last updated