
Conversation

@bobthesecurityguy
Contributor

  • Updated OWASP Dependency Check task to parse options for external CVE database.
  • Added PostgreSQL plugin to docker image to allow use of external Postgres databases in Docker image.

This enables glue to optionally use a separate, persistent database for OWASP Dependency Check. Doing so enables the use of this task from the Glue docker image (or other Glue system of your choice) without needing to download and process the CVE lists on each run and without baking the database into the image. OWASP Dependency Check does not automatically initialize the appropriate tables, so the external database must be initialized out-of-band using the SQL scripts from the upstream Dependency Check repository.

This can be used in commands like: glue --owasp-db-driver-name org.postgresql.Driver --owasp-db-connection-string jdbc:postgresql://dependencycheck-postgresql.svc.cluster.local/dependencycheck --owasp-db-user dependencycheck --owasp-db-pass $OWASP_DB_PASS -t OWASPDependencyCheck .

…OWASP Dependency Check task to parse options for external CVE database. Added PostgreSQL plugin to docker image to allow use of external Postgres databases if glue is spun up in a CI pipeline.
@omerlh
Collaborator

omerlh commented Apr 10, 2019

That sounds heavy - I would recommend using the dynamic task for that. This will allow you to use dependency check however you want :)

@bobthesecurityguy
Contributor Author

I'm not sure I understand your comment. "heavy" in what way? Is this an issue with the flags, with the inclusion of the Postgres plugin in the docker image, or both?

Re-implementing the existing Dependency Check report parser as a dynamic task mapping sounds much more complicated to me than adding a couple of flags that get passed directly through to the scanner.

@omerlh
Collaborator

omerlh commented Apr 10, 2019

It's just my personal point of view. I said heavy because this makes the image larger, and also adds more features to test. I'm against it, but if you are willing to go this route - I'd appreciate it if you can add a test or two, just to ensure the correct arguments are added. The test coverage is not amazing, but I want to make it better.
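As an added illustration (not code from this PR or from Glue itself) of the kind of test being asked for: a small helper that turns the four external-database options described above into the upstream dependency-check CLI flags, emitting only the options that are set, plus a log-safe view of the argument list so the database password is not written to build logs. The option keys and the `owasp_db_args` / `redact_db_password` names are assumptions, not Glue's real task API.

```ruby
# Added example, not Glue's own code. Assumes the tracker exposes the PR's
# flags as a Hash keyed without the "--owasp-" prefix (an assumption).
# The right-hand side values are the real dependency-check CLI flags.
DB_OPTION_FLAGS = {
  'db-driver-name'       => '--dbDriverName',
  'db-connection-string' => '--connectionString',
  'db-user'              => '--dbUser',
  'db-pass'              => '--dbPassword'
}.freeze

# Returns the extra arguments to append to the dependency-check command line.
# Only options that are actually set are emitted, so with no options the
# scanner keeps using its embedded database as before.
def owasp_db_args(options)
  DB_OPTION_FLAGS.each_with_object([]) do |(key, flag), args|
    value = options[key]
    next if value.nil? || value.to_s.strip.empty?
    args << flag << value.to_s
  end
end

# Returns a copy of the argument list with the value following --dbPassword
# masked, so the assembled command can be logged without leaking the secret.
def redact_db_password(args)
  args.each_with_index.map do |arg, i|
    i > 0 && args[i - 1] == '--dbPassword' ? '***' : arg
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample options mirroring the command in the PR description.
  sample = { 'db-driver-name' => 'org.postgresql.Driver',
             'db-connection-string' => 'jdbc:postgresql://db.example.test/dependencycheck',
             'db-user' => 'dependencycheck', 'db-pass' => ENV.fetch('OWASP_DB_PASS', 'constructed') }
  puts redact_db_password(owasp_db_args(sample)).join(' ')
end
```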

@stale

stale bot commented Jun 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 9, 2019