Known Vulnerability Detection in Java and JavaScript code
05 June 2019 | Posted by Mark Torrens

Known vulnerabilities in the software you build should be tracked down and removed.  If they’re not, an attacker may exploit them and steal your data.  In a 2019 survey commissioned by ServiceNow, “57% of respondents who reported a breach, said that they were breached due to a vulnerability”.

In 2017 Equifax failed to remove known vulnerabilities from their Apache Struts-based systems, and millions of their customers lost their personal data.  The problem is, it’s easier said than done.  There are often other priorities on a project and, to make matters worse, our software solutions are often made up of many sub-projects.

Some Kainos projects make use of npm audit and OWASP dependency-check to detect known vulnerabilities in JavaScript and Java projects respectively.  We have written simple scripts to amalgamate the reports from both npm audit and dependency-check to make the job of detecting known vulnerabilities easier.  In this post, we will explain how to make use of these scripts and how to integrate them into a Jenkins pipeline to build a known vulnerability report.

You should consider how frequently you run such a report in your pipeline and if you integrate it into your daily build.  You should run such a report before every deployment to production. 

npm audit

We use npm audit to detect known vulnerabilities in JavaScript code.  npm audit can produce JSON output using the following syntax.

npm audit assigns each vulnerability one of five severities: Critical, High, Moderate, Low and Info.  Any vulnerability classified as Critical or High should be investigated as soon as possible.

npm-audit-amalgamate

amalgamate.py will gather all the vulnerabilities found in a collection of npm audit json files and produce a single file which details all vulnerabilities, sorted by severity.  The image below shows an example of the file that is produced.

The amalgamate.py script takes the following command line arguments.

  • output, the file to output the amalgamated audit data to.
  • type, the type of dependencies to report audit details on.  This argument can be ‘devDependencies’, ‘dependencies’ or ‘both’.
  • input, a comma delimited list of the audit files to amalgamate.
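The amalgamation step described above, as an added example that is not the Kainos npm-audit-amalgamate script: several npm audit JSON documents are merged into one list, the dependency type filter (devDependencies, dependencies or both) is applied, and the result is sorted critical-first. The JSON layout (an `advisories` map whose `findings` carry a boolean `dev` flag, as npm 6 produced it), the `--output`/`--type`/`--input` flag spelling and the sample data are all assumptions.

```python
import argparse
import json
import sys

# npm audit's five severity levels, most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

def load_advisories(audit_json, dep_type="both"):
    """One row per advisory in a single npm audit JSON document.

    dep_type mirrors the script's type argument: 'dependencies' keeps only
    findings reachable from production dependencies, 'devDependencies' only
    dev ones, 'both' keeps everything.  Assumption: the document has an
    'advisories' map whose 'findings' carry a boolean 'dev' flag (npm 6 layout).
    """
    rows = []
    for advisory in audit_json.get("advisories", {}).values():
        findings = advisory.get("findings", [])
        if dep_type == "dependencies":
            findings = [f for f in findings if not f.get("dev", False)]
        elif dep_type == "devDependencies":
            findings = [f for f in findings if f.get("dev", False)]
        if not findings:
            continue  # advisory only reachable through the filtered-out tree
        rows.append({
            "severity": str(advisory.get("severity", "info")).lower(),
            "module": advisory.get("module_name", "?"),
            "title": advisory.get("title", ""),
            "versions": sorted({f.get("version", "?") for f in findings}),
        })
    return rows

def amalgamate(audit_docs, dep_type="both"):
    """Merge advisories from several audit documents (keyed by project name)
    and sort them critical-first, then by module and project."""
    rows = []
    for project, doc in audit_docs.items():
        for row in load_advisories(doc, dep_type):
            row["project"] = project
            rows.append(row)
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["module"], r["project"]))
    return rows

def render(rows):
    """Tab-separated report text, header line first."""
    lines = ["severity\tproject\tmodule\tversions\ttitle"]
    for r in rows:
        lines.append("\t".join([r["severity"], r["project"], r["module"],
                                ",".join(r["versions"]), r["title"]]))
    return "\n".join(lines)

def main(argv=None):
    # Flag spelling is an assumption modelled on the script's documented
    # output / type / input arguments.
    parser = argparse.ArgumentParser(description="Amalgamate npm audit JSON files")
    parser.add_argument("--output", required=True, help="file to write the report to")
    parser.add_argument("--type", default="both",
                        choices=["dependencies", "devDependencies", "both"])
    parser.add_argument("--input", required=True, help="comma delimited audit JSON files")
    args = parser.parse_args(argv)
    docs = {}
    for path in args.input.split(","):
        with open(path) as fh:
            docs[path] = json.load(fh)
    with open(args.output, "w") as fh:
        fh.write(render(amalgamate(docs, args.type)) + "\n")

# Constructed sample data standing in for two `npm audit --json` outputs;
# module names and advisory ids are invented.
def _adv(module, severity, title, version, dev):
    return {"module_name": module, "severity": severity, "title": title,
            "findings": [{"version": version, "dev": dev, "paths": [module]}]}

SAMPLE_AUDITS = {
    "web-frontend": {"advisories": {
        "1001": _adv("example-lib-a", "high", "Prototype Pollution", "1.2.3", False),
        "1002": _adv("example-build-tool", "critical", "Arbitrary Code Execution", "0.9.0", True),
    }},
    "admin-ui": {"advisories": {
        "1003": _adv("example-lib-b", "low", "Regular Expression DoS", "2.0.0", False),
        "1001": _adv("example-lib-a", "high", "Prototype Pollution", "1.2.0", False),
    }},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        main()
    else:
        print(render(amalgamate(SAMPLE_AUDITS, "both")))
```

Run with no arguments to see the report for the constructed sample; with `--input a.json,b.json --output report.tsv --type dependencies` it reads real audit files. Note that the same advisory appearing in two projects is kept as two rows, so the report tells you which projects each fix has to land in.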

OWASP dependency-check

We use OWASP dependency-check to detect known vulnerabilities in the Java code we write.  dependency-check is added to a Maven pom file using the plugin snippet shown below.  Setting the plugin’s format configuration to ALL generates html, json, xml and csv formatted reports.

dependency-check is executed as shown below.

dependency-check-amalgamate

amalgamate.py will gather all the vulnerabilities found in a collection of dependency-check json files and produce a single file that details the vulnerabilities found, sorted by severity.  The image below shows an example of the file that is produced.

The amalgamate.py script takes the following command line arguments.

  • output, the file to output the amalgamated dependency-check data to.
  • input, a comma delimited list of the dependency-check files to amalgamate.
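The equivalent merge for dependency-check output, as an added example that is not the Kainos dependency-check-amalgamate script. It flattens each report into one row per (dependency, CVE), derives a severity from the CVSS score when a finding carries no label, sorts critical-first and adds a build gate that returns the rows at or above a threshold. The report layout (`dependencies[]` entries with `fileName` and `vulnerabilities[]` carrying `name`, `severity`, `cvssv3.baseScore` or `cvssv2.score`) is assumed from 2019-era dependency-check JSON; the sample reports and their CVE ids are constructed placeholders.

```python
import json

# dependency-check labels severities in upper case; 'moderate' is accepted
# as an alias of 'medium' so reports from either tool sort consistently.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "moderate": 2,
                 "low": 3, "info": 4, "unknown": 5}

def severity_from_score(score):
    """CVSS v3 qualitative rating for a base score (used when a finding
    carries a score but no severity label)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"

def extract_rows(project, report):
    """Flatten one dependency-check JSON report into rows, one per
    (dependency, CVE).  Assumption: dependencies[] entries have fileName and
    vulnerabilities[] with name, severity, cvssv3.baseScore or cvssv2.score."""
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = None
            if vuln.get("cvssv3"):
                score = vuln["cvssv3"].get("baseScore")
            elif vuln.get("cvssv2"):
                score = vuln["cvssv2"].get("score")
            severity = str(vuln.get("severity") or "").lower()
            if severity not in SEVERITY_RANK:
                severity = severity_from_score(float(score)) if score is not None else "unknown"
            rows.append({"project": project, "dependency": dep.get("fileName", "?"),
                         "cve": vuln.get("name", "?"), "severity": severity,
                         "score": float(score) if score is not None else None})
    return rows

def amalgamate(reports):
    """Merge reports keyed by project name; most severe and highest scoring first."""
    rows = [r for project, report in reports.items() for r in extract_rows(project, report)]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99),
                             -(r["score"] or 0.0), r["cve"], r["project"]))
    return rows

def summarise(rows):
    """Count of rows per severity, e.g. for a one-line console summary."""
    counts = {}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts

def blocking(rows, threshold="high"):
    """Rows at or above the threshold; a non-empty result is what a pipeline
    would fail (or at least flag) the build on."""
    limit = SEVERITY_RANK[threshold]
    return [r for r in rows if SEVERITY_RANK.get(r["severity"], 99) <= limit]

def load_reports(paths):
    """Read a comma delimited list of report paths into {path: report}."""
    reports = {}
    for path in paths.split(","):
        with open(path) as fh:
            reports[path] = json.load(fh)
    return reports

# Constructed sample reports; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORTS = {
    "orders-service": {"dependencies": [
        {"fileName": "example-collections-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
            {"name": "CVE-0000-0002", "cvssv2": {"score": 5.0}}]},
        {"fileName": "example-logging-2.3.jar"}]},
    "billing-service": {"dependencies": [
        {"fileName": "example-collections-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}}]},
        {"fileName": "example-xml-0.4.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]}]},
}

if __name__ == "__main__":
    rows = amalgamate(SAMPLE_REPORTS)
    for r in rows:
        print("{severity:8} {project:16} {dependency:28} {cve}".format(**r))
    print("summary:", summarise(rows), "blocking:", len(blocking(rows)))
```

The `blocking` check is the piece worth wiring into the pipeline: a report that is only printed gets ignored, whereas a non-zero exit when Critical or High rows exist forces someone to look before the deployment goes ahead.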

Jenkins Integration

These scripts have real value when used in a Jenkins build pipeline.  One build job can deliver a single known vulnerability report for all your Java and JavaScript projects.  The following code snippets, written in Groovy, will help you deliver a working Jenkins pipeline.

Construct a list of projects that you wish to analyse.  For the sake of simplicity, we will call that list, “projects”.  The projects list can then be iterated within the pipeline code. 

Audit

The audit function calls npm audit and archives the resulting output for each JavaScript project.

Join Audit Outputs

Create a comma delimited list of audit output files.

Amalgamate Audit Files

Call amalgamate.py from npm-audit-amalgamate to amalgamate all the npm audit output files.  The generated report is cat’ed to the console and archived.

Dependency Check

The dependencyCheck function runs dependency-check-maven for each Java project, renames the output file and archives it.  This code works when the build runs on Jenkins slaves.  Be careful not to use the Groovy “File” class in Jenkins, which always tries to access files on the Jenkins master rather than on the slave running the build.  Not that I spent hours working that out!

Join Dependency Check Outputs

Create a comma delimited list of dependency-check output files.

Amalgamate Dependency Check Files

Call amalgamate.py from dependency-check-amalgamate to amalgamate all the dependency-check output files.  The generated report is cat’ed to the console and archived.

Maven File Injection

Running dependency-check depends on a Maven pom file already being configured with the dependency-check plugin.  One way to get around this requirement is to inject the plugin on the fly in the build job.  The following steps show you how to do this.

Create a variable to hold the dependency-check plugin.

Remove an existing dependency-check plugin from a maven pom file, if it exists.

Inject the plugin variable into the pom file.

Update the pom file.
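The four injection steps above carried out in Python with the standard library's ElementTree, as an added example rather than the Groovy the post uses in its Jenkins pipeline: the plugin is held in a variable, any existing dependency-check-maven plugin is removed, the new one is appended under build/plugins (creating those elements if the pom lacks them), and the updated pom text is returned for writing back. The `org.owasp:dependency-check-maven` coordinates and the `format` configuration are the plugin's real ones; the version is a placeholder and the sample pom is constructed.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
# Register the POM namespace as the default so the output keeps a plain
# xmlns="..." declaration instead of an ns0: prefix.
ET.register_namespace("", POM_NS)

# Step 1: the plugin definition held in a variable.  groupId/artifactId are the
# real dependency-check-maven coordinates; the version is a placeholder (pin the
# version your project has validated).  format ALL gives html/json/xml/csv.
DEPENDENCY_CHECK_PLUGIN = """
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>X.Y.Z</version>
  <configuration>
    <format>ALL</format>
  </configuration>
</plugin>
"""

def _ns(tag):
    return "{%s}%s" % (POM_NS, tag)

def _find_or_create(parent, tag):
    child = parent.find(_ns(tag))
    if child is None:
        child = ET.SubElement(parent, _ns(tag))
    return child

def remove_dependency_check_plugin(plugins):
    """Step 2: drop any existing dependency-check-maven entries so the build
    runs the injected version, not a stale one.  Returns the number removed."""
    removed = 0
    for plugin in list(plugins.findall(_ns("plugin"))):
        artifact = plugin.find(_ns("artifactId"))
        if artifact is not None and (artifact.text or "").strip() == "dependency-check-maven":
            plugins.remove(plugin)
            removed += 1
    return removed

def inject_dependency_check_plugin(pom_text, plugin_xml=DEPENDENCY_CHECK_PLUGIN):
    """Steps 2-4: remove a stale copy, inject the plugin, return the updated pom."""
    root = ET.fromstring(pom_text)
    plugins = _find_or_create(_find_or_create(root, "build"), "plugins")
    remove_dependency_check_plugin(plugins)
    # Step 3: the fragment parses without a namespace; move every element into
    # the POM namespace so it serialises as an ordinary pom element.
    plugin = ET.fromstring(plugin_xml.strip())
    for el in plugin.iter():
        el.tag = _ns(el.tag)
    plugins.append(plugin)
    # Step 4: serialise; the caller writes this text back to pom.xml.
    return ET.tostring(root, encoding="unicode")

def count_dependency_check_plugins(pom_text):
    """How many dependency-check-maven plugin entries a pom declares."""
    root = ET.fromstring(pom_text)
    return sum(1 for a in root.iter(_ns("artifactId"))
               if (a.text or "").strip() == "dependency-check-maven")

# Constructed sample pom that already carries an old copy of the plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-app</artifactId>
  <version>1.0.0</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>0.0.0</version>
      </plugin>
    </plugins>
  </build>
</project>
"""

if __name__ == "__main__":
    print(inject_dependency_check_plugin(SAMPLE_POM))
```

Because the script reads and writes the pom on the node where it runs, invoking it from the pipeline as a shell step keeps file access on the build slave, which sidesteps the Groovy “File” problem noted in the Dependency Check section.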

Conclusion

Known vulnerabilities weaken the security of your software.  New vulnerabilities are detected by security researchers and used by attackers every day.  Identifying and removing them does take effort, but it’s a relatively easy thing to do and makes a big difference to the security of your software.

You should also investigate other vulnerability detection tools on the market.  GitHub.com and Snyk.io both offer tools to detect known vulnerabilities.

Using the scripts shared in this blog post, you can build a single Jenkins build job that details the known vulnerabilities in your projects, as defined by the vulnerability databases used by both tools.

Written in conjunction with Steven Trotter, Software Engineer, Kainos.

References

https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/analyst-report/ponemon-state-of-vulnerability-response.pdf

https://github.com/KainosSoftwareLtd/npm-audit-amalgamate

https://github.com/KainosSoftwareLtd/dependency-check-amalgamate

https://docs.npmjs.com/cli/audit

https://www.owasp.org/index.php/OWASP_Dependency_Check
