Scan It Like You Mean It
Automated Vulnerability Scanning for Dependencies & Packages
Do we need to explain why?
🔥🔥💣💨⚡⚠️🧨
That’s what I thought.
Configure your pipeline with Snyk
There is a plethora of tools available for security scans and/or detecting vulnerable dependencies (Dependabot, Trivy, SonarQube/lint, Anchore, etc.), most of which can be integrated into your IDE or CI/CD.
For this use case, Snyk has been selected. Snyk can scan code, open-source dependencies, container images, and infrastructure-as-code configurations to help developers prioritize and fix security vulnerabilities. The free version comes with a maximum number of scans per month.
The set-up is rather straightforward: after creating a free account on snyk.io, create an auth token. This value is used to authenticate to Snyk when running the snyk test command, and is to be set as a pipeline variable under the name SNYK_TOKEN.
Before adding the snyk test job to your pipeline, below is an initial verification that the test outputs what we expect.
This tests a Maven project using Java 17 where I “snyked” some vulnerable package versions. From docker inspect, running the image simply runs a snyk test command. The other standard Docker images published by Snyk are available at https://github.com/snyk/snyk-images
```bash
# Mount the project at /app; the image's default command runs `snyk test` there.
docker run --rm -it --env SNYK_TOKEN="$SNYK_TOKEN" -v "$PWD":/app snyk/snyk:maven-3-jdk-17
```
```text
Testing /app...
Tested 5 dependencies for known issues, found 7 issues, 7 vulnerable paths.
Issues with no direct upgrade or patch:
✗ Man-in-the-Middle (MitM) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-1300176] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342645] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342646] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342647] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-3358774] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-572732] in log4j:[email protected]
introduced by log4j:[email protected]
No upgrade or patch available
Organization: leane
Package manager: maven
Target file: pom.xml
Project name: org.example:ExperimentsMvn
Open source: no
Project path: /app
Licenses: enabled
```
To include this test in the project pipelines, add the test-snyk job to the .gitlab-ci.yml. An HTML report containing the full context of each vulnerability can be generated as a readable artifact, viewable in a browser; a rendered example is available below.
```yaml
variables:
  SNYK_IMAGE: snyk/snyk:maven-3-jdk-17

test-snyk:
  image:
    name: $SNYK_IMAGE
    # Clear the image entrypoint so the job runs the script below instead of the default `snyk test`.
    entrypoint: [ "" ]
  script:
    - snyk test --all-projects
    - snyk monitor --all-projects

test-snyk-generate-html-report:
  image:
    name: $SNYK_IMAGE
    entrypoint: [ "" ]
  script:
    # snyk-to-html is an npm package, so Node.js is installed into the job container first.
    - curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
    - apt-get update && apt-get install -y nodejs && npm install -g snyk-to-html
    - snyk test --all-projects --json | snyk-to-html -o results.html
  artifacts:
    paths: [ "results.html" ]
    # Keep the report even when the job fails because issues were found.
    when: always
```
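Snyk's own CLI can gate on severity directly, but reading the `--json` output yourself lets the job post a summary in the style of the text output above and apply its own policy. The script below is an added example (not the post's or Snyk's code) that does this on a constructed sample shaped like `snyk test --json` output; the SNYK ids are those from the scan above, the package versions are placeholders.

```python
import json
import sys
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` output (not a real scan).
# The SNYK ids are the ones from the scan above; the versions are placeholders.
SAMPLE_SNYK_JSON = json.dumps({"ok": False, "dependencyCount": 5, "vulnerabilities": [
    {"id": "SNYK-JAVA-LOG4J-1300176", "title": "Man-in-the-Middle (MitM)", "severity": "low",
     "from": ["org.example:ExperimentsMvn@1.0", "log4j:log4j@1.x"], "isUpgradable": False, "isPatchable": False},
    {"id": "SNYK-JAVA-LOG4J-2342645", "title": "SQL Injection", "severity": "high",
     "from": ["org.example:ExperimentsMvn@1.0", "log4j:log4j@1.x"], "isUpgradable": False, "isPatchable": False},
    {"id": "SNYK-JAVA-LOG4J-572732", "title": "Deserialization of Untrusted Data", "severity": "critical",
     "from": ["org.example:ExperimentsMvn@1.0", "log4j:log4j@1.x"], "isUpgradable": False, "isPatchable": False},
]})

def load_issues(raw):
    """Flatten the vulnerability list; with --all-projects Snyk emits an array, one object per project."""
    data = json.loads(raw)
    projects = data if isinstance(data, list) else [data]
    return [v for p in projects for v in p.get("vulnerabilities", [])]

def count_by_severity(issues):
    return Counter(v["severity"] for v in issues)

def failing_issues(issues, threshold="high"):
    """Issues at or above the threshold, worst first; unknown severities never gate."""
    floor = SEVERITY_RANK[threshold]
    hits = [v for v in issues if SEVERITY_RANK.get(v["severity"], -1) >= floor]
    return sorted(hits, key=lambda v: -SEVERITY_RANK[v["severity"]])

def report(issues, threshold="high"):
    """Return (summary text, exit code): 1 when any issue meets the threshold, else 0."""
    counts = count_by_severity(issues)
    lines = [f"{len(issues)} issues: " + ", ".join(f"{s}={counts[s]}" for s in reversed(SEVERITY_RANK) if counts[s])]
    hits = failing_issues(issues, threshold)
    for v in hits:
        fix = "upgrade available" if v.get("isUpgradable") else "patch available" if v.get("isPatchable") else "no upgrade or patch available"
        lines.append(f"  [{v['severity'].upper()}] {v['title']} ({v['id']}) introduced by {v['from'][-1]}: {fix}")
    return "\n".join(lines), (1 if hits else 0)

if __name__ == "__main__":
    # Usage in a job (snyk exits non-zero on findings, hence `|| true` to keep the JSON):
    #   snyk test --all-projects --json > snyk.json || true; python3 snyk_gate.py snyk.json high
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNYK_JSON
    text, code = report(load_issues(raw), sys.argv[2] if len(sys.argv) > 2 else "high")
    print(text)
    sys.exit(code)
```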

Maybe even catch it earlier?
As mentioned above, most of these tools can integrate directly with the IDE. An easy & useful setup is the dependency-check-maven plugin. The first time the task is executed, the plugin needs to download data from the National Vulnerability Database, which can be a lengthy process.
The XML configuration below, added to your pom file, will add the dependency-check:check task.
```xml
<!-- OWASP Dependency-Check Plugin: goes under <build><plugins> in pom.xml -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <!-- replace with the current plugin release -->
  <version>latest-version</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
Note that I have attempted to put this in my pipeline instead to “make sure it runs”. This was a bad idea given all the data download going on. For pipeline integration, the above-mentioned options are much better suited.