CS 305 Dependency Check Lab


  1. Static Testing: Using the code base (attached), edit the pom.xml file to integrate the Maven dependency check. You may want to reference the Integrating the Maven Dependency Check Plug-in Tutorial. Then, run a dependency check and identify the known vulnerabilities found. Submit the HTML dependency check report with the known vulnerabilities found.

A dependency check will report false-positive vulnerabilities, and it is important that you understand them. You have been told that you cannot implement a fix for the identified vulnerabilities at this time, because no solution currently exists. However, you do not want these warnings to appear for the community of developers who will be testing the security of this code base.

  2. Reconfiguration: Sometimes, you have to live with an error until there is a fix for it. You must reconfigure the dependency check tool to stop the alarms for false positives by creating a suppression.xml file and revising the pom.xml file so that the dependency check tool uses it. By doing so, you will hide the false positives. Please note: The false positives are still there, but they won’t show up on the dependency check report. To reconfigure the dependency check tool, complete the following steps.
    a. Open the dependency report HTML file in a web browser.
    b. Click the suppress button next to the found vulnerability. See example below:

[Screenshot: Published vulnerabilities screen showing the "suppress" button next to the found vulnerability]

    c. Click on the Complete XML Doc button, then use Ctrl+C to copy the highlighted contents as shown below:

[Screenshot: the "Complete XML Doc" button; use Ctrl+C to copy the highlighted contents]
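For reference, this is what a complete suppression file looks like once the copied entry is in place. It is an added example, not the report output for this lab: the CVE number, the org.example package coordinates and the date are placeholders, and you substitute the values from your own Complete XML Doc entry. The report-generated entry identifies the artifact by packageUrl (or sha1 in older versions); either works.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a suppression file; not copied from the lab's report.
     Replace CVE-0000-00000 and the org.example coordinates with the values
     from your own "Complete XML Doc" entry. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Optional: "until" makes the suppression expire, so the finding reappears on that
         date and gets re-evaluated. Placeholder date; pick your own re-review date. -->
    <suppress until="2030-01-01Z">
        <!-- Record why this finding is a false positive, so a later reviewer can re-check it. -->
        <notes><![CDATA[
            Placeholder note: the flagged vulnerability does not apply because the
            affected code path in this library is not used by this project.
        ]]></notes>
        <!-- Scope the suppression to one artifact (package URL), not the whole project. -->
        <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
        <!-- Suppress only this one CVE for that artifact. -->
        <cve>CVE-0000-00000</cve>
    </suppress>
</suppressions>
```

Each suppress element hides exactly one vulnerability on exactly one artifact; a second false positive gets its own suppress element rather than a broader match. The notes and the until date are what let the next person on the project tell a reviewed false positive from a finding that was simply silenced.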

    d. Next, navigate back to the code base project in Eclipse and create a file called suppression.xml in the same directory as the pom.xml file.
    e. Add the contents you copied from the complete XML doc in Step C to the suppression.xml file you created.
    f. Edit the pom.xml file and add the following in the configuration section of the OWASP check:

       <suppressionFiles>
           <suppressionFile>suppression.xml</suppressionFile>
       </suppressionFiles>
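To show where that configuration section sits, here is a complete OWASP dependency-check plugin entry for the build section of pom.xml. It is an added example, not the lab's own pom.xml: the plugin version is a placeholder, and the failBuildOnCVSS setting is an assumed extra that the lab does not require.

```xml
<build>
    <plugins>
        <!-- Added example plugin entry; the lab's pom.xml may already contain a
             plugin element like this, in which case only the configuration changes. -->
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <!-- Placeholder: pin to the current dependency-check-maven release. -->
            <version>X.Y.Z</version>
            <configuration>
                <!-- Suppression file that hides the reviewed false positives.
                     The path is relative to the directory that holds pom.xml. -->
                <suppressionFiles>
                    <suppressionFile>suppression.xml</suppressionFile>
                </suppressionFiles>
                <!-- Assumed setting: fail the build when an unsuppressed finding
                     scores at or above CVSS 7, so new real findings cannot slip by. -->
                <failBuildOnCVSS>7</failBuildOnCVSS>
            </configuration>
            <executions>
                <execution>
                    <!-- The check goal binds to the verify phase by default, so the
                         report is regenerated on every "mvn verify". -->
                    <goals>
                        <goal>check</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

After the build, the HTML report is written under the project's target directory (dependency-check-report.html by default); that regenerated file is the "after reconfiguration" report the verification step asks for.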

  3. Verification: Finally, use Maven Run As to run the dependency check again to verify that all dependencies are valid and no false positives exist. Submit the HTML dependency check report showing that all dependencies found are valid and no false positives are present.

In addition to the dependency check reports, be sure to zip the project folder in Eclipse and submit the refactored code including suppression.xml and the revised pom.xml file.

Submit (1) the refactored code (which includes the suppression.xml file you created and the pom.xml file you revised) and (2) a text submission that includes the HTML link for the dependency check report before reconfiguration and the HTML link for the new dependency check report after the reconfiguration with no false positives shown.
