Gradle Dependency Check
The following build.gradle will perform the vulnerability check against our Go project.
Code Block |
---|
|
apply plugin: 'org.owasp.dependencycheck'
buildscript {
repositories {
mavenCentral()
}
ext {
owaspPluginVersion = '7.0.3'
}
dependencies {
classpath "org.owasp:dependency-check-gradle:${owaspPluginVersion}"
}
}
dependencyCheck {
failOnError = false
format = 'ALL'
outputDirectory = "${buildDir}/reports/owasp"
suppressionFile = "${projectDir}/owasp-suppressions.xml"
analyzers {
experimentalEnabled = true
golangModEnabled = true
pathToGo = '/usr/local/go/bin/go'
}
}
task build() {
// empty
}
build.dependsOn (dependencyCheckAnalyze) |
Addressing Vulnerabilities
Code Block |
---|
title | Sample Vulnerability Report |
---|
|
> Task :dependencyCheckAnalyze
Verifying dependencies for project kafka-azure-sink
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project kafka-azure-sink
Found 31 vulnerabilities in project kafka-azure-sink
One or more dependencies were identified with known vulnerabilities in kafka-azure-sink:
go.mod (pkg:golang/cloud.google.com/go/storage@1.10.0, cpe:2.3:a:storage_project:storage:1.10.0:*:*:*:*:*:*:*) : CVE-2021-20291
go-units@v0.4.0 (pkg:golang/github.com/docker/go-units@0.4.0, cpe:2.3:a:docker:docker:0.4.0:*:*:*:*:*:*:*) : CVE-2014-0047, CVE-2014-0048, CVE-2014-5277, CVE-2014-5278, CVE-2014-5282, CVE-2014-6407, CVE-2014-8178, CVE-2014-8179, CVE-2014-9356, CVE-2014-9358, CVE-2015-3627, CVE-2015-3630, CVE-2015-3631, CVE-2016-3697, CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, CVE-2019-5736, CVE-2020-27534, CVE-2021-21284, CVE-2021-21285, CVE-2021-3162, CVE-2022-25365
go.mod (pkg:golang/github.com/hashicorp/consul/api@1.12.0, cpe:2.3:a:hashicorp:consul:1.12.0:*:*:*:*:*:*:*) : CVE-2022-40716
golang_protobuf_extensions@v1.0.1 (pkg:golang/github.com/matttproud/golang_protobuf_extensions@1.0.1, cpe:2.3:a:golang:protobuf:1.0.1:*:*:*:*:*:*:*) : CVE-2021-3121
client_model@v0.2.0 (pkg:golang/github.com/prometheus/client_model@0.2.0, cpe:2.3:a:prometheus:prometheus:0.2.0:*:*:*:*:*:*:*) : CVE-2019-3826
go.mod (pkg:golang/github.com/prometheus/common@0.37.0, cpe:2.3:a:prometheus:prometheus:0.37.0:*:*:*:*:*:*:*) : CVE-2019-3826
go.mod (pkg:golang/github.com/prometheus/procfs@0.8.0, cpe:2.3:a:prometheus:prometheus:0.8.0:*:*:*:*:*:*:*) : CVE-2019-3826
See the dependency-check report for more details. |
Dependency Check Report
open build/reports/owasp/dependency-check-report.html
Image Added
When a vulnerability is found we will need to do the following things:
Update the library
Code Block |
---|
module kafka-azure-sink
go 1.18
require (
...
github.com/docker/go-units v0.5.0
)
|
Issue the following commands:
Code Block |
---|
go mod vendor
go mod tidy |
Build the project to verify all is well
Code Block |
---|
go build -o ./kafka-azure-sink ./src/cmd/svc |