CS 305 Computer Science Static Testing and Reconfiguration Question

Overview

As a software developer who develops secure code, you will need to add vulnerability assessments to your list of code reviews. As an experienced programmer, you know that the code you write using a web application framework may only amount to a small percentage of the overall web application code base. Most of the code to be compiled or interpreted for execution is locked away in libraries. Your web application is dependent upon the code in these libraries, which represents a dependency vulnerability.

In this assignment, you will have an opportunity to be proactive in DevSecOps! You will find potential security vulnerabilities using the OWASP dependency scanner. This is an open source scanner that points out potential security vulnerabilities known in the libraries of your code base. You can then make adjustments to your use of libraries based on the dependency check report. Implementing the dependency check process is highly recommended as part of DevSecOps. You have used a dependency check in the default configuration mode. Now, you will look at the configuration options to suppress the reporting of false positives.

This assignment is a good place to alter the current OWASP dependency check configuration so that it suppresses false-positive reporting. To do so, you will create a suppression.xml file and revise the pom.xml file of your software application so that the dependency check configuration in Maven points to this suppression.xml file.

Prompt

Please follow the steps below to complete this assignment.

  1. Static Testing: Using the code base provided, edit the pom.xml file to integrate the Maven dependency check. You may want to reference the Integrating the Maven Dependency Check Plug-in Tutorial. Then, run a dependency check and identify the known vulnerabilities found. Submit the HTML dependency check report with the known vulnerabilities found.

A dependency check will show false-positive vulnerabilities. It is important that you understand the false positives. You have been told that you cannot implement a fix at this time for the vulnerabilities identified because no solution currently exists. However, you do not want this warning signal to pop up for the community of developers that will be testing the security of this code base.

  2. Reconfiguration: Sometimes, you have to live with an error until there is a fix for it. You must reconfigure the dependency check tool to stop the alarms for false positives by creating a suppression.xml file and revising the code in the pom.xml file to alter the configuration of the dependency check tool. By doing so, you will hide the false positives. Please note: The false positives are still there, but they won’t show up on the dependency check report. To reconfigure the dependency check tool, complete the following steps.
    A. Open the dependency report HTML file in a web browser.
    B. Click the suppress button next to the found vulnerability. See the example below:

[Screenshot: Published vulnerabilities screen showing the "suppress" button next to the found vulnerability]

    C. Click on the Complete XML Doc button, then use Ctrl+C to copy the highlighted contents as shown below:

[Screenshot: the "Complete XML Doc" button, with the generated suppression contents highlighted for copying with Ctrl+C]

    D. Next, navigate back to the code base project in Eclipse and create a file called suppression.xml in the same directory as the pom.xml file.
    E. Add the contents you copied from the Complete XML Doc in Step C to the suppression.xml file you created.
    F. Edit the pom.xml file and add the following in the configuration section of the OWASP check:

      <suppressionFiles>
        <suppressionFile>suppression.xml</suppressionFile>
      </suppressionFiles>

  3. Verification: Finally, use Maven Run As to run the dependency check again to verify that all dependencies are valid and no false positives exist. Submit the HTML dependency check report showing that all dependencies found are valid and no false positives are present.
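The report's "Complete XML Doc" button generates a suppression entry for you, but the entry is worth editing before it goes into suppression.xml. The file below is an added example (not part of the course materials or the code base provided) showing two entries, each scoped to a single artifact or binary and a single CVE, with a review date so the finding resurfaces once a fix may exist. The Maven coordinates, CVE ids, SHA-1 and dates are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the coordinates, CVE ids, hash and dates below are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Suppress one CVE for one Maven artifact only, and only until the review date.
         After the "until" date the finding reappears in the report, which forces a
         re-check for a fixed release instead of hiding the issue permanently. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
            False positive: CPE matched on the artifact name; the flagged product is not
            what this library implements. No fixed release at time of review.
            Re-evaluate at expiry.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
        <cve>CVE-0000-00000</cve>
    </suppress>

    <!-- Suppress by file hash when the jar has no reliable Maven coordinates.
         This pins the suppression to one exact binary, so a rebuilt or upgraded jar
         is scanned again automatically. -->
    <suppress>
        <notes><![CDATA[
            Vendored jar with no published fix; hash-scoped so a replacement jar is re-scanned.
        ]]></notes>
        <sha1>0000000000000000000000000000000000000000</sha1>
        <cve>CVE-0000-00001</cve>
    </suppress>

</suppressions>
```

Keep one `<suppress>` per finding with its reason in `<notes>`: a single broad suppression (an artifact regex with no `<cve>`) would also hide any new vulnerability later published for that library.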

In addition to the dependency check reports, be sure to zip the project folder in Eclipse and submit the refactored code including suppression.xml and the revised pom.xml file.