Has anyone set this up on a server to allow internal devs to check their local code repositories?

[mushu999]

Would like to set this up on an internal server and [somehow] allow our developers to access it and have it scan their local code repositories. We all use Visual Studio so that isn't an issue, the problem is that web browsers by default do not allow a webage to access your local C: drive so would need a way around that. Possibly I could have them all set up a UNC share and give the account the webpage is running under Read access but that's a pain. Want to make this super easy to get them all to run the scans else they won't care...

Any ideas?

[aikebah]

HTML report reading from C-drive by webbrowsers is no issue in my experience, so not sure why you think that would be an issue?

[aikebah]

If you mean a running this tool from a webpage: I would not expect that to ever work.

Don't know how easy it is to integrate developer-side in Visual Studio projects, but why not integrate it in the CI Buildserver build process and make the reports easily accessible to the developers?

I'm in a java/maven shop, where integration is as easy as deriving a project from our company parent and setting a flag in settings.xml to make it active on local builds. On the CI-build server the flag is always on, so even if the developer never runs it locally they still have easy access to the report after the next CI-build (reports hosted on an intranet webserver) - and if the associated CVE score exceeds a threshold they are forced to address the issue before their build can move forward.

If your devs won't care for the security of their software that's more of a cultural thing to work on. Easing the tool use will have limited effect. They'll quickly learn the suppression-trick and even suppress when inappropriate. Educating them on the risks associated e.g. using breakdowns/write-ups of past breaches that show how easy it was for the hacker because company X used software with an outdated, vulnerable library may have more effect.

If they do care about the security in my experience the pain of invoking dependency-check (even the CLI variant) is low, significantly lower than the pain of dealing with analyzing and following up on its findings, and well worth the effort.

[jeremylong]

Most would just setup a scan as part of their CI. For GitHub Actions several use https://github.com/dependency-check/Dependency-Check_Action

Creating a separate space for developers to go do security work has become an anti-pattern - bring security to where the developers work. The trick is paying attention to speed and accuracy of the security tooling introduced - you can't disrupt development with noise.

[mushu999]

Thanks for the responses. I was imagining a webpage they could go to and enter the local path to their source code and hit a [scan] button and it would magically scan their code and produce the report for them.

For years I preach and preach about security and they are focused instead on just getting the code out the door. So if they didn't have to add a new link in their build process by setting up and doing a CLI scan of their own code, this would be best. Easier means it gets done, any extra effort means it doesn't. This is definitely an internal employee/developer issue for sure. I just couldn't envision how I could set this up to launch a local scan on demand for every developer over the network is all.

I'm wondering if I could set up a webpage to just grab their local fully-qualified path to the codebase and then have the web server feed that to it's locally-installed copy of DC and access the developer code via UNC path...hmmm...if the account running on the server was Admin it would be able to read their local C: drives...maybe I'll investigate that option.

[aikebah]

And then you'd have a nice target for hackers in your infrastructure: a server that has a webpage taking a UNC path and blindly accessing it with a high-authorized admin account. I'd suggest you to reconsider.

[mushu999]

Well, waited a year to reply (lol) to say that this would be hosted on our intranet behind several firewalls and other hardware protection. It wouldn't be open to the public nor running in a DMZ. I'm just rethinking about this as it would be a great tool for our other devs.