Conduct investigation into back end vulnerability scanning

[jameshaddrillvs]

These are the main milestones for this piece of work

• [x] Investigate and compare tools to help us with vulnerability scan
• [x] Configure the OWASP security plugin to Generate a report of vulnerabilities
• [x] Run the report from a Jenkins server
• [x] Incorporate the report to a CI/CD Pipeline and notify when new vulnerabilities are detected
• [ ] Implement the report in a major existing project (dot-com-brxm)
• [ ] Implement the report in an alternative project (i.e. vs-dms-products)
• [ ] Implement the report in a dot-com-brxm pipeline
• [ ] Generate a bill of materials
• [ ] Create a security vulnerability policy Document (Confluence) to define our strategy
• [ ] Document the investigation on Confluence

[jcalcines]

Hello @jameshaddrillvs

I have updated the description of the ticket, adding the different milestones for is piece of work. These are the updates regarding the Completed milestones

Investigate and compare tools to help us with vulnerability scan

The investigation was conducted and these are the main highlights:

• The scope for this task was around back-end dependencies
• Internal documentation about practices and POC have been reviewed and evaluated
  • Steve did some work about cybersecurity compliance, which has a wider scope
• The tools evaluated included: Nexus IQ, OWASP, Dependabot, CycloneDX, Jenkins (Plugins)
• Practices in major Github repos have been checked
• The simplest way to create a PoC is to use a new BloomReach project

[jcalcines]

The next three milestones are interrelated

Configure the OWASP security plugin to Generate a report of vulnerabilities

The Maven plugin has been configured in a project and the following several reports have been created. We have flagged some vulnerabilities to BloomReach and they have verified that they are false positives in their setup.

This is the report generated for a simple brsx 15.5.0 project

https://github.com/jcalcines/brxm-playground/blob/dependency-check/report/owasp/15.5.0/dependency-check-report.html

Run the report from a Jenkins server

There was the possibility of running the whole report from Jenkins but that was actually doubling the configuration required to do the job. So the most efficient option was to use the maven plugin to generate the report and to use Jenkins to create the Dashboard and display the data.

This is the job where the plugin is configured in Jenkins: https://ci.visitscotland.com/test/job/jcalcines%20-%20OWASP%20Dependency%20Check%20-%20Plugin/

The job includes a graph like this one to illustrate the changes of vulnerabilties compared to the last build. This graph is specially useful for the main branch, which is build every fortnight.

Incorporate the report to a CI/CD Pipeline and notify when new vulnerabilities are detected

The last part of this PoC was to integrate the last two steps in a CI/CD Pipeline.

On top of what is previously configured, this job has been set up to fail builds when there are critical vulnerabilities on it or being marked as unstable when new high vulnerabilities arise. Also, it will send an email when the build fails for security vulnerabilities. This means that it will react based on our security gates (If we relax our policy, the notifications will do the same) which will prevent us from getting a lot of noise.

This is the job configured on Jenkins for this task: https://ci.visitscotland.com/test/job/jcalcines%20-%20OWASP%20Dependency%20check%20-%20Pipeline/

These images illustrate the main output from the Jenkins Pipeline. Please note that these screenshots are just illustrations of how the plugin would work and not real implementations. This is a playground codebase running in a test Jenkins Server