{ "info": { "author": "Jay Johnson", "author_email": "jay.p.h.johnson@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Operating System :: OS Independent", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": "OWASP Jenkins in Docker\n=======================\n\nWant to automate testing your web applications and REST API service layers using the latest OWASP security toolchains and the NIST National Vulnerability Database (NVD)?\n\nThis repository uses Ansible to create a docker container to hold an automatically-configured Jenkins application with the `OWASP Dependency Checker`_, `NIST NVD`_, `Python OWASP ZAP`_, and `Openstack Bandit`_ installed. All Jenkins jobs run inside this docker container and are hosted using self-signed ssl certificates.\n\nHopefully this will make securing your applications easier by jumpstarting your testing with the `OWASP Top 10 Application Security Risks - 2017`_.\n\n.. _NIST NVD: https://nvd.nist.gov/vuln/data-feeds\n.. _OWASP Dependency Checker: https://github.com/jeremylong/DependencyCheck\n.. _OWASP Top 10 Application Security Risks - 2017: https://www.owasp.org/index.php/Top_10_2017-Top_10\n\nQuickly Analyze any Repository with OWASP\n-----------------------------------------\n\nHere's how to scan a repository for security issues. This will download the latest https://hub.docker.com/r/jayjohnson/owasp-jenkins container. Please note: because there are so many known vulnerabilities to test, the container inflates to a size of about ``4.4 GB`` on disk.\n\nIn this example I am testing the Bandit repository https://github.com/openstack/bandit.git and will create the ``owasp-report-.html`` file in the current directory before removing the container.\n\n#. Check there's nothing in the directory:\n\n ::\n\n ls | grep html\n\n#. Pick a Repository to Scan\n\n ::\n\n repo=https://github.com/openstack/bandit.git\n\n#. Run the OWASP Analysis and Generate the HTML Report\n\n ::\n\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-report-$(date +'%Y-%m-%d-%H-%M-%S').html\"\n\n This will log something like below:\n\n ::\n\n d9d9c4e1945b7c0822f29aaae4db48842454ed693e1cc40d041f8362cd49cb12\n Cloning into '/opt/scanrepo'...\n remote: Counting objects: 5975, done.\n remote: Compressing objects: 100% (26/26), done.\n remote: Total 5975 (delta 5), reused 21 (delta 0), pack-reused 5949\n Receiving objects: 100% (5975/5975), 1.39 MiB | 0 bytes/s, done.\n Resolving deltas: 100% (4104/4104), done.\n [WARNING]: log file at /opt/owasp/ansible/\"/tmp/owasp-jenkins.log\" is not writeable and we cannot create it, aborting\n\n\n PLAY [Running OWASP Analysis] **************************************************\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [set_fact] ****************************************************************\n ok: [localhost]\n\n TASK [Checking if this is a rebuild_nvd=0] *************************************\n skipping: [localhost]\n\n TASK [Building OWASP Arguments] ************************************************\n ok: [localhost]\n\n TASK [Running OWASP Report depchecker=/opt/tools/depcheck/dependency-check-cli/target/release/bin/dependency-check.sh owasp_args= -n --enableExperimental true --out /opt/reports/owasp-report-2018-01-10-20-21-18.html --scan /opt/scanrepo -P /opt/owasp/ansible/roles/install/files/initial-pom.xml --project analyze-this-code --data /opt/nvd] ***\n changed: [localhost]\n\n TASK [Checking if the OWASP Report=/opt/reports/owasp-report-2018-01-10-20-21-18.html exists] ***\n ok: [localhost]\n\n TASK [Verifying OWASP Report=/opt/reports/owasp-report-2018-01-10-20-21-18.html was created] ***\n skipping: [localhost]\n\n PLAY RECAP *********************************************************************\n localhost : ok=12 changed=1 unreachable=0 failed=0\n\n#. Verify the OWASP HTML Report Exists\n\n ::\n\n ls | grep html\n owasp-report-2018-01-10-20-21-18.html\n\n#. Cleanup the Docker Container\n\n ::\n\n docker stop owasp-jenkins; docker rm owasp-jenkins\n owasp-jenkins\n owasp-jenkins\n\nAnalyzing Popular GitHub Repositories\n=====================================\n\nI hope this container makes it easy to find security risks in your code and in any third-party dependencies. Here's examples for analyzing some of the most popular GitHub repositories:\n\nScan Django\n-----------\n\nScan Django and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/django/django.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-django-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-django-report-*.html\n\nScan React\n----------\n\nScan React and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/facebook/react.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-react-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-react-report-*.html\n\nScan Vue\n--------\n\nScan Vue and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/vuejs/vue.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-vue-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-vue-report-*.html\n\nScan Angular\n------------\n\nScan Angular and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/angular/angular.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-angular-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-angular-report-*.html\n\nScan Ruby on Rails\n------------------\n\nScan Ruby on Rails and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/rails/rails\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-ror-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-ror-report-*.html\n\nScan Shadowsocks Windows\n------------------------\n\nScan Shadowsocks Windows and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/shadowsocks/shadowsocks-windows.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-shadowsockswindows-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-shadowsockswindows-report-*.html\n\nScan Laravel\n------------\n\nScan Laravel and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/laravel/laravel\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-laravel-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-laravel-report-*.html\n\nScan Django REST Framework\n--------------------------\n\nScan Django REST Framework and generate an OWASP HTML Report for third-party vulnerabilities:\n\n::\n\n repo=https://github.com/encode/django-rest-framework.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/scanrepo\" -e owasp_report_file=\"/opt/reports/owasp-drf-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l owasp-drf-report-*.html\n\nWant to generate Bandit reports for some of the most popular python projects?\n-----------------------------------------------------------------------------\n\nScan Tensorflow and generate a Bandit HTML report (this can take a few minutes depending on your host):\n\n::\n\n repo=https://github.com/tensorflow/tensorflow.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir=\"/opt/scanrepo\" -e bandit_report_file=\"/opt/reports/bandit-tf-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l bandit-tf-report-*.html\n\nScan Flask and generate a Bandit HTML report:\n\n::\n\n repo=https://github.com/pallets/flask.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir=\"/opt/scanrepo\" -e bandit_report_file=\"/opt/reports/bandit-flask-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l bandit-flask-report-*.html\n\nScan Ansible and generate a Bandit HTML report (this can take a few minutes depending on your host):\n\n::\n\n repo=https://github.com/ansible/ansible.git\n docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir=\"/opt/scanrepo\" -e bandit_report_file=\"/opt/reports/bandit-ab-report-$(date +'%Y-%m-%d-%H-%M-%S').html\" && docker stop owasp-jenkins && docker rm owasp-jenkins\n ls -l bandit-ab-report-*.html\n\nSetting up Jenkins for Automating your Security Testing\n=======================================================\n\nStart the Container\n-------------------\n\nIf you want to set up the Jenkins container or onboard an application with OWASP testing you can start the container with:\n\n::\n\n ./start.sh\n\nLogin to Jenkins\n----------------\n\nThe login for the Jenkins instance is:\n\n- username: admin\n- password: testing\n\nhttps://localhost:8443/\n\nRunning the OWASP Tools Manually\n================================\n\nI find it easier to initially integrate my applications with the OWASP + NIST toolchains by manually running tests from inside the container without a Jenkins job to debug at the same time.\n\nSSH into the container with:\n\n::\n\n docker exec -it owasp-jenkins bash\n\nor from the base repository directory:\n\n::\n\n ./ssh.sh\n\nConfirm you're in the ansible directory:\n\n::\n\n pwd\n /opt/owasp/ansible\n\nRun OWASP Analysis and Generate an HTML Report\n----------------------------------------------\n\nThis command will analyze the repository's ``/opt/owasp/owasp_jenkins/log/*.py`` modules using verbose Ansible terminal output. This is helpful for figuring out what Ansible is doing under the hood. By default the Ansible playbook will create the OWASP html file inside the docker container directory: ``/opt/reports``. This directory is set up in the compose file to auto-mount to the host's directory ``./reports`` from the repository to make sharing and viewing these html reports easier.\n\n::\n\n ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"/opt/owasp/owasp_jenkins/log\" -e owasp_report_file=\"/opt/reports/owasp-report.html\" -vvvv\n\nRun Bandit Analysis and Generate an HTML Report\n-----------------------------------------------\n\nThis will analyze the Bandit project's own code with the bandit analyzer and generate an html report that will be stored on the host in the ``./reports`` directory.\n\n::\n\n ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir=\"/opt/owasp/venv/lib/python3.5/site-packages/bandit\" -e bandit_report_file=\"/opt/reports/bandit-report.html\" -vvvv\n\nOnboarding Your Own Application with OWASP\n------------------------------------------\n\nThe Ansible playbook configures the `Dependency Checker parameters`_ for making onboarding easier even behind a corporate proxy. These are the general steps I run through to get an application automatically scanned within a Jenkins job.\n\n.. _Dependency Checker parameters: https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/run-owasp-analysis.yml#L23-L31\n\n#. Changing the Runtime Parameters\n\n Please checkout what can be overridden from the ansible-playbook cli using the ``-e =\"\"`` and then port them into your Jenkins build jobs.\n\n https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/roles/install/vars/jenkins-runtime-latest.yml\n\n#. Tuning OWASP Runtime Arguments\n\n The Dependency Checker supports numerous parameters to test and audit an application. I would recommend periodically reviewing what has changed to make sure you are using the right ones for each application:\n\n https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html\n\n This repository was built to analyze python, but the `default pom.xml file`_ is set up with most of the available `language analyzers`_ enabled (node.js, java, .NET, ruby, php) and uses the default flag: ``owasp_analyzers=\"--enableExperimental true\"``\n\n .. _default pom.xml file: https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/roles/install/files/initial-pom.xml\n .. _language analyzers: https://jeremylong.github.io/DependencyCheck/analyzers/index.html\n\n#. Setting up an OWASP pom.xml file\n\n There are two sample ``pom.xml`` files in the repo. One is for testing with my `celery-connectors`_ repository and the other is the default.\n\n - https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/roles/install/files/initial-pom.xml\n - https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/roles/install/files/celery-connectors-pom.xml\n\n There are numerous different configurable options that each application should review to ensure they are testing their code accordingly.\n\n https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html\n\n Once you have a ``pom.xml`` ready for testing you can use it with the ``run-owasp-analysis.yml`` by adding the arguments: \n\n ``-e owasp_pom=\"\"``\n\n .. _celery-connectors: https://github.com/jay-johnson/celery-connectors\n\n#. Set up OWASP Jenkins Jobs\n\n I prefer to set up my Jenkins jobs using the ``Execute shell - Command`` to configure my security toolchains in my CI/CD pipelines. These are the shell snippets for how I set up my initial OWASP jobs for a new security-ready CI/CD pipeline.\n\n #. NIST National Vulnerability Database Update Job\n\n This job should run every seven days to pull in the latest updates or you can just rebuild this container (just a friendly reminder, don't forget to back up or migrate your jobs):\n\n https://jeremylong.github.io/DependencyCheck/data/index.html\n\n ::\n\n echo \"Downloading NIST National Vulnerability Database file\"\n . /opt/owasp/venv/bin/activate\n cd /opt/owasp/ansible\n ansible-playbook -i inventories/inventory_dev download-nvd.yml -vvvv\n\n #. Run OWASP and Bandit Analysis on any new repo PR or merged-PR Job\n\n I usually assume the Jenkins job has ``WORKSPACE`` as the directory for the source code to check. I also try to automate email delivery by making sure the auto-generated html files are under the job's workspace to ensure the job can send an email with the files attached for review.\n\n ::\n\n echo \"Running OWASP Analysis on Workspace=${WORKSPACE}\"\n . /opt/owasp/venv/bin/activate\n cd /opt/owasp/ansible\n\n # If needed, make sure to specify the path to the repository's pom.xml:\n # -e owasp_pom=\"/opt/owasp/ansible/roles/install/files/initial-pom.xml\"\n # and set the project label to match it:\n # -e owasp_project_label=\"analyze-this-code\"\n ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir=\"${WORKSPACE}\" -e owasp_report_file=\"${WORKSPACE}/owasp-report.html\" -vvvv\n\n echo \"Running Bandit Analysis on Workspace=${WORKSPACE}\"\n ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir=\"${WORKSPACE}\" -e bandit_report_file=\"${WORKSPACE}/bandit-report.html\" -vvvv\n\n #. Update NIST Downloader and Dependency Checker Tools Job\n\n This job will update the local, cloned repositories for the NIST NVD Downloader and Dependency Checker. This is helpful if you have to maintain an internal fork of these repositories for enhancing or modifying their testing.\n\n ::\n\n echo \"Installing NIST National Vulnerability Database and NVD Dependency Checker using Ansible and Maven\"\n . /opt/owasp/venv/bin/activate\n cd /opt/owasp/ansible\n ansible-playbook -i inventories/inventory_dev install-tools.yml -vvvv\n\nBuild the OWASP Jenkins Container\n---------------------------------\n\nThis will build a large docker container (derived from ``jenkins/jenkins:latest``) by installing the following security packages listed below. If you want to install these later after the build you can run the Ansible playbooks as needed by commenting out the install lines of the Dockerfile (https://github.com/jay-johnson/owasp-jenkins/blob/master/Dockerfile#L84-L102).\n\nBuild the container using this script in the base directory of the repository:\n\n::\n\n ./build.sh\n\nWhile you're waiting, here's what is installing inside the container:\n\n- `OWASP Website`_\n- `NVD Data Feeds`_\n- `Dependency Checker`_\n- `Openstack Bandit`_\n- `Python OWASP ZAP`_\n- `Python OWASP ZAP Community Scripts`_\n\n.. _OWASP Website: https://www.owasp.org/index.php/Main_Page\n.. _NVD Data Feeds: https://nvd.nist.gov/vuln/data-feeds\n.. _Dependency Checker: https://github.com/jeremylong/DependencyCheck\n.. _Openstack Bandit: https://github.com/openstack/bandit\n.. _Python OWASP ZAP: https://github.com/zaproxy/zap-api-python\n.. _Python OWASP ZAP Community Scripts: https://github.com/zaproxy/community-scripts\n\nContainer OWASP Coverage Analysis\n=================================\n\nSo how does this container and approach help cover applications for the `2017 OWASP Top 10 Application Security Risks`_?\n\nThe container was built to help quickly secure python application code with Bandit for `Static Application Security Testing (SAST)`_ and ZAP for `Dynamic Application Security Testing (DAST)`_. There's tradeoffs to adding more and more tools to cover each item because while the tools might help find more security risks the tradeoff is your team just added more testing overhead to support tools and keep them updated with your application builds.\n\nThis is a table to visualize how the container helps tests the OWASP Top 10:\n\n+---------------------------------------------------+-------+--------+------------------+\n| OWASP Top 10 Application Security Risks - 2017 | DAST_ + SAST_ + Third Party |\n+===================================================+=======+========+==================+\n| `A1 Injection`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A2 Broken Authentication`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A3 Sensitive Data Exposure`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A4 XML External Entities`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A5 Broken Access Control`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A6 Security Misconfiguration`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A7 Cross Site Scripting`_ | ZAP | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A8 Insecure Deserialization`_ | None | Bandit | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A9 Using Components with Known Vulnerabilities`_ | ZAP | None | Dependency Check |\n+---------------------------------------------------+-------+--------+------------------+\n| `A10 Insufficient Logging and Monitoring`_ | None | None | None | \n+---------------------------------------------------+-------+--------+------------------+\n\n.. _2017 OWASP Top 10 Application Security Risks: https://www.owasp.org/index.php/Top_10-2017_Top_10\n.. _Static Application Security Testing (SAST): https://www.owasp.org/index.php/Source_Code_Analysis_Tools\n.. _Dynamic Application Security Testing (DAST): https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools\n.. _SAST: https://www.owasp.org/index.php/Source_Code_Analysis_Tools\n.. _DAST: https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools\n.. _A1 Injection: https://www.owasp.org/index.php/Top_10-2017_A1-Injection\n.. _A2 Broken Authentication: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication\n.. _A3 Sensitive Data Exposure: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure\n.. _A4 XML External Entities: https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)\n.. _A5 Broken Access Control: https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control\n.. _A6 Security Misconfiguration: https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration\n.. _A7 Cross Site Scripting: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)\n.. _A8 Insecure Deserialization: https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization\n.. _A9 Using Components with Known Vulnerabilities: https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities\n.. _A10 Insufficient Logging and Monitoring: https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring\n\nForce a Rebuild of the NVD H2 files using the Dependency Checker\n----------------------------------------------------------------\n\nIf you want to manually download the latest NVD updates you can run the included Ansible playbook from inside the container. This can take a while if you're behind a proxy so I usually have a dedicated Jenkins job that handles updating the h2 database during off hours.\n\n::\n\n ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e rebuild_nvd=1 -e owasp_scan_dir=\"/opt/owasp/owasp_jenkins/log\" -vvvv\n\nCleaning up Everything on the Host before a Clean Rebuild\n---------------------------------------------------------\n\nPlease be careful. This command will delete all the downloaded NIST NVD data files, maven, and the Dependency Checker tool if you have host-mounted them and commented-out the ansible-playbook install steps in the Docker container.\n\n::\n\n sudo rm -rf ./docker/data/nvd/* ./docker/data/nvd/.git ./docker/data/tools/nvd/* ./docker/data/tools/nvd/.git ./docker/data/tools/depcheck/* ./docker/data/tools/depcheck/.git ./docker/data/tools/*\n\nSetting up a Development Environment\n------------------------------------\n\nSetup the virtual environment with the command:\n\n::\n\n virtualenv -p python3 venv && source venv/bin/activate && pip install -e .\n\nLinting\n-------\n\n::\n\n pycodestyle --max-line-length=160 --exclude=venv,build,.tox\n\nLicense\n-------\n\nApache 2.0 - Please refer to the LICENSE_ for more details\n\n.. _License: https://github.com/jay-johnson/owasp-jenkins/blob/master/LICENSE\n\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/jay-johnson/owasp-jenkins", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "owasp-jenkins", "package_url": "https://pypi.org/project/owasp-jenkins/", "platform": "", "project_url": "https://pypi.org/project/owasp-jenkins/", "project_urls": { "Homepage": "https://github.com/jay-johnson/owasp-jenkins" }, "release_url": "https://pypi.org/project/owasp-jenkins/1.0.2/", "requires_dist": [ "ansible (>=2.4)", "bandit", "coverage", "docker-compose", "flake8", "future", "mock", "paramiko", "pep8", "pycurl", "pylint", "python-owasp-zap-v2.4", "safety", "unittest2" ], "requires_python": "", "summary": "Automate your OWASP analysis within a Jenkins docker container that is preconfigured to use Ansible to scan and report on potential python security issues before they are deployed to production.", "version": "1.0.2" }, "last_serial": 4445935, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "29104d2214657dee69b8de812b3379e7", "sha256": "3ca4591343bb849df2bd4af22cc0fa124e67c526a15d52ab1f6ab368e4c4d53b" }, "downloads": -1, "filename": "owasp_jenkins-1.0.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "29104d2214657dee69b8de812b3379e7", "packagetype": "bdist_wheel", "python_version": "3.6", "requires_python": null, "size": 7057, "upload_time": "2018-01-11T09:30:25", "url": "https://files.pythonhosted.org/packages/d9/6f/9d8ccffedbb5eda6cc8b40bea7d9a85c9d4178c735d451af0ff9e6b4ec9c/owasp_jenkins-1.0.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "51c313bf492fa0cb0ae9f7ede1588b36", "sha256": "db921eb79f0b7100e2aa909ef6bd7a4af11fb2a81331f2fdaf69521d1dfdb7e7" }, "downloads": -1, "filename": "owasp-jenkins-1.0.0.tar.gz", "has_sig": false, "md5_digest": "51c313bf492fa0cb0ae9f7ede1588b36", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6309, "upload_time": "2018-01-11T09:30:24", "url": "https://files.pythonhosted.org/packages/b8/63/d6c1c40714a47264f92cbaea62b776c3f72887e2f25f5f168fa926c2f497/owasp-jenkins-1.0.0.tar.gz" } ], "1.0.2": [ { "comment_text": "", "digests": { "md5": "5550df64e602798aa0be5ad7f2717156", "sha256": "679f4b6a7d4dc319cd816383457777cfbcffa882dd43fad9a0b6b07ba4f1a23e" }, "downloads": -1, "filename": "owasp_jenkins-1.0.2-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "5550df64e602798aa0be5ad7f2717156", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 9801, "upload_time": "2018-11-02T20:03:22", "url": "https://files.pythonhosted.org/packages/d8/24/4109d98aa26cc4ea9e7d34f8f294a084fb0dc7b4d9e9192f53763ed20a9c/owasp_jenkins-1.0.2-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "29a64bfbb23d606bb99a7a532649c412", "sha256": "d58b9be80c6d72c644d2591ba4e5a0a8602613e03811a352927e4c01c28169b1" }, "downloads": -1, "filename": "owasp-jenkins-1.0.2.tar.gz", "has_sig": false, "md5_digest": "29a64bfbb23d606bb99a7a532649c412", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19503, "upload_time": "2018-11-02T20:03:24", "url": "https://files.pythonhosted.org/packages/a0/93/04a531ad2d15d81308f49401137714b16bb0730ae334523099b910cd729b/owasp-jenkins-1.0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "5550df64e602798aa0be5ad7f2717156", "sha256": "679f4b6a7d4dc319cd816383457777cfbcffa882dd43fad9a0b6b07ba4f1a23e" }, "downloads": -1, "filename": "owasp_jenkins-1.0.2-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "5550df64e602798aa0be5ad7f2717156", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 9801, "upload_time": "2018-11-02T20:03:22", "url": "https://files.pythonhosted.org/packages/d8/24/4109d98aa26cc4ea9e7d34f8f294a084fb0dc7b4d9e9192f53763ed20a9c/owasp_jenkins-1.0.2-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "29a64bfbb23d606bb99a7a532649c412", "sha256": "d58b9be80c6d72c644d2591ba4e5a0a8602613e03811a352927e4c01c28169b1" }, "downloads": -1, "filename": "owasp-jenkins-1.0.2.tar.gz", "has_sig": false, "md5_digest": "29a64bfbb23d606bb99a7a532649c412", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19503, "upload_time": "2018-11-02T20:03:24", "url": "https://files.pythonhosted.org/packages/a0/93/04a531ad2d15d81308f49401137714b16bb0730ae334523099b910cd729b/owasp-jenkins-1.0.2.tar.gz" } ] }