OWASP Dependency Check Lab
This lab allows the student to run the OWASP Dependency Check against the webgoat .jar file from the Linux command line. The Dependency Check is run from a Docker Container. After the run the output is reviewed and methods for use of these reports by production monitoring applications is also covered. This is an example of a SAST test method for both build-time and run-time use.
Use a terminal emulator to ssh into the EC2 instance.
Once on the server, use a ls command to verify that the shell scripts are in the cloud_user's homw directory. If they are not, wait for the AMI script to complete, then check again.
$ ls -l
Once you have verified that the instance is fully operational, use the get-webgoat.sh shell script to pull the webgoat .jar file from github.com
$ sh get-webgoat.sh
Once the .jar file is downloaded to the cloud_user home directory, run the shell script that uses docker to pull the OWASP Dependency Check program from Docker Hub and execute it.
$ sudo sh run-depcheck.sh
*Note: You will need the cloud_user password to run as a sudo user.
After the Dependency Check program has completed, you can use an ls command to view the reports created.
$ ls -l owreport/*
Once created, use the copy.sh script to copy the .html reports to the apache web server root.
$ sudo sh copy.sh
After the files have been copied to the apach root, check that they are there with an ls command.
$ ls -l /var/www/html
Now view the reports from your browser usiing the following URL addresses:
HTTP://[Public IP Address]/dependency-check-report.html
HTTP://[Public IP Address]/dependency-check-vulnerability.html
That completes the lab.