OWASP Dependency Check Lab

Hands-On Lab


John Marx

Training Architect

Length

01:00:00

Difficulty

Beginner

This lab allows the student to run the OWASP Dependency Check against the webgoat .jar file from the Linux command line. The Dependency Check is run from a Docker container. After the run, the output is reviewed, and methods for using these reports in production monitoring applications are also covered. This is an example of a SAST test method for both build-time and run-time use.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Use a terminal emulator to ssh into the EC2 instance.

Once on the server, use an ls command to verify that the shell scripts are in the cloud_user's home directory. If they are not, wait for the AMI script to complete, then check again.

$ ls -l

Once you have verified that the instance is fully operational, use the get-webgoat.sh shell script to pull the webgoat .jar file from github.com.

$ sh get-webgoat.sh

Once the .jar file is downloaded to the cloud_user home directory, run the shell script that uses Docker to pull the OWASP Dependency Check program from Docker Hub and execute it.

$ sudo sh run-depcheck.sh

*Note: You will need the cloud_user password to run as a sudo user.

After the Dependency Check program has completed, you can use an ls command to view the reports created.

$ ls -l owreport/*

Once created, use the copy.sh script to copy the .html reports to the apache web server root.

$ sudo sh copy.sh

After the files have been copied to the apache root, check that they are there with an ls command.

$ ls -l /var/www/html

Now view the reports from your browser using the following URL addresses:

HTTP://[Public IP Address]/dependency-check-report.html

and...

HTTP://[Public IP Address]/dependency-check-vulnerability.html
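The lab's own scripts (get-webgoat.sh, run-depcheck.sh, copy.sh) are not shown on this page, and the reports are viewed by hand in a browser. The following is an added example, not part of the lab, of how the same Dependency Check run and the "use by production monitoring applications" step look when scripted: it builds the docker command for the official owasp/dependency-check image (the image name and the --scan/--format/--out/--project flags are the documented CLI options; the exact volume layout is an assumption), asks for a JSON report instead of HTML, and then filters that report by CVSS score so a build or monitoring job can fail on it. The sample report embedded at the bottom is constructed for this example and uses placeholder CVE ids; it is not real scan output.

```python
"""Added example: drive OWASP Dependency Check from Docker and gate on its JSON report.

Not part of the lab's scripts. The JSON layout used here (dependencies[].vulnerabilities[]
with cvssv3.baseScore / cvssv2.score) follows the dependency-check JSON report format;
the sample report below is constructed, not a real scan result.
"""
import subprocess
from pathlib import Path

DEPCHECK_IMAGE = "owasp/dependency-check"  # official image on Docker Hub


def build_depcheck_command(target, out_dir, fmt="JSON", project="webgoat"):
    """Return the docker command line equivalent to the lab's run-depcheck.sh (assumed).

    The jar's directory is mounted read-only at /src and the report directory at /report.
    """
    target = Path(target).resolve()
    out_dir = Path(out_dir).resolve()
    return [
        "docker", "run", "--rm",
        "-v", f"{target.parent}:/src:ro",
        "-v", f"{out_dir}:/report",
        DEPCHECK_IMAGE,
        "--scan", f"/src/{target.name}",
        "--format", fmt,
        "--out", "/report",
        "--project", project,
    ]


def run_depcheck(target, out_dir):
    """Run the scan (needs docker, like the lab) and return the JSON report path."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    subprocess.run(build_depcheck_command(target, out_dir), check=True)
    return Path(out_dir) / "dependency-check-report.json"


def _score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither is present."""
    for block_key, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        block = vuln.get(block_key)
        if block and block.get(field) is not None:
            return float(block[field])
    return None


def summarize_report(report, min_cvss=7.0):
    """Return one row per (dependency, CVE) at or above min_cvss, highest score first."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = _score(vuln)
            if score is not None and score >= min_cvss:
                findings.append({
                    "file": dep.get("fileName", "?"),
                    "id": vuln.get("name", "?"),
                    "severity": vuln.get("severity", "?"),
                    "score": score,
                })
    findings.sort(key=lambda f: (-f["score"], f["file"], f["id"]))
    return findings


def gate(report, min_cvss=7.0):
    """Build/monitoring gate: (passed, findings). Passed only when nothing reaches min_cvss."""
    findings = summarize_report(report, min_cvss)
    return len(findings) == 0, findings


# Constructed sample report (placeholder CVE ids and library names, not real data).
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "projectInfo": {"name": "webgoat"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {
            "fileName": "other-lib-2.1.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
            ],
        },
        {"fileName": "clean-lib-3.0.jar"},
    ],
}


if __name__ == "__main__":
    passed, rows = gate(SAMPLE_REPORT, min_cvss=7.0)
    for row in rows:
        print(f"{row['score']:>4}  {row['severity']:<8} {row['id']}  {row['file']}")
    print("GATE", "PASS" if passed else "FAIL")
    # Real run against the lab's jar would be:
    # report = json.load(open(run_depcheck("webgoat.jar", "owreport")))
```

In a pipeline, `run_depcheck` produces the JSON file next to the HTML report the lab copies to apache, and `gate` turns it into an exit status; the CVSS threshold is the policy knob, with 7.0 (HIGH and above) as the usual starting point.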

That completes the lab.