OWASP Dependency Check Lab

Hands-On Lab

John Marx

Training Architect

This lab allows the student to run the OWASP Dependency Check against the WebGoat .jar file from the Linux command line. The Dependency Check is run from a Docker container. After the run, the output is reviewed, and methods for consuming these reports from production monitoring applications are also covered. This is an example of a SAST test method for both build-time and run-time use.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Use a terminal emulator to ssh into the EC2 instance.

Once on the server, use an ls command to verify that the shell scripts are in the cloud_user home directory. If they are not, wait for the AMI script to complete, then check again.

$ ls -l

Once you have verified that the instance is fully operational, use the get-webgoat.sh shell script to pull the WebGoat .jar file from github.com.

$ sh get-webgoat.sh

Once the .jar file is downloaded to the cloud_user home directory, run the shell script that uses Docker to pull the OWASP Dependency Check image from Docker Hub and execute it.

$ sudo sh run-depcheck.sh

Note: You will need the cloud_user password to run as a sudo user.

After the Dependency Check program has completed, you can use an ls command to view the reports created.

$ ls -l owreport/*

Once the reports are created, use the copy.sh script to copy the .html reports to the Apache web server root.

$ sudo sh copy.sh

After the files have been copied to the Apache root, check that they are there with an ls command.

$ ls -l /var/www/html

Now view the reports from your browser using the following URL addresses:

HTTP://[Public IP Address]/dependency-check-report.html

HTTP://[Public IP Address]/dependency-check-vulnerability.html
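The lab views the HTML reports by hand; to feed the same findings into a build gate or a production monitor you would parse the machine-readable report instead. The script below is an added example, not part of the lab's scripts, and assumes Dependency Check was also run with --format JSON so that dependency-check-report.json exists beside the HTML files; the sample report embedded here is constructed, with placeholder CVE ids, and follows the JSON report's dependencies / vulnerabilities / severity / cvssv3.baseScore field names.

```python
"""Summarise an OWASP Dependency-Check JSON report for a build gate or a monitor."""
import json
from collections import Counter

# Constructed sample in the shape of dependency-check-report.json (assumption:
# a second run with --format JSON). File names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "webgoat"},
    "dependencies": [
        {"fileName": "webgoat-server.jar", "vulnerabilities": []},
        {"fileName": "sample-lib-a-1.0.jar", "vulnerabilities": [
            {"name": "CVE-XXXX-0001", "severity": "CRITICAL",
             "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-XXXX-0002", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "sample-lib-b-2.3.jar", "vulnerabilities": [
            {"name": "CVE-XXXX-0003", "severity": "MEDIUM",
             "cvssv2": {"score": 5.0}}]},
    ],
})


def summarize(report_text):
    """Return (counts per severity, worst CVSS score, affected file names)."""
    report = json.loads(report_text)
    counts, worst, affected = Counter(), 0.0, []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []   # key is absent on clean files
        if not vulns:
            continue
        affected.append(dep["fileName"])
        for v in vulns:
            counts[v.get("severity", "UNKNOWN").upper()] += 1
            # Prefer the CVSS v3 base score, fall back to v2 when only that exists.
            score = ((v.get("cvssv3") or {}).get("baseScore")
                     or (v.get("cvssv2") or {}).get("score") or 0.0)
            worst = max(worst, float(score))
    return counts, worst, affected


def build_should_fail(report_text, max_cvss=7.0):
    """Build-time gate: True when any finding reaches max_cvss (like --failOnCVSS)."""
    return summarize(report_text)[1] >= max_cvss


def metrics_line(report_text):
    """Run-time use: one key=value line a log-based monitor can scrape and alert on."""
    counts, worst, affected = summarize(report_text)
    parts = [f"affected_files={len(affected)}", f"worst_cvss={worst:.1f}"]
    parts += [f"{sev.lower()}={n}" for sev, n in sorted(counts.items())]
    return " ".join(parts)


if __name__ == "__main__":
    print(metrics_line(SAMPLE_REPORT))
```

In the lab's layout the real file would be read from owreport/dependency-check-report.json and the metrics line appended to a log the monitoring stack already collects.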

That completes the lab.