Start owasp dep check docker image with custom command


Nikita Bublikov

Jul 12, 2020, 9:01:46 AM7/12/20
to Dependency Check
Hello!

I want to run the docker container with my custom command, but I don’t know how to write the command correctly.

1) Download dep check from https://hub.docker.com/r/owasp/dependency-check with the command "docker pull owasp/dependency-check" - it's ok

2) I believe that everything is ok with "docker run owasp/dependency-check"; on start it's ok:

sudo docker run owasp/dependency-check
[sudo] password for myuser: 
usage: Dependency-Check Core [--advancedHelp] [--enableExperimental]
       [--exclude <pattern>] [-f <format>] [--failOnCVSS <score>] [-h]
       [--junitFailOnCVSS <score>] [-l <file>] [-n] [-o <path>]
       [--prettyPrint] [--project <name>] [-s <path>] [--suppression
       <file>] [-v]

Dependency-Check Core can be used to identify if there are any known CVE
vulnerabilities in libraries utilized by an application. Dependency-Check
Core will automatically update required data from the Internet, such as
the CVE and CPE data files from nvd.nist.gov.


3) Now the task is this: I have a repository in the file system, I want to check it with dep check and get a report from the log files. I know that the command should be like that: sudo /home/myuser/dependency-check/bin/dependency-check.sh --project TEST --scan /path/to/project --out /home/myuser/TESTREPORT.html --enableExperimental --log /home/TESTLOG.txt

But how to properly run this image by mounting the repository in it and then the report appears? Trying to figure out Docker until I get it right...

Nikita Bublikov

Jul 12, 2020, 9:03:18 AM7/12/20
to Dependency Check
What should the full command look like?  

Hans Aikema

Jul 12, 2020, 10:14:36 AM7/12/20
to Nikita Bublikov, Dependency Check
Nikita,

You would typically invoke the script (or your customised version of it) that is shown on dockerhub while the current working directory is your repository checkout in the filesystem.

It would store the cached vulnerability databases and other caches within a subfolder OWASP-Dependency-Check in your user's home folder and store the resulting reports in a folder odc-reports inside your working directory (the checked out repository in your local filesystem).

If you insist on building your own command (e.g. because you generate it in some way for targeted named folders instead of relying on the 'current working directory'), the template for your docker run is the docker run in that sample script. It contains all the volume mounts in order to:
- have the dockerised DC see your source by mounting its folder (in the script the current working directory $pwd) in /src
- have the dockerised DC store the various caches in your local filesystem, so you can dispose of the container after use without losing the benefit of caching the vulnerability data of the various vulnerability sources, by mounting a folder (in the script a dedicated subfolder of your home directory) into /usr/share/dependency-check/data
- have the dockerised DC store the generated sources in your local filesystem by mounting a folder (in the script a subfolder odc-reports in the current working directory) into /report and setting /report as the report output folder with the --out /report parameter

kind regards,
Hans

On 12 Jul 2020, at 15:03, 'Nikita Bublikov' via Dependency Check <dependen...@googlegroups.com> wrote:

What should the full command look like?  
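The docker run that Hans's three mounts imply, as an added example (my own wrapper script, not the Docker Hub sample script): source to /src, the vulnerability-data cache to the image's data directory, and a host folder to /report with --out /report. It also carries over Nikita's --project, --enableExperimental and --log flags; the default cache and report locations, the HTML format, and writing the log under /report so it survives the container are my assumptions.

```shell
#!/bin/sh
# Added example, not the Docker Hub sample script. Builds the docker run line
# with the three mounts Hans describes. Assumed defaults: cache in
# $HOME/OWASP-Dependency-Check/data, reports in <src>/odc-reports, HTML output.
# The --log file is placed under /report (my choice): a path that is not
# mounted from the host, such as /home/TESTLOG.txt, vanishes with --rm.

# odc_cmd SRC_DIR PROJECT_NAME [DATA_DIR] [REPORT_DIR]
# Prints the command instead of running it, so it can be reviewed or logged.
odc_cmd() {
    src=$1
    project=$2
    data=${3:-$HOME/OWASP-Dependency-Check/data}
    report=${4:-$src/odc-reports}

    printf 'docker run --rm'
    # the checkout the container scans
    printf ' --volume "%s":/src' "$src"
    # NVD/CPE cache kept on the host so the next run does not re-download it
    printf ' --volume "%s":/usr/share/dependency-check/data' "$data"
    # report and log land here and stay visible after the container is gone
    printf ' --volume "%s":/report' "$report"
    printf ' owasp/dependency-check'
    printf ' --scan /src --project "%s" --format HTML --out /report' "$project"
    printf ' --enableExperimental --log /report/dependency-check.log\n'
}

# odc_run SRC_DIR PROJECT_NAME [DATA_DIR] [REPORT_DIR]
# Creates the host-side folders first (docker would otherwise create missing
# bind-mount sources owned by root) and executes the generated command.
odc_run() {
    mkdir -p "${3:-$HOME/OWASP-Dependency-Check/data}" "${4:-$1/odc-reports}"
    eval "$(odc_cmd "$@")"
}

# Usage: ./odc-scan.sh /home/myuser/src TEST
if [ "$#" -ge 2 ]; then
    odc_run "$@"
fi
```

After the run, the HTML report and dependency-check.log are in the odc-reports folder on the host, and the second run reuses the cached vulnerability data instead of downloading it again.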

Nikita Bublikov

Jul 13, 2020, 3:42:49 AM7/13/20
to Dependency Check
Well, that is, if for example I want to do everything according to a standard script, do I need to do the following?

 1. Create a directory /home/myuser/src

 2. Put the source code repository in it

 3. run the "docker run owasp/dependency-check" command from it

 4. The script will be launched, everything will be checked, and it will immediately create the odc-reports folder with the report. Is that all right?