Listen ReadSpeaker webReader: Listen Overview As a software developer who develops secure code, you will need to add vulnerability assessments to your list of code reviews. As an experienced...

1 answer below »


Listen ReadSpeaker webReader: Listen

Overview


As a software developer who develops secure code, you will need to add vulnerability assessments to your list of code reviews. As an experienced programmer, you know that the code you write using a web application framework may only amount to a small percentage of the overall web application code base. Most of the code to be compiled or interpreted for execution is locked away in libraries. Your web application is dependent upon the code in these libraries, which represents a dependency vulnerability.


In this assignment, you will have an opportunity to be proactive in DevSecOps! You will find potential security vulnerabilities using the OWASP dependency scanner. This is an open source scanner that points out potential security vulnerabilities known in the libraries of your code base. You can then make adjustments to your use of libraries based on the
dependency check
report. Implementing the dependency check process is highly recommended as part of DevSecOps. You have used a dependency check in the default configuration mode. Now, you will look at the configuration options to suppress the reporting of false positives.


In this assignment, you will find that this is a good place to alter the current OWASP dependency check for the suppression of false-positive reporting. To do so, you will need to create a suppression.xml file and revise the code in the pom.xml file of your software application, in order to change the configuration settings of the dependency check in Maven and point to this suppression.xml file.


Prompt


Please follow the steps below to complete this assignment.




  1. Static Testing: Using the
    code baseprovided, edit the pom.xml file to integrate the Maven dependency check. You may want to reference the
    Integrating the Maven Dependency Check Plug-in Tutorial. Then,
    run a dependency check
    and identify the known vulnerabilities found. Submit the HTML dependency check report with the known vulnerabilities found.


A dependency check will show false-positive vulnerabilities. It is important that you understand the false positives. You have been told that you cannot implement a fix at this time for the vulnerabilities identified because there is no solution that currently exists. However, you do not want this warning signal to pop up for the community of developers that will be testing the security of this code base.




  1. Reconfiguration: Sometimes, you have to live with an error until there is a fix for it. You must
    reconfigure the dependency check tool to stop the alarms for false positives
    by creating a suppression.xml file and revising the code in the pom.xml file to alter the configuration of the dependency check tool. By doing so, you will hide the false positives. Please note: The false positives are still there, but they won’t show up on the dependency check report. To reconfigure the dependency check tool, complete the following steps.

    1. Open the dependency report HTML file in a web browser.

    2. Click the
      suppress
      button next to the found vulnerability. See example below:




Published vulnerabilities screen showing the


    1. Click on the
      Complete XML Doc
      button, then use
      Ctrl+C
      to copy the highlighted contents as shown below:



Click on the


    1. Next, navigate back to the code base project in Eclipse and create a file called
      suppression.xml
      in the same directory as the pom.xml file.

    2. Add the contents you copied from the complete XML doc in Step C to the suppression.xml file you created.

    3. Edit the pom.xml file and add the following in the configuration section of the OWASP check:







suppression.xml






  1. Verification: Finally, use
    Maven Run As
    to run the dependency check again to
    verify that all dependencies are valid and no false positives exist. Submit the HTML dependency check report showing that all dependencies found are valid and no false positives are present.


In addition to the dependency check reports, be sure to zip the project folder in Eclipse and submit the refactored code including suppression.xml and the revised pom.xml file.


Guidelines for Submission


Submit (1) the refactored code (which includes the suppression.xml file you created and the pom.xml file you revised) and (2) a text submission that includes the HTML link for the dependency check report before reconfiguration and the HTML link for the new dependency check report after the reconfiguration with no false positives shown.

Answered 14 days AfterJul 31, 2022

Answer To: Listen ReadSpeaker webReader: Listen Overview As a software developer who develops secure code, you...

Aditi answered on Aug 03 2022
76 Votes
SOLUTION.PDF

Answer To This Question Is Available To Download

Related Questions & Answers

More Questions »

Submit New Assignment

Copy and Paste Your Assignment Here