DependencyCheck Central Database Docker

Docker-based, self-updating central OWASP DependencyCheck database server. This is an out-of-the-box solution for the central enterprise setup described here. It is backed by a MySQL database.

Benefits

  • Very fast analysis
  • Self-updating, thus always up-to-date CVE data
  • No manual central database setup required
  • Analysis clients do not require internet access (see below)
  • Improved reliability in case of connection issues to the NVD

Setup

Central Database Server

To start the database server, simply run:

docker run -p 3306:3306 stefanneuhaus/dependencycheck-central-mysql

Analysis clients

All kinds of analysis clients are supported: Gradle, Maven, Ant, Jenkins, CLI. Apply the following changes to your build file:

  • add buildscript dependency for mysql:mysql-connector-java:5.1.44
  • disable database updates triggered by your project: autoUpdate = false
  • add database connection parameters: data { ... }

Example (Gradle):

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:3.1.2'
        // JDBC driver needed to reach the central MySQL database
        classpath 'mysql:mysql-connector-java:5.1.44'
    }
}

apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    // the central server keeps the CVE data current; clients must not update it
    autoUpdate = false
    data {
        // useSSL=false sends credentials and CVE data in clear text; keep it only on a
        // trusted network, otherwise enable TLS on the server and drop the parameter
        connectionString = "jdbc:mysql://<DC_HOST>:3306/dependencycheck?useSSL=false"
        driver = "com.mysql.jdbc.Driver"
        username = "dc"
        // placeholder: set the password configured on your central database server
        password = "change-me"
    }
}

Start the Dependency Analysis:

./gradlew dependencyCheckAnalyze

Database updates

Updates of the database are triggered on the hour. Note that the initial update can take quite some time (~30 min on my machine). To get reliable analysis results, the initial update must have finished successfully. Subsequent updates are incremental and should finish within a couple of seconds.
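An added pre-flight script (not part of this project) that a CI job can run before ./gradlew dependencyCheckAnalyze: it refuses the placeholder password from the Gradle example, checks that the central database has finished its initial NVD import and is fresh, and only then starts the analysis. It assumes a mysql client on the PATH and that the dependency-check schema records the NVD last-modified epoch-millisecond stamp in the properties table under id 'NVD CVE Modified' (an assumption; confirm against your schema version).

```shell
#!/bin/sh
# Added example, not part of the dependencycheck-central-mysql project.
# Assumptions: `mysql` client on PATH; the `properties` table holds the NVD
# last-modified stamp (epoch ms) under id 'NVD CVE Modified'.
DC_HOST="${DC_HOST:-localhost}"
DC_USER="${DC_USER:-dc}"
DC_PASSWORD="${DC_PASSWORD:-}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-24}"   # hourly updates: anything older is suspect

# Reject an empty password or the README placeholder "change-me".
check_password() {
  [ -n "$1" ] && [ "$1" != "change-me" ]
}

# is_fresh LAST_MS NOW_S MAX_HOURS: success when the NVD stamp (epoch ms)
# is no older than MAX_HOURS relative to NOW_S (epoch seconds).
# A stamp of 0 means the initial import never completed.
is_fresh() {
  last_s=$(( $1 / 1000 ))
  age_s=$(( $2 - last_s ))
  [ "$age_s" -ge 0 ] && [ "$age_s" -le $(( $3 * 3600 )) ]
}

# Read the stamp from the central DB; password via MYSQL_PWD so it does not
# show up in the process list.
last_modified_ms() {
  MYSQL_PWD="$DC_PASSWORD" mysql -h "$DC_HOST" -u "$DC_USER" -N -s \
    -e "SELECT value FROM properties WHERE id='NVD CVE Modified'" dependencycheck
}

main() {
  check_password "$DC_PASSWORD" || { echo "set DC_PASSWORD (not the default)" >&2; return 2; }
  ts=$(last_modified_ms) || { echo "central database unreachable" >&2; return 1; }
  is_fresh "${ts:-0}" "$(date +%s)" "$MAX_AGE_HOURS" \
    || { echo "initial NVD import not finished, or data stale" >&2; return 1; }
  ./gradlew dependencyCheckAnalyze
}

# Only run when explicitly requested, so the file can also be sourced.
if [ "${DC_PREFLIGHT_RUN:-0}" = "1" ]; then
  main
fi
```

Run it from CI with DC_PREFLIGHT_RUN=1 and DC_PASSWORD set from a secret store; the exit code gates the analysis step.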

Compatibility

Plugin versions used in the project being analyzed (client) usually stay compatible with the DependencyCheck Enterprise Docker Database (server) for a long time. All client/server combinations with version >= 1.4.1 should work together.

Notes