Skip to main content

Automate your OWASP analysis within a Jenkins docker container that is preconfigured to use Ansible to scan and report on potential python security issues before they are deployed to production.

Project description

OWASP Jenkins in Docker

Want to automate testing your web applications and REST API service layers using the latest OWASP security toolchains and the NIST National Vulnerability Database (NVD)?

This repository uses Ansible to create a docker container to hold an automatically-configured Jenkins application with the OWASP Dependency Checker, NIST NVD, Python OWASP ZAP, and Openstack Bandit installed. All Jenkins jobs run inside this docker container and are hosted using self-signed ssl certificates.

Hopefully this will make securing your applications easier by jumpstarting your testing with the OWASP Top 10 Application Security Risks - 2017.

Quickly Analyze any Repository with OWASP

Here’s how to scan a repository for security issues. This will download the latest https://hub.docker.com/r/jayjohnson/owasp-jenkins container. Please note: because there are so many known vulnerabilities to test, the container inflates to a size of about 4.4 GB on disk.

In this example I am testing the Bandit repository https://github.com/openstack/bandit.git and will create the owasp-report-<date>.html file in the current directory before removing the container.

  1. Check there’s nothing in the directory:

    ls | grep html
  2. Pick a Repository to Scan

    repo=https://github.com/openstack/bandit.git
  3. Run the OWASP Analysis and Generate the HTML Report

    docker run --name owasp-jenkins -p 8443:8443 -v $(pwd):/opt/reports -it -d jayjohnson/owasp-jenkins:latest && docker exec -it owasp-jenkins git clone $repo /opt/scanrepo && docker exec -it owasp-jenkins ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir="/opt/scanrepo" -e owasp_report_file="/opt/reports/owasp-report-$(date +'%Y-%m-%d-%H-%M-%S').html"

    This will log something like below:

    d9d9c4e1945b7c0822f29aaae4db48842454ed693e1cc40d041f8362cd49cb12
    Cloning into '/opt/scanrepo'...
    remote: Counting objects: 5975, done.
    remote: Compressing objects: 100% (26/26), done.
    remote: Total 5975 (delta 5), reused 21 (delta 0), pack-reused 5949
    Receiving objects: 100% (5975/5975), 1.39 MiB | 0 bytes/s, done.
    Resolving deltas: 100% (4104/4104), done.
    [WARNING]: log file at /opt/owasp/ansible/"/tmp/owasp-jenkins.log" is not writeable and we cannot create it, aborting
    
    
    PLAY [Running OWASP Analysis] **************************************************
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [set_fact] ****************************************************************
    ok: [localhost]
    
    TASK [Checking if this is a rebuild_nvd=0] *************************************
    skipping: [localhost]
    
    TASK [Building OWASP Arguments] ************************************************
    ok: [localhost]
    
    TASK [Running OWASP Report depchecker=/opt/tools/depcheck/dependency-check-cli/target/release/bin/dependency-check.sh owasp_args= -n --enableExperimental true --out /opt/reports/owasp-report-2018-01-10-20-21-18.html --scan /opt/scanrepo -P /opt/owasp/ansible/roles/install/files/initial-pom.xml --project analyze-this-code --data /opt/nvd] ***
    changed: [localhost]
    
    TASK [Checking if the OWASP Report=/opt/reports/owasp-report-2018-01-10-20-21-18.html exists] ***
    ok: [localhost]
    
    TASK [Verifying OWASP Report=/opt/reports/owasp-report-2018-01-10-20-21-18.html was created] ***
    skipping: [localhost]
    
    PLAY RECAP *********************************************************************
    localhost                  : ok=12   changed=1    unreachable=0    failed=0
  4. Verify the OWASP HTML Report Exists

    ls | grep html
    owasp-report-2018-01-10-20-21-18.html
  5. Cleanup the Docker Container

    docker stop owasp-jenkins; docker rm owasp-jenkins
    owasp-jenkins
    owasp-jenkins

Setting up Jenkins for Automating your Security Testing

Start the Container

If you want to set up the Jenkins container or onboard an application with OWASP testing you can start the container with:

./start.sh

Login to Jenkins

The login for the Jenkins instance is:

  • username: admin

  • password: testing

https://localhost:8443/

Running the OWASP Tools Manually

I find it easier to initially integrate my applications with the OWASP + NIST toolchains by manually running tests from inside the container without a Jenkins job to debug at the same time.

SSH into the container with:

docker exec -it owasp-jenkins bash

or from the base repository directory:

./ssh.sh

Confirm you’re in the ansible directory:

pwd
/opt/owasp/ansible

Run OWASP Analysis and Generate an HTML Report

This command will analyze the repository’s /opt/owasp/owasp_jenkins/log/*.py modules using verbose Ansible terminal output. This is helpful for figuring out what Ansible is doing under the hood. By default the Ansible playbook will create the OWASP html file inside the docker container directory: /opt/reports. This directory is set up in the compose file to auto-mount to the host’s directory ./reports from the repository to make sharing and viewing these html reports easier.

ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir="/opt/owasp/owasp_jenkins/log" -e owasp_report_file="/opt/reports/owasp-report.html" -vvvv

Run Bandit Analysis and Generate an HTML Report

This will analyze the Bandit project’s own code with the bandit analyzer and generate an html report that will be stored on the host in the ./reports directory.

ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir="/opt/owasp/venv/lib/python3.5/site-packages/bandit" -e bandit_report_file="/opt/reports/bandit-report.html" -vvvv

Onboarding Your Own Application with OWASP

The Ansible playbook configures the Dependency Checker parameters for making onboarding easier even behind a corporate proxy. These are the general steps I run through to get an application automatically scanned within a Jenkins job.

  1. Changing the Runtime Parameters

    Please checkout what can be overridden from the ansible-playbook cli using the -e <arg name>="<arg value>" and then port them into your Jenkins build jobs.

    https://github.com/jay-johnson/owasp-jenkins/blob/master/ansible/roles/install/vars/jenkins-runtime-latest.yml

  2. Tuning OWASP Runtime Arguments

    The Dependency Checker supports numerous parameters to test and audit an application. I would recommend periodically reviewing what has changed to make sure you are using the right ones for each application:

    https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

    This repository was built to analyze python, but the default pom.xml file is set up with most of the available language analyzers enabled (node.js, java, .NET, ruby, php) and uses the default flag: owasp_analyzers="--enableExperimental true"

  3. Setting up an OWASP pom.xml file

    There are two sample pom.xml files in the repo. One is for testing with my celery-connectors repository and the other is the default.

    There are numerous different configurable options that each application should review to ensure they are testing their code accordingly.

    https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

    Once you have a pom.xml ready for testing you can use it with the run-owasp-analysis.yml by adding the arguments:

    -e owasp_pom="<path to your application pom.xml>"

  4. Set up OWASP Jenkins Jobs

    I prefer to set up my Jenkins jobs using the Execute shell - Command to configure my security toolchains in my CI/CD pipelines. These are the shell snippets for how I set up my initial OWASP jobs for a new security-ready CI/CD pipeline.

    1. NIST National Vulnerability Database Update Job

      This job should run every seven days to pull in the latest updates or you can just rebuild this container (just a friendly reminder, don’t forget to back up or migrate your jobs):

      https://jeremylong.github.io/DependencyCheck/data/index.html

      echo "Downloading NIST National Vulnerability Database file"
      . /opt/owasp/venv/bin/activate
      cd /opt/owasp/ansible
      ansible-playbook -i inventories/inventory_dev download-nvd.yml -vvvv
    2. Run OWASP and Bandit Analysis on any new repo PR or merged-PR Job

      I usually assume the Jenkins job has WORKSPACE as the directory for the source code to check. I also try to automate email delivery by making sure the auto-generated html files are under the job’s workspace to ensure the job can send an email with the files attached for review.

      echo "Running OWASP Analysis on Workspace=${WORKSPACE}"
      . /opt/owasp/venv/bin/activate
      cd /opt/owasp/ansible
      
      # If needed, make sure to specify the path to the repository's pom.xml:
      # -e owasp_pom="/opt/owasp/ansible/roles/install/files/initial-pom.xml"
      # and set the project label to match it:
      # -e owasp_project_label="analyze-this-code"
      ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e owasp_scan_dir="${WORKSPACE}" -e owasp_report_file="${WORKSPACE}/owasp-report.html" -vvvv
      
      echo "Running Bandit Analysis on Workspace=${WORKSPACE}"
      ansible-playbook -i inventories/inventory_dev run-bandit-analysis.yml -e bandit_scan_dir="${WORKSPACE}" -e bandit_report_file="${WORKSPACE}/bandit-report.html" -vvvv
    3. Update NIST Downloader and Dependency Checker Tools Job

      This job will update the local, cloned repositories for the NIST NVD Downloader and Dependency Checker. This is helpful if you have to maintain an internal fork of these repositories for enhancing or modifying their testing.

      echo "Installing NIST National Vulnerability Database and NVD Dependency Checker using Ansible and Maven"
      . /opt/owasp/venv/bin/activate
      cd /opt/owasp/ansible
      ansible-playbook -i inventories/inventory_dev install-tools.yml -vvvv

Build the OWASP Jenkins Container

This will build a large docker container (derived from jenkins/jenkins:latest) by installing the following security packages listed below. If you want to install these later after the build you can run the Ansible playbooks as needed by commenting out the install lines of the Dockerfile (https://github.com/jay-johnson/owasp-jenkins/blob/master/Dockerfile#L84-L102).

Build the container using this script in the base directory of the repository:

./build.sh

While you’re waiting, here’s what is installing inside the container:

Container OWASP Coverage Analysis

So how does this container and approach help cover applications for the 2017 OWASP Top 10 Application Security Risks?

The container was built to help quickly secure python application code with Bandit for Static Application Security Testing (SAST) and ZAP for Dynamic Application Security Testing (DAST). There’s tradeoffs to adding more and more tools to cover each item because while the tools might help find more security risks the tradeoff is your team just added more testing overhead to support tools and keep them updated with your application builds.

This is a table to visualize how the container helps tests the OWASP Top 10:

OWASP Top 10 Application Security Risks - 2017

DAST

SAST

Third Party

A1 Injection

ZAP

Bandit

Dependency Check

A2 Broken Authentication

ZAP

Bandit

Dependency Check

A3 Sensitive Data Exposure

ZAP

Bandit

Dependency Check

A4 XML External Entities

ZAP

Bandit

Dependency Check

A5 Broken Access Control

ZAP

Bandit

Dependency Check

A6 Security Misconfiguration

ZAP

Bandit

Dependency Check

A7 Cross Site Scripting

ZAP

Bandit

Dependency Check

A8 Insecure Deserialization

None

Bandit

Dependency Check

A9 Using Components with Known Vulnerabilities

ZAP

None

Dependency Check

A10 Insufficient Logging and Monitoring

None

None

None

Force a Rebuild of the NVD H2 files using the Dependency Checker

If you want to manually download the latest NVD updates you can run the included Ansible playbook from inside the container. This can take a while if you’re behind a proxy so I usually have a dedicated Jenkins job that handles updating the h2 database during off hours.

ansible-playbook -i inventories/inventory_dev run-owasp-analysis.yml -e rebuild_nvd=1 -e owasp_scan_dir="/opt/owasp/owasp_jenkins/log" -vvvv

Cleaning up Everything on the Host before a Clean Rebuild

Please be careful. This command will delete all the downloaded NIST NVD data files, maven, and the Dependency Checker tool if you have host-mounted them and commented-out the ansible-playbook install steps in the Docker container.

sudo rm -rf ./docker/data/nvd/* ./docker/data/nvd/.git ./docker/data/tools/nvd/* ./docker/data/tools/nvd/.git ./docker/data/tools/depcheck/* ./docker/data/tools/depcheck/.git ./docker/data/tools/*

Setting up a Development Environment

Setup the virtual environment with the command:

virtualenv -p python3 venv && source venv/bin/activate && pip install -e .

Linting

pycodestyle --max-line-length=160 --exclude=venv,build,.tox

License

Apache 2.0 - Please refer to the LICENSE for more details

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

owasp-jenkins-1.0.2.tar.gz (19.5 kB view details)

Uploaded Source

Built Distribution

owasp_jenkins-1.0.2-py2.py3-none-any.whl (9.8 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file owasp-jenkins-1.0.2.tar.gz.

File metadata

  • Download URL: owasp-jenkins-1.0.2.tar.gz
  • Upload date:
  • Size: 19.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.19.1 setuptools/40.4.3 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.6.5

File hashes

Hashes for owasp-jenkins-1.0.2.tar.gz
Algorithm Hash digest
SHA256 d58b9be80c6d72c644d2591ba4e5a0a8602613e03811a352927e4c01c28169b1
MD5 29a64bfbb23d606bb99a7a532649c412
BLAKE2b-256 a09304a531ad2d15d81308f49401137714b16bb0730ae334523099b910cd729b

See more details on using hashes here.

File details

Details for the file owasp_jenkins-1.0.2-py2.py3-none-any.whl.

File metadata

  • Download URL: owasp_jenkins-1.0.2-py2.py3-none-any.whl
  • Upload date:
  • Size: 9.8 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.19.1 setuptools/40.4.3 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.6.5

File hashes

Hashes for owasp_jenkins-1.0.2-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 679f4b6a7d4dc319cd816383457777cfbcffa882dd43fad9a0b6b07ba4f1a23e
MD5 5550df64e602798aa0be5ad7f2717156
BLAKE2b-256 d8244109d98aa26cc4ea9e7d34f8f294a084fb0dc7b4d9e9192f53763ed20a9c

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page