This lab allows the student to run the OWASP Dependency Check against the webgoat .jar file from the Linux command line. The Dependency Check is run from a Docker Container. After the run the output is reviewed and methods for use of these reports by production monitoring applications is also covered. This is an example of a SAST test method for both build-time and run-time use.
Successfully complete this lab by achieving the following learning objectives:
- Run the get-webgoat.sh shell script
This shell script uses a wget command to pull the webgoat .jar file down for scanning on the EC2 instance.
$ sh get-webgoat.sh
- Run the run-depcheck.sh shell script as Super User
This shell script will run the OWASP Dependency Check program and scan the .jar file brought down from github.com. The script uses docker to run the program, and a ‘sudo’ must proceed the execution of this script because cloud_user is not in the docker group.
$ sudo sh run-depcheck.sh
- Copy the HTML reports produced to the Apache Web Server root Directory
The student runs the copy.sh script to copy the report output to the /var/www/html directory so that it can be viewed through a browser.
The ‘sudo’ command is needed for this because the destination directory does not grant write permission to the cloud_user user.
$ sudo sh copy.sh
- Use the Browser to view the Dependency Check Reports
The student may navigate to the reports by using the following URL addresses:
HTTP://[Public IP Address]/dependency-check-report.html