Question
Overview
In this assignment, you'll conduct a dependency check, a type of static testing that detects vulnerabilities associated with the library dependencies the application needs. Static testing lets you identify vulnerabilities in the code without executing it. In this assignment, you'll do the following:
Identify software security vulnerabilities by running code through a static tester.
Identify potential mitigation techniques that have been used to mitigate against vulnerabilities associated with known exploits.
Scenario
You're a senior software developer on a team of software developers. The team is responsible for a large web application that uses the Spring Framework.
The software development team discussed the vulnerabilities in the code base found during your manual code review. The team plans to mitigate those vulnerabilities. The team is also adding new functionality that requires a new library. A best practice for ensuring secure code is to run a dependency check against both the refactored code base and the additional library. There are tools to help with dependency checks, and you'll integrate a dependency-check tool into your vulnerability assessment workflow.
Directions
To begin, open the Module Two Coding Assignment Code Base, linked in the Supporting Materials section, in Eclipse. Refer to the Uploading Files to Eclipse Desktop Version Tutorial, linked in the Supporting Materials section, for testing the code base in Eclipse. Then integrate the Maven Dependency-Check Plugin for the code base.
Please note: Integrating the static testing tool was a non-graded task that you should have completed in the previous module. You may have already completed these steps.
Follow the instructions in the Integrating the Maven Dependency-Check Plugin Tutorial, linked in Supporting Materials, to learn how to integrate the dependency-check plugin into Maven and run it for static testing. Use the instructions in the tutorial to identify the software security vulnerabilities, and document them in the Module Two Coding Assignment Template, linked in What to Submit.
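The following pom.xml fragment is an added example of the integration step, not part of the assignment's code base or the tutorial it references. It wires the OWASP dependency-check-maven plugin into the build so that `mvn verify` produces the report; the version number and the suppression file path are placeholders you replace with the current plugin release and your own file.

```xml
<!-- Added example: pom.xml build section integrating dependency-check-maven.
     REPLACE_WITH_CURRENT_VERSION is a placeholder for the plugin release in use. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>REPLACE_WITH_CURRENT_VERSION</version>
      <configuration>
        <!-- ALL writes the HTML report (for the screenshot) and machine-readable
             formats such as JSON/CSV into target/ for later triage -->
        <format>ALL</format>
        <!-- Break the build when any finding has a CVSS base score of 7.0 or higher,
             so high and critical CVEs cannot be merged silently -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Reviewed false positives are recorded in a suppression file
             (placeholder path; see the false-positive discussion below) -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- The check goal binds to the verify phase by default -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` (or `mvn org.owasp:dependency-check-maven:check` without changing the lifecycle) writes target/dependency-check-report.html, whose header carries the scan information the rubric asks you to capture. Newer plugin releases expect an NVD API key (the `nvdApiKey` setting) and download the vulnerability data very slowly without one, so the first run can take a long time.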
Specifically, you must address the following rubric criteria:
Run the dependency check on the code base. Include a screenshot of the resulting HTML report in your Module Two Coding Assignment Template. Make certain the screenshot includes the scan information at the top of the dependency-check report.
Document the results from the dependency check. In your Module Two Coding Assignment Template, make certain to include the codes and descriptions of each dependency that you found.
Analyze the results to identify the best solutions for addressing dependencies in the code base. Summarize your findings in your Module Two Coding Assignment Template. You can refer to industry standard guidelines such as the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), both linked in Supporting Materials.
Also consider why you should filter false positives from the dependency-check tool, and discuss this in the Module Two Coding Assignment Template.
To learn about the dependencies and interpret the results from the report, click on each dependency listed as shown below.
Figure: Dependency check report. A box outlines the dependency header and an example link to the dependency description.
Information about the dependency description, its severity, and potential solutions will also be available from the NVD. You can access this information by clicking on the matching Common Platform Enumeration (CPE), then selecting the Vulnerability ID.
Figure: Dependency check report. A box outlines the CPE header and an example link to the CPE description.
Figure: Search results on the National Vulnerability Database website. A box outlines the Vuln ID header and an example link to the Vulnerability ID description.
