DependencyCheck Central Database Docker

Docker-based self-updating central OWASP DependencyCheck Database Server. This is an out-of-the-box solution for the central Enterprise Setup described here. It is based on a MySQL database.

Benefits

• Very fast analysis
• Self-updating, thus always up-to-date CVE data
• No manual central database setup required
• Analysis clients do not require internet access (see below)
• Improved reliability in case of connection issues to the NVD

Setup

Central Database Server

In order to start the Database Server simply run

docker run -p 3306:3306 stefanneuhaus/dependencycheck-central-mysql

NVD API key

To have a faster synchronization process, you should apply for an NVD API key. Get one at the NVD website. If you have one, start your Docker container with -e NVD_API_KEY=<Your API key here>.

Analysis Clients

All kinds of analysis clients are supported: Gradle, Maven, Ant, Jenkins, CLI. Apply the following changes to your build file:

• add buildscript dependency for com.mysql:mysql-connector-j
• disable database updates triggered by your project: autoUpdate = false
• add database connection parameters: data { ... }

Example (Gradle):

buildscript {
    repositories {
        mavenCentral()
        gradlePluginPortal()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:12.2.2'
        classpath 'com.mysql:mysql-connector-j:9.7.0'
    }
}

apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    autoUpdate = false
    data {
        connectionString = "jdbc:mysql://<DC_HOST>:3306/dependencycheck?useSSL=false&allowPublicKeyRetrieval=true"
        driver = "com.mysql.cj.jdbc.Driver"
        username = "dc"
        password = "dc"
    }
}

Start the Dependency Analysis:

./gradlew dependencyCheckAnalyze

Database Updates

Updates of the Database are triggered hourly. Upon container startup an initial update is triggered which can take quite some time (~15 min on my machine with an NVD API key). In order to get reliable analysis results the initial update must have finished successfully. Subsequent updates are incremental ones and should finish within a couple of seconds.

Compatibility

Client	Server
>= 6.3.0	12.2.2
>= 6.3.0	11.0.0
>= 6.3.0	10.0.2
>= 6.3.0	9.0.8
>= 6.3.0	8.0.0
>= 6.3.0	7.4.4
[6.3.0; 7.4.3]	6.5.3
[6.1.3; 6.2.2]	6.2.0
[6.0.0; 6.1.1]	6.0.2
[5.0.0; 5.3.2.1]	5.0.0
[1.4.1; 4.0.2]	4.0.2
< 1.4.1	n.a.

The server is not designed for updating its database structure manually. If you update your client to a version which is incompatible with your server version, you should just throw away the old server container and start a new one from a compatible image from scratch.

• Client: DependencyCheck used in your project to be analyzed
• Server: the dependencycheck-central-mysql-docker container

Notes

• Clients do not require internet access in general. There are only a few analyzers that do require it. Please refer to the OWASP DependencyCheck documentation for further information.
• Running the image as non-root: use the mysql(999:999) user provided by the base image (mysql).