
Enabled external database support in OWASP Dependency Check. #158

Open: wants to merge 1 commit into master

Conversation

bobthesecurityguy (Contributor)

  • Updated OWASP Dependency Check task to parse options for external CVE database.
  • Added PostgreSQL plugin to docker image to allow use of external Postgres databases in Docker image.

This enables glue to optionally use a separate, persistent database for OWASP Dependency Check. Doing so enables the use of this task from the Glue docker image (or other Glue system of your choice) without needing to download and process the CVE lists on each run and without baking the database into the image. OWASP Dependency Check does not automatically initialize the appropriate tables, so the external database must be initialized out-of-band using the SQL scripts from the upstream Dependency Check repository.

This can be used in commands like: glue --owasp-db-driver-name org.postgresql.Driver --owasp-db-connection-string jdbc:postgresql://dependencycheck-postgresql.svc.cluster.local/dependencycheck --owasp-db-user dependencycheck --owasp-db-pass $OWASP_DB_PASS -t OWASPDependencyCheck .

…OWASP Dependency Check task to parse options for external CVE database. Added PostgreSQL plugin to docker image to allow use of external Postgres databases if glue is spun up in a CI pipeline.
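The option mapping the description outlines, written out as an added example in Ruby (Glue's own language) rather than code from this PR: it turns glue-style external-database options into Dependency Check CLI arguments, skips anything unset so the default embedded database stays in use, refuses a half-configured driver/connection pair, and takes the password from `OWASP_DB_PASS` when it is not given explicitly. The Dependency Check flag names (`--dbDriverName`, `--connectionString`, `--dbUser`, `--dbPassword`) are the upstream CLI's; the `dependency-check.sh` invocation, the option hash keys and the validation rule are assumptions made for this illustration, not Glue's implementation.

```ruby
# Added example, not Glue's own code. Maps external-database options of the
# kind this PR adds onto the Dependency Check CLI and builds the command line.
require 'shellwords'

module OwaspDbOptions
  # glue-style option key => upstream Dependency Check CLI flag
  FLAG_MAP = {
    owasp_db_driver_name:       '--dbDriverName',
    owasp_db_connection_string: '--connectionString',
    owasp_db_user:              '--dbUser',
    owasp_db_pass:              '--dbPassword'
  }.freeze

  # Extra CLI arguments in a fixed order; unset or blank options are skipped
  # so a run without external-DB options behaves exactly as before.
  def self.args_for(options)
    FLAG_MAP.flat_map do |key, flag|
      value = options[key]
      value.nil? || value.to_s.strip.empty? ? [] : [flag, value.to_s]
    end
  end

  # Driver name and connection string only make sense together: with one of
  # them missing the scanner would silently fall back to its embedded
  # database and re-download the CVE data on every run.
  def self.validate!(options)
    has_driver = !options[:owasp_db_driver_name].to_s.strip.empty?
    has_conn   = !options[:owasp_db_connection_string].to_s.strip.empty?
    if has_driver != has_conn
      raise ArgumentError, 'owasp-db-driver-name and owasp-db-connection-string must be set together'
    end
    options
  end

  # Full shell-escaped command. The password falls back to the OWASP_DB_PASS
  # environment variable (as in the PR's usage line) when not passed in.
  # 'dependency-check.sh --format XML --scan <path>' is an assumed base
  # invocation for illustration.
  def self.command(scan_path, options, env = ENV)
    opts = options.dup
    opts[:owasp_db_pass] ||= env['OWASP_DB_PASS']
    validate!(opts)
    base = ['dependency-check.sh', '--format', 'XML', '--scan', scan_path]
    Shellwords.join(base + args_for(opts))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample options mirroring the PR description's usage line.
  sample = {
    owasp_db_driver_name:       'org.postgresql.Driver',
    owasp_db_connection_string: 'jdbc:postgresql://dependencycheck-postgresql.svc.cluster.local/dependencycheck',
    owasp_db_user:              'dependencycheck'
  }
  puts OwaspDbOptions.command('.', sample, { 'OWASP_DB_PASS' => 'example-only' })
end
```

`args_for` is the piece a small test of the kind asked for later in the thread would cover: it is pure, so asserting on the returned argument array needs no scanner, no database and no Docker image.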
omerlh (Collaborator) commented Apr 10, 2019

That sounds heavy - I would recommend using the dynamic task for that. This will allow you to use dependency check however you want :)

bobthesecurityguy (Contributor, Author)

I'm not sure I understand your comment. "heavy" in what way? Is this an issue with the flags, with the inclusion of the Postgres plugin in the docker image, or both?

Re-implementing the existing Dependency Check report parser as a dynamic task mapping sounds much more complicated to me than adding a couple of flags that get passed directly through to the scanner.

omerlh (Collaborator) commented Apr 10, 2019

It's just my personal point of view. I said heavy because this makes the image larger, and also adds more features to test. I'm against it, but if you are willing to go this route, I'd appreciate it if you could add a test or two, just to ensure the correct arguments are added. The test coverage is not amazing, but I want to make it better.

stale bot commented Jun 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the stale label Jun 9, 2019