Step 1: Create your free Community Edition Account

Sign up to track your application's security posture now and over time as it evolves.

Skip to Step 2 if you already have a Community Edition account.

Create a Community Edition Account

Step 2: Install the Scanner

The Contrast Dependency Scanner is a NodeJS package that can be installed with a single command:

npm install -g @contrast/contrast-cli
- OR -
yarn global add @contrast/contrast-cli

Step 3: Obtain Automation Keys

Log in to Contrast Community Edition.
At the top right, expand your name and open user settings.
Scroll down to locate “Your Keys”.
Click “Generate Sample API Request”.

This automation request contains secret tokens that will enable scanning of the application.


Step 4: Create a Project

Paste your Sample API Request into the form on this page to automatically generate the file that creates your project.

Save the resulting file as create_application.yaml.

Then run:

contrast-cli --catalogue_application --yamlPath create_application.yaml

Step 5: Copy Your Application UUID

Copy the UUID to scan your application.


Step 6: Create Your Scan Configuration

Copy the YAML file from Step 4. Replace the two lines that identify the application by name with the application_id line carrying the UUID from the creation command, and add the report line, as shown below.

Old create_project.yaml:

cli:
  api_key: YOUR_API_KEY
  organization_id: YOUR_ORG_ID
  authorization: YOUR_AUTH_TOKEN
  host: https://ce.contrastsecurity.com/Contrast
  language: JAVA
  application_name: MyApplication

New scan.yaml:

cli:
  api_key: YOUR_API_KEY
  organization_id: YOUR_ORG_ID
  authorization: YOUR_AUTH_TOKEN
  host: https://ce.contrastsecurity.com/Contrast
  application_id: PASTE_YOUR_UUID
  report: true

Step 7: Run the First Dependency Scan

Running a dependency scan overlays CVEs on the application’s dependency tree, showing which vulnerabilities have made their way into code and why they are present. The first scan is often run on a developer’s system to understand the results. Follow-up scans are often run on CI/CD servers for each build.

This command must be run from the directory containing the application’s build components: pom.xml, build.gradle, package.json, or other relevant files. Additionally, the build tool must be on the system path.

contrast-cli --yamlPath scan.yaml

Step 8: Evaluate Dependency Data

There are two locations where one can review data to locate vulnerable dependencies: the local output for quick view and parsing, and the remote interface for a more graphical walkthrough. Developers should check this output to determine which CVEs entered the application, and which dependencies brought them in.

The dependency tree reveals the full direct and transitive dependencies to list every piece of software in the application. This is especially helpful in cases where one requests one dependency that requests another, that requests another, and so on.

Step 9: Analyze Vulnerability Sources

The biggest benefit of the process occurs in the final stages, where CVEs are overlaid on top of the dependencies to show where vulnerabilities enter the application. Knowing this information helps teams know which libraries to update or exclude.

Step 10: Automate Periodic Scans

Automating periodic scans helps identify when newly published CVEs put your application at risk.

Simply paste the earlier command into an automated build system to generate reports on a regular cadence.

contrast-cli --yamlPath scan.yaml
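One way to wire the Step 7 command into a CI job, as an added example that is not Contrast's own code: the script builds scan.yaml from environment variables (the CONTRAST_* names are assumptions) so the secret tokens from Step 3 are injected by the CI secret store rather than committed with the repository, and it removes the file once the scan has run.

```shell
#!/bin/sh
# Added example, not part of the Contrast documentation.
# Assumes the CI system exports CONTRAST_API_KEY, CONTRAST_ORG_ID,
# CONTRAST_AUTH_TOKEN and CONTRAST_APP_ID (the UUID from Step 5) as secrets.
set -eu

# Write a scan.yaml with the Step 6 layout to "$1".
# Returns 1 without writing anything if a required secret is missing.
write_scan_config() {
  out="$1"
  for v in CONTRAST_API_KEY CONTRAST_ORG_ID CONTRAST_AUTH_TOKEN CONTRAST_APP_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      return 1
    fi
  done
  umask 077   # the file holds live tokens: owner read/write only
  cat > "$out" <<EOF
cli:
  api_key: ${CONTRAST_API_KEY}
  organization_id: ${CONTRAST_ORG_ID}
  authorization: ${CONTRAST_AUTH_TOKEN}
  host: ${CONTRAST_HOST:-https://ce.contrastsecurity.com/Contrast}
  application_id: ${CONTRAST_APP_ID}
  report: true
EOF
}

# Run the dependency scan from the current directory, which must hold the
# build file (pom.xml, build.gradle, package.json, ...), then delete the
# config so no tokens remain on the build agent. Propagates the CLI's exit code.
run_scan() {
  cfg="${TMPDIR:-/tmp}/scan.$$.yaml"
  write_scan_config "$cfg"
  rc=0
  contrast-cli --yamlPath "$cfg" || rc=$?
  rm -f "$cfg"
  return "$rc"
}

# Only start a scan when invoked as: sh scan.sh run
if [ "${1:-}" = "run" ]; then
  run_scan
fi
```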