dependency-check / azuredevops
Dependency Check Azure DevOps Extension

License: Apache License 2.0

CSS 1.03% PowerShell 13.80% TypeScript 82.55% JavaScript 2.62%
azure-devops owasp dependency-check

azuredevops's People

Contributors

alaincroisetiere, charliesears, dependabot[bot], despalis, echalone, ejohn20, eveneveneven, guidojw, pippolino, saturate, teilmeier, vinzz

azuredevops's Issues

Dependency Check Versions File Management

We started having an issue last week when a team bumped their version of OWASP Dependency Check in our Azure DevOps pipeline. We were getting an error with the CPE analyzer because it failed to initialize. Investigating the issue, we discovered that when upgrading the Dependency Check version to be downloaded, all the pre-existing libraries and the new libraries are kept in the same folder, and this causes an issue because some libraries were confused about which version to use.

I suggest keeping each version in a separate folder or cleaning the path where the archive will get decompressed.

Download from GitHub stops (proxy?)

Hi

We use a webproxy to connect to the internet.
I added to the arguments:
--proxyserver "myproxy" --proxyport "myport"

but when I use the extension it writes in the log:
Downloading Dependency Check latest installer from GitHub

and doesn't proceed.

Looks to me that proxy configuration is not used.

Reduce Extension Size

Remove the artifacts from the extension bundle. Instead, pull the installer artifacts dynamically from bintray and extract on the build agent during execution.

This will add a few seconds to the process, but it will eliminate tons of people asking questions about how to increase the extension file limit - thanks MS :(

Invoke-WebRequest "https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip" -OutFile "dependency-check-5.3.2-release.zip"

Data File Caching: Configurable File Location

I can no longer host the cached dependency check files to support the ecosystem. Traffic has become large enough that it is time for folks to host their own data cache files.

Adding 2 new fields to the extension:

Data Mirror: JSON Repository
Data Mirror: ODC Database

These files can be pulled from the URL provided and will be loaded into the extension's data directory.

.NET AssemblyAnalyzer Error

The following error is shown when running the dependency-check task on a DotNet Core project on a Windows Azure DevOps Hosted agent:

[ERROR] Could not execute .NET AssemblyAnalyzer

I added the following additional argument and it did not help:

--dotnet C:\hostedtoolcache\windows\dotnet\dotnet.exe

By default download latest 6.x version of OWASP check

Currently the task downloads version 6.0.2, which is quite old (released Sep 2020). The latest release is 6.1.1, and even the task runner complains that we should upgrade the version:

[WARN] A new version of dependency-check is available. Consider updating to version 6.1.1.

My suggestion:

  • By default download always latest 6.x version (Version 7 may contain breaking changes)
  • Support specific version selection in current form

No junit report in TestResult

I can't generate the JUnit XML report in the TestResult folder in order to publish it into the Test tab. The only file generated is the HTML report, even if I specify multiple formats.

Here is my pipeline configuration:

- task: dependency-check-build-task@6
  displayName: 'OWASP Dependency Check'
  inputs:
    projectName: 'MyProject'
    scanPath: '**/*.csproj'
    excludePath: 'Tests/'
    format: 'HTML,JSON,JUNIT'
#    reportsDirectory: '$(Common.TestResultsDirectory)/dependency-check' 

- task: PublishTestResults@2
  inputs:
    testResultsFormat: 'JUnit'
    testResultsFiles: 'dependency-check/*junit.xml'
    searchFolder: '$(Common.TestResultsDirectory)'
    testRunTitle: 'Dependency Check'

but in the output log I see:

Dependency Check completed with exit code 0.
Dependency Check reports:
[ 'D:\\a\\1\\TestResults\\dependency-check\\dependency-check-report.html' ]
##[debug]Attachments:
##[debug]Attachment name: dependency-check-report%2Ehtml
##[debug]Attachment path: D:\a\1\TestResults\dependency-check\dependency-check-report.html
##[debug]Attachment type: .html
Ending Dependency Check...
Async Command Start: Upload Artifact
Uploading 1 files
File upload succeed.
Upload 'D:\a\1\TestResults\dependency-check\dependency-check-report.html' to file container: '#/5768340/dependency-check'

scanPath Bug - Quote Full Path

I have multiple csproj files under a src path for our solution, but need to be specific about which csproj files need to be dependency checked. I see that the dependency-check tool supports multiple scan paths so this works fine to scan both the csproj for proj.web and proj.service:

dependency-check --project Project01 --scan /code/proj01/src/proj.web/*.csproj --scan /code/proj01/src/proj.service/*.csproj --out ./TestResults/dependency-check --format HTML --failOnCVSS 8 --log ./TestResults/dependency-check/log

However, I can't specify scanPath twice in my pipeline:

    steps:
      - task: dependency-check-build-task@6
        displayName: "OWASP Dependency Check"
        inputs:
          projectName: 'Project01'
          scanPath: '**/proj.web/*.csproj'
          scanPath: '**/proj.service/*.csproj'
          ...

Azure pipeline returns:
/azure-pipelines.yml (Line: 16, Col: 11): 'scanPath' is already defined

I want to run multiple scans to optimize dependency check time, rather than creating a task for each csproj.

on-premise installation error

I currently have an on-premise installation of Azure DevOps. The solution was originally a TFS 2012 that was upgraded to TFS 2018. Then in August 2019 I updated the installation to Azure DevOps and have not had any issues with functionality or plugins. However, when I try to load the OWASP Dependency-Check, I get an error: "Permission section could not be loaded". Please see the image attached. Thanks

--exclude not working & can't use it multiple times

Hi, I think the --exclude option is not working.

I have the following directory structure after git checkout:
s/
-- changelogs
-- tests
-- src
-- helper
-- some other files and directories

This is the YAML Task:

  - task: dependency-check-build-task@6
    displayName: "Dependency-Check 3 Party Analysis"
    inputs:
      projectName: 'Project1'
      scanPath: '$(Agent.BuildDirectory)/s/'
      excludePath: '/tests/**'
      format: 'HTML'
      failOnCVSS: '7'
      suppressionPath: 'suppress.xml'
      warnOnCVSSViolation: true

Although I am trying to exclude tests, I am still getting these file paths:
/home/vsts/work/1/s/tests/E2E.Cypress/package-lock.json?lodash

and

[WARN] Analyzing `/home/vsts/work/1/s/tests/E2E.Cypress/package-lock.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] Analyzing `/home/vsts/work/1/s/changelogs/validation/package-lock.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check

Command used in job is:

Path: /home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh
Arguments: --project "Backend" --scan "/home/vsts/work/1/s/" --out "/home/vsts/work/1/TestResults/dependency-check" --exclude "/tests/**" --format HTML --failOnCVSS 7 --suppression "/home/vsts/work/1/s/suppress.xml"

Using the same commands on my workstation (Windows system):

.\dependency-check.bat -s "C:\Backend" --exclude "/tests/**" works without problems.

I can also use the --exclude command multiple times, for example to remove also changelogs folder from the path

--exclude "/tests/" --exclude "/changelogs/"

Cannot use the excludePath multiple times in YAML due to key problems...

EDIT: I can use the Extra Arguments Field and it works with multiple exclude arguments or only one!

CVE Data Caching

Right now, the job takes several minutes because it executes on a clean agent with no data files. We can't include these in the installer because it takes the installer over 100MB compressed, which exceeds our cap.

Option 1: Can / should we host these files in an Azure Blob close to the source? Should make for a very quick pull from Azure Storage onto the build agent versus downloading from MITRE. Then, it would be easy to write an Azure function to auto-update the files every night to keep them fresh. Any reason these files can't be a publicly accessible blob?

Option 2: ????

@jeremylong

Specify reports output path?

I tried to specify the output path of the reports using the --out argument of Dependency Check. I've added it to the "Additional Arguments" section of the task, but the reports were still uploaded to the default location (under test results). Any plan to support custom output location for the reports?

Thanks,

Documentation: Azure DevOps Server 2019 On-premise Install Steps

Describe the bug
I cannot install the OWASP Dependency Check Azure DevOps Server Extension.

Version of dependency-check used
Azure DevOps Extension 5.2.1.2

To Reproduce
Steps to reproduce the behavior:

  1. Go to your on-premise Azure DevOps Server 2019 Update 1 (version 17.M153.5) root website
  2. Click on "Browse Marketplace" in the upper right corner
  3. Search the "OWASP Dependency Check" Plugin in the Azure DevOps Marketplace https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck
  4. Click on "Get it free"
  5. An error is displayed: "We've encountered an error while downloading the extension. Please try again later."

Expected behavior
The extension installs on our local Azure DevOps Server.
or
The extension does not list "Azure DevOps Server 2019" as a compatible installation target. (less preferred behavior)

Additional context

  • Other extensions install just fine
  • When downloading the vsix extension file and uploading it manually to the local Azure DevOps Server Extension Gallery, the following message is displayed:
  • I found the following thread in which Microsoft states that the extension size is limited to 25 MB. The OWASP extension is approx. 36 MB: "The extension package size exceeds the maximum package size '26214400 bytes'"

Specify Dependency Check Install Location

By default, the extension downloads the dep check and extracts the installer files on the fly.

Add a new install location field to the extension which allows people to specify a location on a self-hosted agent. If the field is specified, the extension will not download the extension and will rely on the user to install it out of band.

Support task on Linux Agents

  • Dependency Check task currently is only supported on Windows Agents
  • Feature requested to support Linux Agents

MVP: Base Extension / Scan Settings

Create an Azure DevOps extension with the following features:

  • Update vulnerability data
  • Perform scan on a given artifact
  • Add reports to build artifacts

Integrate in Azure DevOps Server

I set up my C++ project with cmake.
How can I set the Scan path? When I set it as the build folder, the report contains nothing.
I use OWASP version 6.
Thank you

Size Limit when installing on TFS 2018 Server

Copied from VSMarketplace:

Jeffrey Rempel: How do you install this on a TFS 2018 on-premise server? I try to upload the extension however I get an error stating "The files being added total 35.7 MB which exceeds the maximum total size allowed to be uploaded (25 MB)."

Dependency check fails with exit code 242 since 5.3.2 version

Hi,

We only recently added this to our build pipeline and all was working fine on version 5.3.0, but it doesn't appear to work any more with 5.3.2.

Here's the step from our azure-pipelines.yaml:

- task: OWASPDependencyCheck@0
  displayName: OWASP Dependency Check
  inputs:
    outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    scanDirectory: '$(Build.SourcesDirectory)'
    outputFormat: 'ALL'
    useSonarQubeIntegration: true

And here's the log file:
owasp-dependency-check-5-3-2-error.log

Please let me know if I can try something or provide any further information.

Add Version Field

New option field for specifying the installer version for the automatic download on cloud-hosted agents.

Dependency Check Download Failure

Downloading Dependency Check installer appears to be failing on local Azure DevOps agents. Adding the -Force parameter may fix this.

##[error]System.IO.IOException: Failed to create file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' while expanding the archive file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check-5.3.2-release.zip' contents as the file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' already exists. Use the -Force parameter if you want to overwrite the existing directory 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' contents when expanding the archive file.
Ending Dependency Check...

agent proxy settings are not picked up

This is likely a feature request.
We use this extension on Azure DevOps Server 2019 Update 1 on-premise behind a HTTP proxy.
Our agent was configured using this documentation: Run a self-hosted agent behind a web proxy

This extension does not pickup the configured proxy settings. Our current workaround is to use "Additional Arguments" to configure the settings as described here.

It seems like extensions can use the configured proxy settings by calling Get-VstsWebProxy.
Get proxy configuration by using AZURE-DEVOPS-TASK-LIB method

I can try and create a PR for this, if you prefer.

Java Not Found

Submitted from Marina Radcke:

Running the task using a Windows Server 2019 agent leads to the error:

'java' is not recognized as an internal or external command, operable program or batch file.

I get the same error when running the dependency-check.bat file (downloaded from OWASP) in a Command-Line task. Java is installed, running java -version in Command Prompt shows the version, and running dependency-check.bat directly on the server is working, too.

[Bug] Adding parameters

Hi,
When you specify additionalArguments such as cveUrls in the task (for workaround purposes here), the generated command fails:
C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.0.2\dependency-check\bin\dependency-check.bat --project "MyProjetct" --scan D:\a\1\s --out D:\a\1\TestResults\dependency-check --format JUNIT --cveUrlModified "https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz --cveUrlBase" https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz"

Here was the task configuration :
additionalArguments: '--cveUrlModified https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz --cveUrlBase https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz'

Thanks for the help

Summary / Details Screen

Set up a new table on the summary screen that shows the high level scan data. Set up a details tab that shows the full report.

Permission section could not be loaded

Hi, I was pretty excited to learn about your extension. However, when I try to install it on our on-premises Azure DevOps 2019 Update 1 (17.153.29207.5) server, I get this error message: "We've encountered an error while downloading the extension. Please try again later." On the side panel I see: "Permission section could not be loaded", which I suspect is the root issue. (screenshot attached)

I've confirmed that I can install other extensions and I can pull down the VSIX directly (without going through the Azure DevOps extension install pages). Unfortunately, with 2019, I no longer have the option to upload an extension, so I'm not able to get past this. I'd appreciate any suggestions.


Cannot customize the output directory for test result.

I have found that whatever is configured in the task definition for OWASP DC in the outputDirectory parameter is not taken into consideration when test results are created. The results are always created in D:\a\1\TestResults\dependency-check.

After that I am unable to reach this directory when trying to publish the results with the JUnit publisher. The configuration of the Publish task is like this: searchFolder: '$(System.DefaultWorkingDirectory)\TestResults\dependency-check\' but it is transformed to a path like this: ##[debug]adjustedPattern: 'D:\a\1\s\TestResults\dependency-check\*junit.xml'

Is the outputDirectory parameter somehow ignored?

Update Download Links - New Version of ODC

I know this should be a PR... A new version of ODC was released - in addition we would prefer users to download the CLI from the github release rather than bintray due to bandwidth restrictions.

Please update:

curl -sLo ./dependency-check-$VERSION-release.zip https://dl.bintray.com/jeremy-long/owasp/dependency-check-$VERSION-release.zip

To point to the GitHub release to avoid capacity issues at bintray:

curl -sLo ./dependency-check-$VERSION-release.zip https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip

Additionally, update:

Invoke-WebRequest "https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip" -OutFile "dependency-check-5.3.2-release.zip"
Expand-Archive -Path dependency-check-5.3.2-release.zip -DestinationPath . -Force

To:

Invoke-WebRequest "https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip" -OutFile "dependency-check-6.0.2-release.zip" 
Expand-Archive -Path dependency-check-6.0.2-release.zip -DestinationPath . -Force

Proxy

Hi,

We use a web proxy to filter requests to internet.

As described in the documentation, I have opened the URL https://nvd.nist.gov

But when I launch the tool, a request is sent to dependencycheck.sec540.com.

So I do not understand which URLs to open.

RE: null leading to StackOverflowError #1969 - on Azure DevOps?

Dear Jeremy,

I'm running into the issue jeremylong/DependencyCheck#1969 on Azure Devops:

[ERROR] An error occured trying to analyze icefaces-ace-3.1.0.jar: jquery-ui.js. To resolve this error please try increasing the Java stack size to 8mb and re-run dependency-check:

Unfortunately I have no clue how to increase stack size as there is no option to do that with the dependency-check-build-task@5:

  - task: dependency-check-build-task@5
    inputs:
      projectName: 'ISP-1519-EEG'
      enableVerbose: true
      scanPath: '$(Build.SourcesDirectory)'
      format: 'HTML'

Kind regards
Tom

Dependency check process failed with exit code 1

I'm trying to run the latest release of your extension using a linux (ubuntu) build agent in Azure DevOps to analyze a .NET 5.0 application. This is the error I was seeing:
##[error]The process '/home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.sh' failed with exit code 1

My pipeline yaml:

      - task: dependency-check-build-task@6
        displayName: 'OWASP Dependency Check'
        inputs:
          projectName: 'Project01'
          scanPath: '**/*.csproj'
          format: 'ALL'
          failOnCVSS: '8'
          enableVerbose: true

I realized the issue was that I configured an incorrect scanPath. Once I updated that to the correct location of the csproj, it worked perfectly. I closed this issue, but am hoping this post might be helpful to others if they see this error message and are not sure of one possible cause.

Allow multiple --exclude

Current task is limited to one --exclude parameter. Can't it use a multi-line list or do a split on a delimiter?

I can only think of one workaround: deleting files / directory that need to be excluded.
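The misplaced quotes in the "[Bug] Adding parameters" log above and the repeated requests for multiple --exclude values both stem from building a single command string that cmd.exe re-parses. As an added example (not the extension's own code), the TypeScript below tokenizes additionalArguments with quote awareness, expands a multi-line excludePath into repeated --exclude flags, and returns an argv array meant for child_process.spawn; the input names are assumed to mirror the task's YAML keys.

```typescript
// Added example, not code from the dependency-check/azuredevops extension.
// Builds the dependency-check argument vector from task inputs. The input
// names (scanPath, excludePath, additionalArguments, ...) are assumed to
// mirror the task's YAML keys; the splitting logic is this example's own.

/**
 * Tokenize a free-form argument string: whitespace separates tokens,
 * double or single quotes group text (and are consumed), and \" inside
 * double quotes yields a literal quote. Backslashes are otherwise kept
 * literally so Windows paths such as C:\hostedtoolcache\... survive.
 * The result is meant for child_process.spawn(bin, argv), where no shell
 * gets a second chance to re-interpret quotes or URLs containing %d.
 */
export function splitArgs(input: string): string[] {
  const out: string[] = [];
  let cur = "";
  let quote: string | null = null; // the quote character we are inside, if any
  let inToken = false;             // true once a token has started (handles "")
  for (let i = 0; i < input.length; i++) {
    const c = input.charAt(i);
    if (quote !== null) {
      if (c === quote) {
        quote = null;                                   // closing quote
      } else if (c === "\\" && quote === '"' && input.charAt(i + 1) === '"') {
        cur += '"';                                     // escaped quote
        i++;
      } else {
        cur += c;
      }
    } else if (c === '"' || c === "'") {
      quote = c;                                        // opening quote
      inToken = true;
    } else if (c === " " || c === "\t" || c === "\r" || c === "\n") {
      if (inToken) {
        out.push(cur);
        cur = "";
        inToken = false;
      }
    } else {
      cur += c;
      inToken = true;
    }
  }
  if (quote !== null) {
    throw new Error("unterminated quote in additionalArguments");
  }
  if (inToken) {
    out.push(cur);
  }
  return out;
}

/**
 * Expand a multi-value input (newline- or comma-separated, blanks ignored)
 * into a repeated flag, e.g. "--exclude" + "/tests/**\n/changelogs/**"
 * -> ["--exclude", "/tests/**", "--exclude", "/changelogs/**"].
 */
export function repeatFlag(flag: string, raw: string): string[] {
  const out: string[] = [];
  for (const part of raw.split(/[\r\n,]+/)) {
    const value = part.trim();
    if (value.length > 0) {
      out.push(flag, value);
    }
  }
  return out;
}

/** Subset of the task inputs needed here (assumed names). */
export interface TaskInputs {
  projectName: string;
  scanPath: string;
  outDir: string;
  format?: string;              // e.g. "HTML,JSON,JUNIT"
  excludePath?: string;         // one pattern per line or comma-separated
  additionalArguments?: string; // free text, may contain quoted values
}

/** Assemble argv for dependency-check; hand it to spawn(), never to a shell string. */
export function buildArgv(inp: TaskInputs): string[] {
  const argv = ["--project", inp.projectName, "--scan", inp.scanPath, "--out", inp.outDir];
  argv.push(...repeatFlag("--format", inp.format ?? "HTML"));
  argv.push(...repeatFlag("--exclude", inp.excludePath ?? ""));
  argv.push(...splitArgs(inp.additionalArguments ?? ""));
  return argv;
}
```

Passing the array to spawn(bin, argv) avoids the shell re-quoting that produced the misplaced quotes in the log above, and it also keeps a crafted additionalArguments value from injecting a second shell command.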

Default Report Format

If you don't select a default report format, the scan fails because the default is html instead of HTML.

Question: Design/Documentation on how it works?

Hi,
Is there documentation on how the scanning works at a high level? E.g. is the code sent over to a server somewhere on the internet?
I would like to better understand this, as the company I work for is considering using this extension. But before that happens, we need a better understanding of how it works.

Database caching for Azure Pipelines

We have an Azure DevOps setup where there are two self-hosted VMs running 16 agents. The default behavior is to store the databases in C:\agent\_work\[number]\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\[version]\dependency-check\data. This means we have 16 copies of the database across those 2 VMs. When the default 4 hour window for NVD is crossed, 16 builds have to pay a penalty to check for updates (takes like 8 minutes!), and there are other database maintenance tasks that feel like they are happening too much.

Aside from tweaking arguments like cveValidForHours, is there anything we can do either with dependency-check or Azure Pipelines to keep builds throughout the day from experiencing large wait times? For example, can we move to one database per VM, but then is that safe from a concurrency perspective with 8 agents running per VM?

Support Mac OS Agents

From the marketplace:

arnaud.debock on 30-Apr-2021:
Hi,

There seems to be a problem with the task running on Mac agents. The task will only check the OS for Linux or Windows. Therefore, it tries to launch the "_work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.bat" file, which is not usable on Mac. Can you update the task by adding a test for Agent.OS equal to Darwin?

Java not found - exit code 9009

I'm trying to add this as a step in one of our Azure DevOps deployments. However, it keeps failing with " 'java' is not recognized as an internal or external command":

2020-09-22T12:48:21.2708345Z ==============================================================================
2020-09-22T12:48:21.2709349Z Task         : OWASP Dependency Check
2020-09-22T12:48:21.2711297Z Description  : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2020-09-22T12:48:21.2712627Z Version      : 5.3.2003
2020-09-22T12:48:21.2713304Z Author       : Dependency Check
2020-09-22T12:48:21.2714342Z Help         : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2020-09-22T12:48:21.2715497Z ==============================================================================
2020-09-22T12:48:23.4445503Z Starting Dependency Check...
2020-09-22T12:48:23.6401335Z Downloading Dependency Check installer...
2020-09-22T12:48:33.2340098Z Invoking Dependency Check...
2020-09-22T12:48:33.2400801Z Path: C:\azagent\A1\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2003\dependency-check\bin\dependency-check.bat
2020-09-22T12:48:33.2418414Z Arguments: --project "Web" --scan "C:\azagent\A1\_work\r1\a\**\*.csproj" --out "\dependency-check" --exclude "C:\azagent\A1\_work\r1\a" --format HTML --failOnCVSS 8 --suppression "C:\azagent\A1\_work\r1\a"
2020-09-22T12:48:33.3286473Z 'java' is not recognized as an internal or external command,
2020-09-22T12:48:33.3287988Z operable program or batch file.
2020-09-22T12:48:34.2890567Z Dependency Check completed with exit code 9009.
2020-09-22T12:48:34.2907107Z Dependency check reports:
2020-09-22T12:48:34.4252429Z ##[error]Dependency Check exited with an error code.
2020-09-22T12:48:34.4493346Z Ending Dependency Check...
2020-09-22T12:48:34.4957837Z ##[section]Finishing: Dependency Check

I found this issue which is the same scenario (we're running this on our own build server running Windows Server 2019). I downloaded the Java runtime (I've tried this with both the 64-bit version and, when that didn't work, I uninstalled it and installed the 32-bit version). In both cases I went into System Properties > Advanced > Environment Variables and configured the System variables.

I created these two settings:

JAVA_HOME   C:\PROGRA~2\Java\jre1.8.0_261
JAVACMD     C:\PROGRA~2\Java\jre1.8.0_261\bin

I also tried adding the jre1.8.0_261\bin folder to the path.

But when I redeploy it still fails with the same error. I'm not quite sure what else to try.

v5.3.2 Update

Need to upgrade the dependency check exec to v5.2.4.

Invoke-WebRequest causes SSL/TLS error

Upon installing the extension and running it, I get the following error:

Downloading Dependency Check vulnerability data... ##[error]System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request) at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord() Ending Dependency Check...

Error running dependency-check-build-task against dotnet 5 application

After upgrading our applications to dotnet 5 we get errors when running dependency-check-build-task against our application.

It looks like this issue is already resolved upstream: jeremylong/DependencyCheck#3306

Is it possible to upgrade this dependency to a version which includes these patches?

YAML File

  - task: dependency-check-build-task@5
    inputs:
      projectName: 'Base'
      scanPath: 'src/**/*.csproj'
      format: 'HTML, JSON, JUNIT'
      failOnCVSS: '8'
      additionalArguments: '--suppression $(System.DefaultWorkingDirectory)/src/Api/suppressions.xml'

Log

2021-05-09T12:07:27.7483760Z ##[section]Starting: dependencycheckbuildtask
2021-05-09T12:07:27.7506414Z ==============================================================================
2021-05-09T12:07:27.7506732Z Task         : OWASP Dependency Check
2021-05-09T12:07:27.7507181Z Description  : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2021-05-09T12:07:27.7507601Z Version      : 5.6.3
2021-05-09T12:07:27.7507796Z Author       : Dependency Check
2021-05-09T12:07:27.7508105Z Help         : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2021-05-09T12:07:27.7508472Z ==============================================================================
2021-05-09T12:07:30.2792488Z Starting Dependency Check...
2021-05-09T12:07:30.3360791Z Setting report directory to C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3377520Z Creating report directory at C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3952944Z 
2021-05-09T12:07:30.3990258Z 
2021-05-09T12:07:30.4072712Z     Directory: C:\azp\agent\_work\129\TestResults
2021-05-09T12:07:30.4073554Z 
2021-05-09T12:07:30.4073939Z 
2021-05-09T12:07:30.4150957Z Mode                 LastWriteTime         Length Name                                                                 
2021-05-09T12:07:30.4159664Z ----                 -------------         ------ ----                                                                 
2021-05-09T12:07:30.4184100Z d-----          5/9/2021   2:07 PM                dependency-check                                                     
2021-05-09T12:07:30.4422467Z Downloading Dependency Check v6.0.2 installer from GitHub...
2021-05-09T12:07:35.1012399Z Dependency Check installer set to C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1022797Z Invoking Dependency Check...
2021-05-09T12:07:35.1029762Z Path: C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1036140Z Arguments: --project "Base" --scan "C:\azp\agent\_work\129\s\src\**\*.csproj" --out "C:\azp\agent\_work\129\TestResults\dependency-check" --format HTML --format  JSON --format  JUNIT --failOnCVSS 8 --suppression C:\azp\agent\_work\129\s/src/Api/suppressions.xml
2021-05-09T12:07:35.6397777Z Dependency-Check Core version 6.0.2
2021-05-09T12:08:21.1493349Z [INFO] Processing Started for NVD CVE - 2007
2021-05-09T12:08:29.3665901Z [INFO] Processing Complete for NVD CVE - 2008  (13943 ms)
2021-05-09T12:08:29.3666709Z [INFO] Processing Started for NVD CVE - 2009
2021-05-09T12:08:34.4975420Z [INFO] Processing Complete for NVD CVE - 2007  (13350 ms)
2021-05-09T12:08:34.4976183Z [INFO] Processing Started for NVD CVE - 2010
2021-05-09T12:08:44.2600146Z [INFO] Processing Complete for NVD CVE - 2009  (14890 ms)
2021-05-09T12:08:44.2743349Z [INFO] Processing Started for NVD CVE - 2012
2021-05-09T12:08:52.5767225Z [INFO] Processing Complete for NVD CVE - 2010  (18070 ms)
2021-05-09T12:08:52.5808645Z [INFO] Processing Started for NVD CVE - 2011
2021-05-09T12:09:08.2815293Z [INFO] Processing Complete for NVD CVE - 2012  (23997 ms)
2021-05-09T12:09:08.2822036Z [INFO] Processing Started for NVD CVE - 2013
2021-05-09T12:09:12.8072992Z [INFO] Processing Complete for NVD CVE - 2011  (20232 ms)
2021-05-09T12:09:12.8074134Z [INFO] Processing Started for NVD CVE - 2014
2021-05-09T12:09:27.6574716Z [INFO] Processing Complete for NVD CVE - 2013  (19401 ms)
2021-05-09T12:09:27.6705731Z [INFO] Processing Started for NVD CVE - 2015
2021-05-09T12:09:32.9432801Z [INFO] Processing Complete for NVD CVE - 2014  (20148 ms)
2021-05-09T12:09:32.9433497Z [INFO] Processing Started for NVD CVE - 2016
2021-05-09T12:09:37.1818183Z [INFO] Processing Started for NVD CVE - 2017
2021-05-09T12:09:40.9740333Z [INFO] Processing Complete for NVD CVE - 2015  (13311 ms)
2021-05-09T12:09:40.9740804Z [INFO] Processing Started for NVD CVE - 2018
2021-05-09T12:09:54.7723632Z [INFO] Processing Complete for NVD CVE - 2017  (17593 ms)
2021-05-09T12:09:54.7724412Z [INFO] Processing Started for NVD CVE - 2019
2021-05-09T12:09:59.2873019Z [INFO] Processing Complete for NVD CVE - 2018  (18331 ms)
2021-05-09T12:09:59.3031893Z [INFO] Processing Started for NVD CVE - 2021
2021-05-09T12:09:59.7428943Z [INFO] Processing Started for NVD CVE - 2020
2021-05-09T12:10:10.2897280Z [INFO] Processing Complete for NVD CVE - 2019  (15519 ms)
2021-05-09T12:10:10.2915919Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2917069Z org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2919514Z 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
2021-05-09T12:10:10.2922418Z 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
2021-05-09T12:10:10.2922983Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:855)
2021-05-09T12:10:10.2923506Z 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:662)
2021-05-09T12:10:10.2924039Z 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:592)
2021-05-09T12:10:10.2924510Z 	at org.owasp.dependencycheck.App.runScan(App.java:254)
2021-05-09T12:10:10.2924954Z 	at org.owasp.dependencycheck.App.run(App.java:186)
2021-05-09T12:10:10.2927707Z 	at org.owasp.dependencycheck.App.main(App.java:81)
2021-05-09T12:10:10.2928444Z Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2960628Z 	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
2021-05-09T12:10:10.2961229Z 	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
2021-05-09T12:10:10.2961789Z 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
2021-05-09T12:10:10.2966594Z 	... 7 common frames omitted
2021-05-09T12:10:10.2967277Z Caused by: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2968060Z 	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.lambda$testCveCpeStartWithFilter$0(NvdCveParser.java:149)
2021-05-09T12:10:10.2968660Z 	at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
2021-05-09T12:10:10.2969191Z 	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
2021-05-09T12:10:10.2969847Z 	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
2021-05-09T12:10:10.2970512Z 	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
2021-05-09T12:10:10.2971009Z 	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
2021-05-09T12:10:10.2971481Z 	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
2021-05-09T12:10:10.2971952Z 	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
2021-05-09T12:10:10.2972650Z 	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
2021-05-09T12:10:10.2973147Z 	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
2021-05-09T12:10:10.2973608Z 	at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:528)
2021-05-09T12:10:10.2974111Z 	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.testCveCpeStartWithFilter(NvdCveParser.java:149)
2021-05-09T12:10:10.2974631Z 	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:100)
2021-05-09T12:10:10.2975108Z 	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
2021-05-09T12:10:10.2975593Z 	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
2021-05-09T12:10:10.2976073Z 	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
2021-05-09T12:10:10.2976537Z 	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
2021-05-09T12:10:10.2976963Z 	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
2021-05-09T12:10:10.2977414Z 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
2021-05-09T12:10:10.2977910Z 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
2021-05-09T12:10:10.2978413Z 	at java.base/java.lang.Thread.run(Thread.java:832)
2021-05-09T12:10:11.0629791Z [ERROR] There was an error attempting to close the CveDB, see the log for more details.
2021-05-09T12:10:11.0630350Z [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2021-05-09T12:10:11.0630774Z [ERROR] Unable to continue dependency-check analysis.
2021-05-09T12:10:11.1893613Z [ERROR] One or more fatal errors occurred
2021-05-09T12:10:11.1894631Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:11.1895297Z [ERROR] No documents exist
2021-05-09T12:10:11.9392672Z Dependency Check completed with exit code -13.
2021-05-09T12:10:11.9399520Z Dependency check reports:
2021-05-09T12:10:11.9802879Z ##[error]Dependency Check exited with an error code.
2021-05-09T12:10:11.9927767Z Ending Dependency Check...
2021-05-09T12:10:11.9928130Z 
2021-05-09T12:10:11.9928356Z 
2021-05-09T12:10:12.0357305Z ##[section]Finishing: dependencycheckbuildtask

Example Scan Path is Incorrect

I really appreciate this task! Thank you. I think I found the following issue with the example:

The example image shows the value **/*csproj:

Doesn't this mean scanning the actual project file as a dependency rather than looking at all of the *.dlls used by the program? When I changed it to check the actual *.dlls, it found some vulnerable dependencies.
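The point raised in this issue is easy to check mechanically: list what a scan-path glob actually selects before trusting a clean report. The script below is an added example, not code from the issue or from the extension; it builds a constructed .NET-style directory layout in a temporary folder and compares the files matched by `**/*csproj` against those matched by `**/*.dll`. It uses Python's `pathlib` glob as an approximation of the task's pattern matching (an assumption; the extension's own matcher may differ in edge cases), and the file names are invented for illustration.

```python
"""Compare which files two scan-path globs hand to a scanner (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed sample layout (not taken from the issue); mirrors a typical .NET repo
# where project files live beside the build output that actually ships.
SAMPLE_FILES = [
    "src/App/App.csproj",
    "src/App/bin/Release/net6.0/App.dll",
    "src/App/bin/Release/net6.0/Newtonsoft.Json.dll",
    "src/Lib/Lib.csproj",
    "src/Lib/bin/Release/net6.0/Lib.dll",
    "src/Lib/obj/project.assets.json",
]


def build_tree(root: Path) -> None:
    """Create empty placeholder files for every path in SAMPLE_FILES."""
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")


def matched(root: Path, pattern: str) -> list[str]:
    """Return the repo-relative files a glob pattern would select, sorted."""
    return sorted(
        p.relative_to(root).as_posix() for p in root.glob(pattern) if p.is_file()
    )


def compare_scan_paths(
    patterns: tuple[str, ...] = ("**/*csproj", "**/*.dll"),
) -> dict[str, list[str]]:
    """Build the sample tree and report what each candidate scan path covers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_tree(root)
        return {pattern: matched(root, pattern) for pattern in patterns}


if __name__ == "__main__":
    for pattern, files in compare_scan_paths().items():
        print(f"{pattern}:")
        for f in files:
            print(f"  {f}")
```

Run as-is, the `**/*csproj` pattern yields only the two project files, while `**/*.dll` yields the three assemblies, including the third-party `Newtonsoft.Json.dll` that a vulnerability scanner needs to see. The practical check is to run the same comparison against a real checkout after the build step and confirm the chosen scan path includes the published binaries or lock files the analyzers understand, not just the project metadata.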
