When I run mvn verify locally against a Java project, OWASP returns quite the list of found vulnerabilities. However, when I do the same test in an Azure DevOps pipeline with the OWASP plugin, it returns 0 vulnerabilities. Both tests scan the top level of the directory.
The following OWASP plugin is enabled in Azure DevOps.
The setup:
Azure Pipeline template
# owasp-dependency-check.yml@templates
parameters:
  - name: scanDir
    default: $(System.DefaultWorkingDirectory)
    type: string
steps:
  - task: OWASPDependencyCheck@0
    inputs:
      outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
      scanDirectory: ${{ parameters.scanDir }}
      outputFormat: 'HTML'
      useSonarQubeIntegration: True
  - task: PublishPipelineArtifact@1
    inputs:
      targetPath: '$(Agent.TempDirectory)'
      artifact: 'dependency-scan-results'
      publishLocation: 'pipeline'
Azure Pipeline
# azure-pipeline.yml
resources:
  repositories:
    - repository: templates
      type: git
      name: sandbox-reusable-tasks
stages:
  - stage: Scan
    displayName: Scan
    jobs:
      - job: Owasp
        steps:
          - template: owasp-dependency-check.yml@templates
It looks like the jar analyzer doesn't run. This is the log output at runtime:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OWASPDependencyCheck
I have installed the official OWASP plugin; I was using an offshoot with SonarQube integration. Besides this, I've built the project on the same agent just before running the check. This ensures that the files to be scanned are available on the agent (I was having difficulties with the artifactPublish and artifactDeploy tasks).
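As an added example (not the question's own pipeline), the build-then-scan ordering described in the update can be expressed in a single job, with one extra guard that makes the failure mode visible instead of silent: the dependency-check task only inspects files that exist on disk, so an unbuilt checkout yields an empty scan and "0 vulnerabilities". The Maven step here runs `dependency:copy-dependencies` in addition to `verify` so that third-party jars land under `target/dependency` inside the scan directory rather than only in the agent's local Maven repository (this goal is my addition, not something the question used); a short Bash step then fails the job if no jars are present before the analyzer starts. `Maven@3` and `Bash@3` are the standard Azure DevOps tasks and `SYSTEM_DEFAULTWORKINGDIRECTORY` is the environment variable Azure exposes for the working directory; the `OWASPDependencyCheck@0` inputs are the ones from the question, and the `pom.xml` location at the repository root is assumed.

```yaml
# azure-pipeline.yml (added example; assumes a Maven project with pom.xml at the repo root)
stages:
  - stage: Scan
    displayName: Build and scan
    jobs:
      - job: Owasp
        steps:
          # 1. Build on the same agent so the jars to be scanned actually exist.
          #    copy-dependencies places third-party jars under target/dependency,
          #    inside the directory the scan task will look at.
          - task: Maven@3
            displayName: Build project and collect dependency jars
            inputs:
              mavenPomFile: 'pom.xml'
              goals: 'verify dependency:copy-dependencies'
              options: '-B -DskipTests'
              publishJUnitResults: false

          # 2. Guard: refuse to run an "empty" scan. A scan directory with no jars
          #    reports zero findings, which is indistinguishable from a clean result.
          - task: Bash@3
            displayName: Check that jars exist before scanning
            inputs:
              targetType: 'inline'
              script: |
                count=$(find "$SYSTEM_DEFAULTWORKINGDIRECTORY" -name '*.jar' | wc -l)
                echo "Found $count jar file(s) under $SYSTEM_DEFAULTWORKINGDIRECTORY"
                if [ "$count" -eq 0 ]; then
                  echo "##vso[task.logissue type=error]No jars found; build the project before running dependency-check"
                  exit 1
                fi

          # 3. Scan the same directory the build just populated.
          - task: OWASPDependencyCheck@0
            inputs:
              outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
              scanDirectory: '$(System.DefaultWorkingDirectory)'
              outputFormat: 'HTML'
              useSonarQubeIntegration: True

          # 4. Publish the report as a pipeline artifact.
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Agent.TempDirectory)/dependency-scan-results'
              artifact: 'dependency-scan-results'
              publishLocation: 'pipeline'
```

The log excerpt in the question is the symptom this guard is meant to catch: a run that lists "Finished CPE Analyzer", "Finished NVD CVE Analyzer" and "Analysis Complete" but never a jar or archive analyzer line is usually scanning a directory with nothing in it to analyze, and the guard turns that into a failed step rather than a green build with an empty report.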