azure-devopsdependenciesazure-pipelinesowaspazure-devops-extensions
azure-devops owasp plugin doesn't find dependencies
When I run mvn verify locally, against a java project. Owasp returns quite the list of found vulnerabilities. However when I do the same test in azure devops pipeline, with the owasp plugin, it returns 0 vulnerabilities. Both tests scan the top level of the directory.
The following Owasp plugin is enable in azure devops
The setup:
Azure Pipeline template
# owasp-dependency-check.yml@templates
parameters:
- name: scanDir
default: $(System.DefaultWorkingDirectory)
type: string
steps:
- task: OWASPDependencyCheck@0
inputs:
outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
scanDirectory: ${{ parameters.scanDir }}
outputFormat: 'HTML'
useSonarQubeIntegration: True
- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Agent.TempDirectory)'
artifact: 'dependency-scan-results'
publishLocation: 'pipeline'
Azure Pipeline
# azure-pipeline.yml
resources:
repositories:
- repository: templates
type: git
name: sandbox-reusable-tasks
stages:
- stage: Scan
displayName: Scan
jobs:
- job: Owasp
steps:
- template: owasp-dependency-check.yml@templates
The punchline:
It looks like the jar analyzer doesn't run. This is the logging at runtime:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OWASPDependencyCheck
Solution
I have installed the official Owasp plugin. I was using an offshoot with sonarqube integration. Besides this I've built the project on the same agent just before running the check. This ensures that the files to be scanned are available on the agent (was having difficulties with artifactPublish and artifactDeploy tasks).
- The term 'script:' is not recognized as the name of a cmdlet, function, script file, or operable program
- Unable to complete a partial restore of our Azure DevOps database
- Azure Devops Jekyll site build fails, worked previously
- Why I am receiving the error: Error: Template file pattern matches a directory instead of a file: /home/vsts/work/1/s in my yaml file pipeline file?
- Conditional dependent job in Azure Devops YAML pipelines
- Azure DevOps REST API: Match Manual Test Case steps to Test Run results?
- Is there a way to get more than 1000 Packages and versions from Azure DEVOPs Feed RESTAPI for GET Packages?
- Pipeline Shows as Failed When Successful
- Yaml manual approval step in jobs.template
- Environment variables as parameter of type object in Azure DevOps pipelines
- Skip Azure Pipeline jobs (or the whole pipeline) if change is from a merge from a specific branch
- Visual Studio 2022 can't connect to a project due to bad filters
- Azure Data Factory CI npm validate step suddenly crashing
- Error using Azure DevOps REST API and classificationnodes
- Remove TFS Connection From Visual Studio 2019
- Restricting branch creation based on Azure DevOps group permissions
- ADO - Granular Permission for Users on Team
- Dev env is skipping
- Must delete massive inadvertent checkin from remote git repo
- Job Conditions in Azure Pipelines
- Access Denied using Azure App Configuration Task in DevOps Pipeline
- Passing output variable to a template in the same job in Azure devops
- Secrets inject securely Dockerfile during build .NET
- Azure Pipeline: how to delete a variable inside Azure build pipeline
- How do I specify playwright chromium version in azure pipeline
- Azure Devops - YAML - not reading .net version from props file
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent