Tags: .net, gitlab, dependencies, owasp

GitLab CI: Dependency Check report 0 vulnerabilities


I am using Dependency-Check in GitLab CI, but when it runs, the report comes back clean.

Scan Information:

    dependency-check version: 7.4.0
    Report Generated On: Wed, 7 Dec 2022 14:50:43 GMT
    Dependencies Scanned: 20 (20 unique)
    Vulnerable Dependencies: 0
    Vulnerabilities Found: 0
    Vulnerabilities Suppressed: 0
    ...

The job code is:

owasp_dependency_check:
  stage: Dependency-check
  image:
    name: registry.gitlab.com/gitlab-ci-utils/docker-dependency-check:latest
    entrypoint: [""]
  script:
    # Scan the checked-out sources; --failOnCVSS 0 makes the CLI exit non-zero on any finding
    - /usr/share/dependency-check/bin/dependency-check.sh --scan "./" --format ALL --project "$CI_PROJECT_DIR" --failOnCVSS 0
    # Second gate: fail the job if the JSON report mentions vulnerabilities at all
    - if [ "$(grep -c "vulnerabilities" dependency-check-report.json)" -gt 0 ]; then exit 2; fi
  after_script:
    - echo 'dependency_check run' > metrics.txt
  allow_failure: true

  artifacts:
    when: always
    paths:
      - "./dependency-check-report.html"
      - "./dependency-check-report.json"
    reports:
      metrics: metrics.txt

I am using GitLab CI to analyse the dependencies in a .NET project. There are no errors during the job execution.

I changed the image to owasp/dependency-check:latest, but nothing changed.

Any help, please?


Solution

  • I found the answer: to use OWASP Dependency-Check to scan .NET code, I need to build and publish first; then the scan finally works.

    Build job:
      stage: build
      image:
        name: mcr.microsoft.com/dotnet/sdk:6.0
        entrypoint: [""]
      variables:
        # Not referenced by the script below
        MOUNT_POINT: /builds/$CI_PROJECT_PATH/app/build
      services:
        - docker:dind
      script:
        # Build, then publish the compiled output (DLLs, deps.json) into ./app
        - dotnet build "./HellodAPI/HelloAPI.csproj" --configuration Release
        - dotnet publish "./HellodAPI/HellodAPI.csproj" -c Release -o app
        # Package the published output so the scan job can pick it up as an artifact
        - tar -czvf publish.tar.gz app/*
      artifacts:
        when: on_success
        paths:
          - ./publish.tar.gz

    Analyse_Dependences:
      stage: Analyse Dependences
      image:
        name: owasp/dependency-check:latest
        entrypoint: [""]

      script:
        - tar -xvzf publish.tar.gz -C /tmp/
        # Scan the project directory, which now contains the publish.tar.gz artifact from the build job
        - /usr/share/dependency-check/bin/dependency-check.sh --scan ${CI_PROJECT_DIR} --format ALL --project ${CI_PROJECT_NAME} --failOnCVSS 0
        - if [ "$(grep -c "vulnerabilities" dependency-check-report.json)" -gt 0 ]; then exit 2; fi
      artifacts:
        when: always
        paths:
          - "./dependency-check-report.html"
          - "./dependency-check-report.json"
        expire_in: 1 week
      allow_failure: true

    and I get this vulnerability report:

    Project: dotnet_helloapi
    Scan Information:
        dependency-check version: 7.4.1
        Report Generated On: Wed, 14 Dec 2022 21:37:14 GMT
        Dependencies Scanned: 47 (36 unique)
        Vulnerable Dependencies: 1
        Vulnerabilities Found: 1
        Vulnerabilities Suppressed: 0
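A worked example of the report gate that both the question's job and the answer's Analyse_Dependences job implement with `grep -c`, added here and not part of the original question or answer. It parses `dependency-check-report.json` (top-level `dependencies` array, each entry optionally carrying a `vulnerabilities` array with `name`, `severity` and CVSS objects) and applies a threshold the way `--failOnCVSS` does, counting actual findings rather than lines that happen to contain the word "vulnerabilities". The field names `cvssv3.baseScore` and `cvssv2.score` are my assumption about the report schema and should be checked against a real report; the embedded report is a constructed sample, and its package names, scores and CVE-style identifiers are placeholders, not findings from the page.

```python
import json
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of dependency-check-report.json, trimmed to the
# fields this gate reads. Package names, versions, scores and identifiers are
# placeholders, not findings from any real scan.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "scanInfo": {"engineVersion": "7.4.1"},
    "projectInfo": {"name": "dotnet_helloapi"},
    "dependencies": [
        {"fileName": "HelloAPI.dll", "filePath": "/tmp/app/HelloAPI.dll"},
        {
            "fileName": "Example.Package.dll",
            "filePath": "/tmp/app/Example.Package.dll",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-0000-0002", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
            ],
        },
        # A present-but-empty list: grep -c would count this line, the gate must not
        {"fileName": "Other.dll", "filePath": "/tmp/app/Other.dll", "vulnerabilities": []},
    ],
})

# Constructed clean report: one dependency, no findings at all
EMPTY_REPORT = json.dumps({"dependencies": [{"fileName": "HelloAPI.dll"}]})


@dataclass
class Finding:
    dependency: str
    name: str
    severity: str
    score: float


@dataclass
class GateResult:
    dependencies_scanned: int
    vulnerable_dependencies: int
    findings: List[Finding] = field(default_factory=list)
    max_score: float = 0.0


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (assumed field names)."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def summarize_report(report_text: str) -> GateResult:
    """Walk the dependencies array and collect every finding with its score."""
    report = json.loads(report_text)
    deps = report.get("dependencies", [])
    result = GateResult(dependencies_scanned=len(deps), vulnerable_dependencies=0)
    for dep in deps:
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        result.vulnerable_dependencies += 1
        for v in vulns:
            score = cvss_score(v)
            result.findings.append(Finding(dep.get("fileName", "?"), v.get("name", "?"),
                                           v.get("severity", "UNKNOWN"), score))
            result.max_score = max(result.max_score, score)
    return result


def should_fail(result: GateResult, fail_on_cvss: float) -> bool:
    """Mirror --failOnCVSS: fail when any finding scores at or above the threshold."""
    return any(f.score >= fail_on_cvss for f in result.findings)


def gate_exit_code(report_text: str, fail_on_cvss: float = 0.0) -> int:
    """0 when the gate passes, 2 when it fails (the exit code the jobs above use)."""
    return 2 if should_fail(summarize_report(report_text), fail_on_cvss) else 0


if __name__ == "__main__":
    import sys
    # Usage: python gate.py [dependency-check-report.json]; falls back to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = summarize_report(text)
    print(f"Dependencies Scanned: {summary.dependencies_scanned}")
    print(f"Vulnerable Dependencies: {summary.vulnerable_dependencies}")
    print(f"Vulnerabilities Found: {len(summary.findings)}")
    for f in summary.findings:
        print(f"  {f.dependency}: {f.name} {f.severity} CVSS {f.score}")
    sys.exit(gate_exit_code(text, 7.0))
```

In the pipeline this replaces the `grep -c` line: `python3 gate.py dependency-check-report.json` after the scan step, with the threshold chosen to match the `--failOnCVSS` value so the two gates agree. Keeping `allow_failure: true` still lets the job report red without blocking the pipeline, exactly as the jobs above do.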