Repository for the Azure DevOps extension wrapper around the OWASP Dependency Check CLI.
See the Build README.md file for details on building and deploying.
Dependency Check Azure DevOps Extension
License: Apache License 2.0
Downloading Dependency Check installer appears to be failing on local Azure DevOps agents. Adding the -Force parameter may fix this.
##[error]System.IO.IOException: Failed to create file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' while expanding the archive file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check-5.3.2-release.zip' contents as the file 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' already exists. Use the -Force parameter if you want to overwrite the existing directory 'E:\MyPool\AGENT2\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2001\dependency-check\bin\dependency-check.sh' contents when expanding the archive file.
Ending Dependency Check...
I can't generate the junit xml report in the TestResult folder in order to publish it into the Test tab. The only file generated is the html report even if I specify multiple formats
Here is my pipeline configuration:

```yaml
- task: dependency-check-build-task@6
  displayName: 'OWASP Dependency Check'
  inputs:
    projectName: 'MyProject'
    scanPath: '**/*.csproj'
    excludePath: 'Tests/'
    format: 'HTML,JSON,JUNIT'
    # reportsDirectory: '$(Common.TestResultsDirectory)/dependency-check'
- task: PublishTestResults@2
  inputs:
    testResultsFormat: 'JUnit'
    testResultsFiles: 'dependency-check/*junit.xml'
    searchFolder: '$(Common.TestResultsDirectory)'
    testRunTitle: 'Dependency Check'
```
but in the output log I see:
Dependency Check completed with exit code 0.
Dependency Check reports:
[ 'D:\\a\\1\\TestResults\\dependency-check\\dependency-check-report.html' ]
##[debug]Attachments:
##[debug]Attachment name: dependency-check-report%2Ehtml
##[debug]Attachment path: D:\a\1\TestResults\dependency-check\dependency-check-report.html
##[debug]Attachment type: .html
Ending Dependency Check...
Async Command Start: Upload Artifact
Uploading 1 files
File upload succeed.
Upload 'D:\a\1\TestResults\dependency-check\dependency-check-report.html' to file container: '#/5768340/dependency-check'
Currently the task downloads version 6.0.2, which is quite old (released Sep 2020). The latest release is 6.1.1, and even the task runner complains that we should upgrade the version:
[WARN] A new version of dependency-check is available. Consider updating to version 6.1.1.
My suggestion:
How do i configure the Extension to send the Reports to my Sonarqube instance that is running the dependency-check Plugin?
Is it possible to output only two file types instead of all?
Hi,
We use a web proxy to filter requests to internet.
As described in the documentation, I have opened the URL https://nvd.nist.gov
But when I launch the tool, a request is sent to dependencycheck.sec540.com.
So I do not understand which Urls to open.
By default, the extension downloads the dep check and extracts the installer files on the fly.
Add a new install location field to the extension which allows people to specify a location on a self-hosted agent. If the field is specified, the extension will not download the installer and will rely on the user to install it out of band.
Convert the extension from PS ---> TypeScript to run on both Windows and Ubuntu build agents.
Need to upgrade the dependency check exec to v5.2.4.
I have multiple csproj files under a src path for our solution, but need to be specific about which csproj files need to be dependency checked. I see that the dependency-check tool supports multiple scan paths so this works fine to scan both the csproj for proj.web and proj.service:
```shell
dependency-check --project Project01 --scan /code/proj01/src/proj.web/*.csproj --scan /code/proj01/src/proj.service/*.csproj --out ./TestResults/dependency-check --format HTML --failOnCVSS 8 --log ./TestResults/dependency-check/log
```
However, I can't specify scanPath twice in my pipeline:

```yaml
steps:
- task: dependency-check-build-task@6
  displayName: "OWASP Dependency Check"
  inputs:
    projectName: 'Project01'
    scanPath: '**/proj.web/*.csproj'
    scanPath: '**/proj.service/*.csproj'
    ...
```

Azure pipeline returns:

```
/azure-pipelines.yml (Line: 16, Col: 11): 'scanPath' is already defined
```
I want to run multiple scans to optimize dependency check time, rather than creating a task for each csproj.
I really appreciate this task! Thank you. I think I found the following issue with the example:
The example image shows the value `**/*csproj`. Doesn't this mean scan the actual project file as a dependency rather than looking at all of the *.dlls used by the program? When I changed it to check the actual *.dlls, it found some vulnerable dependencies.
The follow error is shown when running the dependency-check task on a DotNet Core project on a Windows Azure DevOps Hosted agent:
[ERROR] Could not execute .NET AssemblyAnalyzer
I added the following additional argument and it did not help:
--dotnet C:\hostedtoolcache\windows\dotnet\dotnet.exe
If you don't select a default report format, the scan fails because the default is `html` instead of `HTML`.
New field for Dependency Check installer location that can override the default pull from GH releases.
I currently have an on-premise installation of Azure DevOps. The solution was originally a TFS 2012 that was upgraded to TFS 2018. Then in August 2019 I updated the installation to Azure DevOps and have not had any issues with functionality or plugins. However, when I try to load the OWASP Dependency-Check, I get an error "Permission section could not be loaded". Please see image attached. Thanks
Create an Azure DevOps extension with the following features:
I know this should be a PR... A new version of ODC was released - in addition we would prefer users to download the CLI from the github release rather than bintray due to bandwidth restrictions.
Please update:
To point to the GitHub release to avoid capacity issues at bintray:
```shell
curl -sLo ./dependency-check-$VERSION-release.zip https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip
```
Additionally, update:
To:
```powershell
Invoke-WebRequest "https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip" -OutFile "dependency-check-6.0.2-release.zip"
Expand-Archive -Path dependency-check-6.0.2-release.zip -DestinationPath . -Force
```
Hi,
Is there documentation on how the scanning works on a high level? E.g. is the code sent over to a server somewhere on the internet?
Would like to better understand as the company I work for is considering using this extension. But before that happens, we need a better understanding of how it works.
From the marketplace:
arnaud.debock on 30-Apr-2021:
Hi,
There seems to be a problem with the task running on Mac agents. The task only checks the OS for Linux or Windows. Therefore, it tries to launch the "_work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.bat" file, which is not usable on Mac. Can you update the task by adding a test for Agent.OS equals Darwin?
Dear Jeremy,
I'm running into the issue jeremylong/DependencyCheck#1969 on Azure Devops:
[ERROR] An error occured trying to analyze icefaces-ace-3.1.0.jar: jquery-ui.js. To resolve this error please try increasing the Java stack size to 8mb and re-run dependency-check:
Unfortunately I have no clue how to increase stack size as there is no option to do that with the dependency-check-build-task@5:
Kind regards
Tom
I'm trying to run the latest release of your extension using a linux (ubuntu) build agent in Azure DevOps to analyze a .NET 5.0 application. This is the error I was seeing:
```
##[error]The process '/home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.sh' failed with exit code 1
```

My pipeline yaml:

```yaml
- task: dependency-check-build-task@6
  displayName: 'OWASP Dependency Check'
  inputs:
    projectName: 'Project01'
    scanPath: '**/*.csproj'
    format: 'ALL'
    failOnCVSS: '8'
    enableVerbose: true
```
I realized the issue was that I configured an incorrect scanPath. Once I updated that to the correct location of the csproj, it worked perfectly. I closed this issue, but am hoping this post might be helpful to others if they see this error message and are not sure of one possible cause.
this installs 6.0.2, how can we get this release? https://github.com/jeremylong/DependencyCheck/releases/tag/v6.0.3
Remove the artifacts from the extension bundle. Instead, pull the installer artifacts dynamically from bintray and extract on the build agent during execution.
This will add a few seconds to process, however eliminate tons of people asking questions about how to increase the extension file limit - thanks MS :(
```powershell
Invoke-WebRequest "https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip" -OutFile "dependency-check-5.3.2-release.zip"
```
Submitted from Marina Radcke:
Running the task using a Windows Server 2019 agent leads to the error:
'java' is not recognized as an internal or external command, operable program or batch file.
I get the same error when running the dependency-check.bat file (downloaded from OWASP) in a Command-Line task. Java is installed, running java -version
in Command Prompt shows the version, and running dependency-check.bat directly on the server is working, too.
Stop fetching OWASP Dependency-Check from GitHub at each build when version parameter is specified to improve performance and reduce unnecessary network traffic.
Right now, the job takes several minutes because it executes on a clean agent with no data files. We can't include these in the installer because it takes the installer over 100MB compressed, which exceeds our cap.
Option 1: Can / should we host these files in an Azure Blob close to the source? Should make for a very quick pull from Azure Storage onto the build agent versus downloading from MITRE. Then, it would be easy to write an Azure function to auto-update the files every night to keep them fresh. Any reason these files can't be a publicly accessible blob?
Option 2: ????
I'm trying to add this as a step in one of our Azure DevOps deployments. However, it keeps failing with " 'java' is not recognized as an internal or external command":
2020-09-22T12:48:21.2708345Z ==============================================================================
2020-09-22T12:48:21.2709349Z Task : OWASP Dependency Check
2020-09-22T12:48:21.2711297Z Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2020-09-22T12:48:21.2712627Z Version : 5.3.2003
2020-09-22T12:48:21.2713304Z Author : Dependency Check
2020-09-22T12:48:21.2714342Z Help : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2020-09-22T12:48:21.2715497Z ==============================================================================
2020-09-22T12:48:23.4445503Z Starting Dependency Check...
2020-09-22T12:48:23.6401335Z Downloading Dependency Check installer...
2020-09-22T12:48:33.2340098Z Invoking Dependency Check...
2020-09-22T12:48:33.2400801Z Path: C:\azagent\A1\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.3.2003\dependency-check\bin\dependency-check.bat
2020-09-22T12:48:33.2418414Z Arguments: --project "Web" --scan "C:\azagent\A1\_work\r1\a\**\*.csproj" --out "\dependency-check" --exclude "C:\azagent\A1\_work\r1\a" --format HTML --failOnCVSS 8 --suppression "C:\azagent\A1\_work\r1\a"
2020-09-22T12:48:33.3286473Z 'java' is not recognized as an internal or external command,
2020-09-22T12:48:33.3287988Z operable program or batch file.
2020-09-22T12:48:34.2890567Z Dependency Check completed with exit code 9009.
2020-09-22T12:48:34.2907107Z Dependency check reports:
2020-09-22T12:48:34.4252429Z ##[error]Dependency Check exited with an error code.
2020-09-22T12:48:34.4493346Z Ending Dependency Check...
2020-09-22T12:48:34.4957837Z ##[section]Finishing: Dependency Check
I found this issue which is the same scenario (we're running this on our own build server running Windows Server 2019). I downloaded the Java runtime (I've tried this with both the 64-bit version and, when that didn't work, I uninstalled it and installed the 32-bit version). In both cases I went into System Properties > Advanced > Environment Variables and configured the System variables.
I created these two settings:
JAVA_HOME C:\PROGRA~2\Java\jre1.8.0_261
JAVACMD C:\PROGRA~2\Java\jre1.8.0_261\bin
I also tried adding the jre1.8.0_261\bin folder to the path.
But when I redeploy it still fails with the same error. I'm not quite sure what else to try.
Set up a new table on the summary screen that shows the high level scan data. Set up a details tab that shows the full report.
We are impacted by this issue and because the NVD CVE database is downloaded each time our Azure pipeline runs, the temporary fix suggested here jeremylong/DependencyCheck#3306, adding:
additionalArguments: '--noupdate'
will not work.
I know this issue is being worked on, just wanted this community to know about it. Once it's resolved, I'll be sure to close this issue.
After upgrading our applications to dotnet 5 we get errors when running dependency-check-build-task against our application.
It looks like this issue is already resolved upstream: jeremylong/DependencyCheck#3306
Is it possible to upgrade this dependency to a version which includes these patches?

```yaml
- task: dependency-check-build-task@5
  inputs:
    projectName: 'Base'
    scanPath: 'src/**/*.csproj'
    format: 'HTML, JSON, JUNIT'
    failOnCVSS: '8'
    additionalArguments: '--suppression $(System.DefaultWorkingDirectory)/src/Api/suppressions.xml'
```
2021-05-09T12:07:27.7483760Z ##[section]Starting: dependencycheckbuildtask
2021-05-09T12:07:27.7506414Z ==============================================================================
2021-05-09T12:07:27.7506732Z Task : OWASP Dependency Check
2021-05-09T12:07:27.7507181Z Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2021-05-09T12:07:27.7507601Z Version : 5.6.3
2021-05-09T12:07:27.7507796Z Author : Dependency Check
2021-05-09T12:07:27.7508105Z Help : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2021-05-09T12:07:27.7508472Z ==============================================================================
2021-05-09T12:07:30.2792488Z Starting Dependency Check...
2021-05-09T12:07:30.3360791Z Setting report directory to C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3377520Z Creating report directory at C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3952944Z
2021-05-09T12:07:30.3990258Z
2021-05-09T12:07:30.4072712Z Directory: C:\azp\agent\_work\129\TestResults
2021-05-09T12:07:30.4073554Z
2021-05-09T12:07:30.4073939Z
2021-05-09T12:07:30.4150957Z Mode LastWriteTime Length Name
2021-05-09T12:07:30.4159664Z ---- ------------- ------ ----
2021-05-09T12:07:30.4184100Z d----- 5/9/2021 2:07 PM dependency-check
2021-05-09T12:07:30.4422467Z Downloading Dependency Check v6.0.2 installer from GitHub...
2021-05-09T12:07:35.1012399Z Dependency Check installer set to C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1022797Z Invoking Dependency Check...
2021-05-09T12:07:35.1029762Z Path: C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1036140Z Arguments: --project "Base" --scan "C:\azp\agent\_work\129\s\src\**\*.csproj" --out "C:\azp\agent\_work\129\TestResults\dependency-check" --format HTML --format JSON --format JUNIT --failOnCVSS 8 --suppression C:\azp\agent\_work\129\s/src/Api/suppressions.xml
2021-05-09T12:07:35.6397777Z Dependency-Check Core version 6.0.2
2021-05-09T12:07:45.5061357Z [INFO] Checking for updates
2021-05-09T12:07:55.1135280Z [INFO] NVD CVE requires several updates; this could take a couple of minutes.
2021-05-09T12:07:55.1178119Z [INFO] Download Started for NVD CVE - 2002
2021-05-09T12:07:55.1178685Z [INFO] Download Started for NVD CVE - 2003
2021-05-09T12:07:56.2136674Z [INFO] Download Complete for NVD CVE - 2003 (1094 ms)
2021-05-09T12:07:56.2138065Z [INFO] Download Started for NVD CVE - 2004
2021-05-09T12:07:56.2142760Z [INFO] Processing Started for NVD CVE - 2003
2021-05-09T12:07:56.2680181Z WARNING: An illegal reflective access operation has occurred
2021-05-09T12:07:56.2681364Z WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/azp/agent/_work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/5.6.3/dependency-check/lib/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
2021-05-09T12:07:56.2682533Z WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
2021-05-09T12:07:56.2683253Z WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
2021-05-09T12:07:56.2683791Z WARNING: All illegal access operations will be denied in a future release
2021-05-09T12:07:56.8450820Z [INFO] Download Complete for NVD CVE - 2002 (1734 ms)
2021-05-09T12:07:56.8585462Z [INFO] Download Started for NVD CVE - 2005
2021-05-09T12:07:56.8897668Z [INFO] Processing Started for NVD CVE - 2002
2021-05-09T12:07:57.4162151Z [INFO] Download Complete for NVD CVE - 2004 (1197 ms)
2021-05-09T12:07:57.4983966Z [INFO] Download Started for NVD CVE - 2006
2021-05-09T12:07:58.1356793Z [INFO] Download Complete for NVD CVE - 2005 (1281 ms)
2021-05-09T12:07:58.1580793Z [INFO] Download Started for NVD CVE - 2007
2021-05-09T12:07:59.1495820Z [INFO] Download Complete for NVD CVE - 2006 (1604 ms)
2021-05-09T12:07:59.2032454Z [INFO] Download Started for NVD CVE - 2008
2021-05-09T12:08:00.9835663Z [INFO] Download Complete for NVD CVE - 2008 (1790 ms)
2021-05-09T12:08:00.9836492Z [INFO] Download Started for NVD CVE - 2009
2021-05-09T12:08:01.1132409Z [INFO] Download Complete for NVD CVE - 2007 (2961 ms)
2021-05-09T12:08:01.1138952Z [INFO] Download Started for NVD CVE - 2010
2021-05-09T12:08:01.7689044Z [INFO] Processing Complete for NVD CVE - 2003 (5440 ms)
2021-05-09T12:08:01.7817257Z [INFO] Processing Started for NVD CVE - 2004
2021-05-09T12:08:02.6350837Z [INFO] Download Complete for NVD CVE - 2009 (1641 ms)
2021-05-09T12:08:02.6527667Z [INFO] Download Started for NVD CVE - 2011
2021-05-09T12:08:02.9303732Z [INFO] Download Complete for NVD CVE - 2010 (1828 ms)
2021-05-09T12:08:02.9342305Z [INFO] Download Started for NVD CVE - 2012
2021-05-09T12:08:04.8819033Z [INFO] Download Complete for NVD CVE - 2012 (1932 ms)
2021-05-09T12:08:04.8820029Z [INFO] Download Started for NVD CVE - 2013
2021-05-09T12:08:04.8820469Z [INFO] Download Complete for NVD CVE - 2011 (2225 ms)
2021-05-09T12:08:04.9092598Z [INFO] Download Started for NVD CVE - 2014
2021-05-09T12:08:06.6261142Z [INFO] Download Complete for NVD CVE - 2013 (1745 ms)
2021-05-09T12:08:06.6267376Z [INFO] Download Started for NVD CVE - 2015
2021-05-09T12:08:07.2699419Z [INFO] Processing Complete for NVD CVE - 2004 (5591 ms)
2021-05-09T12:08:07.2700394Z [INFO] Processing Started for NVD CVE - 2005
2021-05-09T12:08:07.2904976Z [INFO] Download Complete for NVD CVE - 2014 (2379 ms)
2021-05-09T12:08:07.2906195Z [INFO] Download Started for NVD CVE - 2016
2021-05-09T12:08:08.0501391Z [INFO] Processing Complete for NVD CVE - 2002 (11047 ms)
2021-05-09T12:08:08.0999646Z [INFO] Processing Started for NVD CVE - 2006
2021-05-09T12:08:08.1000386Z [INFO] Download Complete for NVD CVE - 2015 (1475 ms)
2021-05-09T12:08:08.1760950Z [INFO] Download Started for NVD CVE - 2017
2021-05-09T12:08:08.7198105Z [INFO] Download Complete for NVD CVE - 2016 (1439 ms)
2021-05-09T12:08:08.7215216Z [INFO] Download Started for NVD CVE - 2018
2021-05-09T12:08:10.7160917Z [INFO] Download Complete for NVD CVE - 2017 (2542 ms)
2021-05-09T12:08:10.7173425Z [INFO] Download Started for NVD CVE - 2019
2021-05-09T12:08:11.2426727Z [INFO] Download Complete for NVD CVE - 2018 (2521 ms)
2021-05-09T12:08:11.2702719Z [INFO] Download Started for NVD CVE - 2020
2021-05-09T12:08:12.6490268Z [INFO] Download Complete for NVD CVE - 2019 (1932 ms)
2021-05-09T12:08:12.6491654Z [INFO] Download Started for NVD CVE - 2021
2021-05-09T12:08:14.0745689Z [INFO] Download Complete for NVD CVE - 2021 (1426 ms)
2021-05-09T12:08:15.4127499Z [INFO] Processing Complete for NVD CVE - 2005 (8166 ms)
2021-05-09T12:08:15.4128228Z [INFO] Processing Started for NVD CVE - 2008
2021-05-09T12:08:17.9381007Z [INFO] Download Complete for NVD CVE - 2020 (6679 ms)
2021-05-09T12:08:21.1492548Z [INFO] Processing Complete for NVD CVE - 2006 (13231 ms)
2021-05-09T12:08:21.1493349Z [INFO] Processing Started for NVD CVE - 2007
2021-05-09T12:08:29.3665901Z [INFO] Processing Complete for NVD CVE - 2008 (13943 ms)
2021-05-09T12:08:29.3666709Z [INFO] Processing Started for NVD CVE - 2009
2021-05-09T12:08:34.4975420Z [INFO] Processing Complete for NVD CVE - 2007 (13350 ms)
2021-05-09T12:08:34.4976183Z [INFO] Processing Started for NVD CVE - 2010
2021-05-09T12:08:44.2600146Z [INFO] Processing Complete for NVD CVE - 2009 (14890 ms)
2021-05-09T12:08:44.2743349Z [INFO] Processing Started for NVD CVE - 2012
2021-05-09T12:08:52.5767225Z [INFO] Processing Complete for NVD CVE - 2010 (18070 ms)
2021-05-09T12:08:52.5808645Z [INFO] Processing Started for NVD CVE - 2011
2021-05-09T12:09:08.2815293Z [INFO] Processing Complete for NVD CVE - 2012 (23997 ms)
2021-05-09T12:09:08.2822036Z [INFO] Processing Started for NVD CVE - 2013
2021-05-09T12:09:12.8072992Z [INFO] Processing Complete for NVD CVE - 2011 (20232 ms)
2021-05-09T12:09:12.8074134Z [INFO] Processing Started for NVD CVE - 2014
2021-05-09T12:09:27.6574716Z [INFO] Processing Complete for NVD CVE - 2013 (19401 ms)
2021-05-09T12:09:27.6705731Z [INFO] Processing Started for NVD CVE - 2015
2021-05-09T12:09:32.9432801Z [INFO] Processing Complete for NVD CVE - 2014 (20148 ms)
2021-05-09T12:09:32.9433497Z [INFO] Processing Started for NVD CVE - 2016
2021-05-09T12:09:37.1818183Z [INFO] Processing Started for NVD CVE - 2017
2021-05-09T12:09:40.9740333Z [INFO] Processing Complete for NVD CVE - 2015 (13311 ms)
2021-05-09T12:09:40.9740804Z [INFO] Processing Started for NVD CVE - 2018
2021-05-09T12:09:54.7723632Z [INFO] Processing Complete for NVD CVE - 2017 (17593 ms)
2021-05-09T12:09:54.7724412Z [INFO] Processing Started for NVD CVE - 2019
2021-05-09T12:09:59.2873019Z [INFO] Processing Complete for NVD CVE - 2018 (18331 ms)
2021-05-09T12:09:59.3031893Z [INFO] Processing Started for NVD CVE - 2021
2021-05-09T12:09:59.7428943Z [INFO] Processing Started for NVD CVE - 2020
2021-05-09T12:10:10.2897280Z [INFO] Processing Complete for NVD CVE - 2019 (15519 ms)
2021-05-09T12:10:10.2915919Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2917069Z org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2919514Z at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
2021-05-09T12:10:10.2922418Z at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
2021-05-09T12:10:10.2922983Z at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:855)
2021-05-09T12:10:10.2923506Z at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:662)
2021-05-09T12:10:10.2924039Z at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:592)
2021-05-09T12:10:10.2924510Z at org.owasp.dependencycheck.App.runScan(App.java:254)
2021-05-09T12:10:10.2924954Z at org.owasp.dependencycheck.App.run(App.java:186)
2021-05-09T12:10:10.2927707Z at org.owasp.dependencycheck.App.main(App.java:81)
2021-05-09T12:10:10.2928444Z Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2960628Z at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
2021-05-09T12:10:10.2961229Z at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
2021-05-09T12:10:10.2961789Z at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
2021-05-09T12:10:10.2966594Z ... 7 common frames omitted
2021-05-09T12:10:10.2967277Z Caused by: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2968060Z at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.lambda$testCveCpeStartWithFilter$0(NvdCveParser.java:149)
2021-05-09T12:10:10.2968660Z at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
2021-05-09T12:10:10.2969191Z at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
2021-05-09T12:10:10.2969847Z at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
2021-05-09T12:10:10.2970512Z at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
2021-05-09T12:10:10.2971009Z at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
2021-05-09T12:10:10.2971481Z at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
2021-05-09T12:10:10.2971952Z at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
2021-05-09T12:10:10.2972650Z at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
2021-05-09T12:10:10.2973147Z at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
2021-05-09T12:10:10.2973608Z at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:528)
2021-05-09T12:10:10.2974111Z at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.testCveCpeStartWithFilter(NvdCveParser.java:149)
2021-05-09T12:10:10.2974631Z at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:100)
2021-05-09T12:10:10.2975108Z at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
2021-05-09T12:10:10.2975593Z at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
2021-05-09T12:10:10.2976073Z at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
2021-05-09T12:10:10.2976537Z at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
2021-05-09T12:10:10.2976963Z at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
2021-05-09T12:10:10.2977414Z at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
2021-05-09T12:10:10.2977910Z at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
2021-05-09T12:10:10.2978413Z at java.base/java.lang.Thread.run(Thread.java:832)
2021-05-09T12:10:11.0629791Z [ERROR] There was an error attempting to close the CveDB, see the log for more details.
2021-05-09T12:10:11.0630350Z [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2021-05-09T12:10:11.0630774Z [ERROR] Unable to continue dependency-check analysis.
2021-05-09T12:10:11.1893613Z [ERROR] One or more fatal errors occurred
2021-05-09T12:10:11.1894631Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:11.1895297Z [ERROR] No documents exist
2021-05-09T12:10:11.9392672Z Dependency Check completed with exit code -13.
2021-05-09T12:10:11.9399520Z Dependency check reports:
2021-05-09T12:10:11.9802879Z ##[error]Dependency Check exited with an error code.
2021-05-09T12:10:11.9927767Z Ending Dependency Check...
2021-05-09T12:10:11.9928130Z
2021-05-09T12:10:11.9928356Z
2021-05-09T12:10:12.0357305Z ##[section]Finishing: dependencycheckbuildtask
Hi, I think the --exclude option is not working.
I have the following directory structure after git checkout:

```
s/
  -- changelogs
  -- tests
  -- src
  -- helper
  -- some other files and directories
```

This is the YAML task:
Although I am trying to exclude tests I am still getting these files Paths
`/home/vsts/work/1/s/tests/E2E.Cypress/package-lock.json?lodash`
and
[WARN] Analyzing `/home/vsts/work/1/s/tests/E2E.Cypress/package-lock.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] Analyzing `/home/vsts/work/1/s/changelogs/validation/package-lock.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
Command used in job is:

```
Path: /home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh
Arguments: --project "Backend" --scan "/home/vsts/work/1/s/" --out "/home/vsts/work/1/TestResults/dependency-check" --exclude "/tests/**" --format HTML --failOnCVSS 7 --suppression "/home/vsts/work/1/s/suppress.xml"
```
Using the same commands on my workstation (Windows system):

```
.\dependency-check.bat -s "C:\Backend" --exclude "/tests/**"
```

works without problems.
I can also use the --exclude command multiple times, for example to remove also the changelogs folder from the path:

```
--exclude "/tests/" --exclude "/changelogs/"
```
Cannot use the excludePath multiple Times in YAML due to key problems...
EDIT: I can use the Extra Arguments Field and it works with multiple exclude arguments or only one!
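The two reports above (the duplicate `scanPath` key at `azure-pipelines.yml` line 16, and the `excludePath` key that likewise cannot be repeated) both run into the same YAML limitation: a mapping key can appear only once. The `additionalArguments` input gets around it, because the task appends it verbatim to the CLI command line (the log in the dotnet 5 report shows `--suppression ...` passed through exactly that way), and the CLI accepts `--scan` and `--exclude` more than once. The pipeline fragment below is an added example, not configuration from the extension's own docs; it assumes the project paths `src/proj.web` and `src/proj.service`, that `$(Build.SourcesDirectory)` is the checkout root the task's own `scanPath` is resolved against (the logs on this page show `scanPath` prefixed with the sources directory), and that `**/tests/**` is an acceptable Ant-style pattern for the CLI. Whether the task's `excludePath` input is anchored differently than a raw `--exclude` flag is not settled by this page, so verify against the `Arguments:` line the task prints.

```yaml
# Added example: one dependency-check task scanning two specific projects
# and excluding two directories, without repeating a YAML key.
steps:
  - task: dependency-check-build-task@6
    displayName: 'OWASP Dependency Check'
    inputs:
      projectName: 'Project01'
      # First scan target goes through the task input; the task resolves it
      # relative to the sources directory and quotes it for the CLI.
      scanPath: '**/proj.web/*.csproj'
      # Every further --scan / --exclude goes through additionalArguments,
      # which is appended verbatim to the CLI (assumption, backed by the
      # --suppression pass-through visible in the logs above). Paths here
      # are NOT prefixed by the task, so give them explicitly.
      additionalArguments: >-
        --scan "$(Build.SourcesDirectory)/src/proj.service/*.csproj"
        --exclude "**/tests/**"
        --exclude "**/changelogs/**"
      format: 'HTML,JUNIT'
      failOnCVSS: '7'
      enableVerbose: true
```

The folded scalar (`>-`) joins the lines into a single space-separated argument string, which keeps the flag list readable in the pipeline file while still producing one command line. With `enableVerbose: true` the task prints the final `Arguments:` line, so the first run is the place to confirm that each `--scan` and `--exclude` reached the CLI and that the exclude patterns actually remove `tests/` and `changelogs/` from the report.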
Upon installing the extension and running it, I get the following error:
Downloading Dependency Check vulnerability data... ##[error]System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request) at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord() Ending Dependency Check...
Hi, I was pretty excited to learn about your extension. However, when I try to install it on our on-premises Azure DevOps 2019.Update 1 (17.153.29207.5) server, I get this error message; "We've encountered an error while downloading the extension. Please try again later." on the side panel I see: "Permission section could not be loaded", which I suspect is the root issue. (screenshot attached)
I've confirmed that I can install other extensions and I can pull down the VSIX directly (without going through the Azure DevOps extension install pages). Unfortunately, with 2019, I no longer have the option to upload an extension, so I'm not able to get past this. I'd appreciate any suggestions.
@jeremylong This error seems to be popping up today downloading the latest installer. I noticed this in brew
as well as the extension. Any ideas?
https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip
We have an Azure DevOps setup where there are two self-hosted VMs running 16 agents. The default behavior is to store the databases in C:\agent_work[number]\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\[version]\dependency-check\data. This means we have 16 copies of the database across those 2 VMs. When the default 4 hour window for NVD is crossed, 16 builds have to pay a penalty to check for updates (takes like 8 minutes!), and there are other database maintenance tasks that feel like they are happening too often.
Aside from tweaking arguments like cveValidForHours, is there anything we can do either with dependency-check or Azure Pipelines to limit builds throughout the day from experiencing large wait times? For example, can we move to one database per VM, but then is that safe from a concurrency perspective with 8 agents running per VM?
I can no longer host the cached dependency check files to support the ecosystem. Traffic has become large enough, it is time for folks to host their own data cache files.
Adding 2 new fields to the extension:
Data Mirror: JSON Repository
Data Mirror: ODC Database
These files can be pulled from the URL provided and will be loaded into the extension's data directory.
This is likely a feature request.
We use this extension on Azure DevOps Server 2019 Update 1 on-premise behind an HTTP proxy.
Our agent was configured using this documentation: Run a self-hosted agent behind a web proxy
This extension does not pick up the configured proxy settings. Our current workaround is to use "Additional Arguments" to configure the settings as described here.
It seems like extensions can use the configured proxy settings by calling Get-VstsWebProxy.
Get proxy configuration by using AZURE-DEVOPS-TASK-LIB method
I can try and create a PR for this, if you prefer.
I have found that whatever is configured in the task definition for OWASP DC in the _outputDirectory_ parameter is not taken into consideration when test results are created. The results are always created in D:\a\1\TestResults\dependency-check.
After that I am unable to reach this directory when trying to publish the results with the JUnit publisher. Configuration of the Publish task is like this:
searchFolder: '$(System.DefaultWorkingDirectory)\TestResults\dependency-check\'
but it is transformed to a path like this: ##[debug]adjustedPattern: 'D:\a\1\s\TestResults\dependency-check\*junit.xml'
Is the outputDirectory parameter somehow ignored?
Current task is limited to one --exclude parameter. Can't it use a multi-line list or do a split on a delimiter?
I can only think of one workaround: deleting files / directory that need to be excluded.
Hi
We use a webproxy to connect to the internet.
I added to the arguments:
--proxyserver "myproxy" --proxyport "myport"
but when I use the extension it writes in the log:
Downloading Dependency Check latest installer from GitHub
and doesn't proceed.
Looks to me that proxy configuration is not used.
Describe the bug
I cannot install the OWASP Dependency Check Azure DevOps Server Extension.
Version of dependency-check used
Azure DevOps Extension 5.2.1.2
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The extension installs on our local Azure DevOps Server.
or
The extension does not list "Azure DevOps Server 2019" as a compatible installation target. (less preferred behavior)
Additional context
Hi,
When you specify additionalArguments such as cveUrls in the task (for workaround purposes here) then the generated command fails:
C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.0.2\dependency-check\bin\dependency-check.bat --project "MyProjetct" --scan D:\a\1\s --out D:\a\1\TestResults\dependency-check --format JUNIT --cveUrlModified "https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz --cveUrlBase" https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz"
Here was the task configuration:
additionalArguments: '--cveUrlModified https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz --cveUrlBase https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz
Thanks for help
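The multiple --exclude question above and the additional-arguments quoting report are both about how the task assembles the CLI command line. The following is an added example in POSIX sh, not code from the extension or its maintainers, showing one way to do it: repeated --exclude options are built from a comma- or newline-separated list, and a free-form additional-arguments string is tokenised with xargs so a double-quoted value reaches the CLI as a single argument (the generated command in the report above shows what happens when that is not the case). The CLI path, project name and mirror URL are placeholders.

```shell
#!/bin/sh
# Added example, not part of the dependency-check-azure-devops extension.
# Builds a dependency-check CLI call from a delimited exclusion list and an
# "additional arguments" string. Paths and URLs here are assumptions.

# Print one exclusion glob per line, trimming blanks and dropping empties.
split_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' || true
}

# Tokenise an "additional arguments" string the way a shell would: xargs
# honours double and single quotes, so
#   --cveUrlModified "https://host/a b"
# yields two tokens rather than three.
split_extra_args() {
    [ -n "$1" ] || return 0
    printf '%s' "$1" | xargs printf '%s\n'
}

# $1 = CLI to run (dependency-check.sh, or a stub while testing)
# $2 = exclusion list (comma- or newline-separated globs)
# $3 = additional-arguments string (may be empty)
# Remaining arguments are the base options (--project, --scan, ...).
run_dependency_check() {
    cli=$1; excludes=$2; extra=$3; shift 3
    # $@ now holds the base options; append one --exclude per list entry.
    # Each glob stays a single, unexpanded argument because it is quoted.
    while IFS= read -r glob; do
        if [ -n "$glob" ]; then
            set -- "$@" --exclude "$glob"
        fi
    done <<EOF
$(split_list "$excludes")
EOF
    # Append the tokenised additional arguments in order.
    while IFS= read -r tok; do
        if [ -n "$tok" ]; then
            set -- "$@" "$tok"
        fi
    done <<EOF
$(split_extra_args "$extra")
EOF
    "$cli" "$@"
}

# Usage on an agent (assumed path, not run here):
#   run_dependency_check \
#     /path/to/dependency-check/bin/dependency-check.sh \
#     '/tests/**, /changelogs/**' \
#     '--cveUrlModified "https://mirror.example/nvdcve-1.1-modified.json.gz" --cveUrlBase https://mirror.example/nvdcve-1.1-%d.json.gz' \
#     --project Backend --scan "$PWD" --format HTML
```

Because the positional parameters are rebuilt with `set --` rather than by pasting strings into an `eval`, a glob such as `/tests/**` and a URL containing `%d` are passed through unchanged, and nothing in the exclusion list or the extra-arguments string can be interpreted as shell syntax.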
New option field for specifying the installer version for the automatic download on cloud-hosted agents.
I set up my C++ project with cmake.
How can I set the Scan path? When I set it as the build folder, the report contains nothing.
I use OWASP version 6.
Thank you
We started having an issue last week when a team bumped their version of OWASP Dependency Check on our Azure DevOps pipeline. We were getting an error with the CPE analyzer because its initializer failed. Investigating the issue, we've discovered that when upgrading the Dependency Check version to be downloaded, all the pre-existing libraries and the new libraries are kept in the same folder, and this causes an issue because some libraries were confused about which version to use.
I suggest keeping each version in a separate folder or cleaning the path where the archive will get decompressed.
Copied from VSMarketplace:
Jeffrey Rempel: How do you install this on a TFS 2018 on-premise server? I try to upload the extension however I get an error stating "The files being added total 35.7 MB which exceeds the maximum total size allowed to be uploaded (25 MB)."
I tried to specify the output path of the reports using the --out argument of Dependency Check. I've added it to the "Additional Arguments" section of the task, but the reports were still uploaded to the default location (under test results). Any plan to support custom output location for the reports?
Thanks,
Hi,
We only recently added this to our build pipeline and all was working fine on version 5.3.0, but it doesn't appear to work any more with 5.3.2.
Here's the step from our azure-pipelines.yaml:
- task: OWASPDependencyCheck@0
  displayName: OWASP Dependency Check
  inputs:
    outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    scanDirectory: '$(Build.SourcesDirectory)'
    outputFormat: 'ALL'
    useSonarQubeIntegration: true
And here's the log file:
owasp-dependency-check-5-3-2-error.log
Please let me know if I can try something or provide any further information.