Dependency Report shows no vulnerablities #6594

Open
alfstglo-fadv opened this issue Apr 16, 2024 · 4 comments

Comments


alfstglo-fadv commented Apr 16, 2024

My OWASP dependency reports stopped listing vulnerabilities, when I know there are many. I recently had to do a --purge which might be when they broke. What could be wrong?

YAML:

```yaml
  - task: dependency-check-build-task@6
    inputs:
      dependencyCheckVersion: '8.0.0'
      projectName: 'Mailer'
      scanPath: '$(system.defaultworkingdirectory)/services/mailer'
      format: 'ALL'
      reportsDirectory: '$(Agent.TempDirectory)/dependency-scan-results/'
```

Build Info:

```text
Associated artifact 59630 with build 88751
Async Command End: Upload Artifact
Async Command Start: Upload Artifact
Uploading 1 files
Max dedup parallelism: 192
Building file tree
Uploaded 0 out of 132,867 bytes.
Uploaded 132,867 out of 132,867 bytes.
Associating files
Total files: 1 ---- Associated files: 0 (0%)
File upload succeed.
Upload '/home/azdevops/myagent-04/_work/_temp/dependency-scan-results/Mailer/dependency-check-report.html' to file container: '#/25865850/dependency-check'
Associated artifact 59630 with build 88751
Async Command End: Upload Artifact
Async Command Start: Upload Artifact
Uploading 1 files
Max dedup parallelism: 192
Building file tree
Uploaded 0 out of 2,436 bytes.
Uploaded 2,436 out of 2,436 bytes.
Associating files
Total files: 1 ---- Associated files: 0 (0%)
File upload succeed.
Upload '/home/azdevops/myagent-04/_work/_temp/dependency-scan-results/Mailer/dependency-check-report.json' to file container: '#/25865850/dependency-check'
Associated artifact 59630 with build 88751
Async Command End: Upload Artifact
Async Command Start: Upload Artifact
Uploading 1 files
Max dedup parallelism: 192
Building file tree
Uploaded 0 out of 2,242 bytes.
Uploaded 2,242 out of 2,242 bytes.
Associating files
Total files: 1 ---- Associated files: 0 (0%)
File upload succeed.
Upload '/home/azdevops/myagent-04/_work/_temp/dependency-scan-results/Mailer/dependency-check-report.sarif' to file container: '#/25865850/dependency-check'
Associated artifact 59630 with build 88751
Async Command End: Upload Artifact
Async Command Start: Upload Artifact
Uploading 1 files
Max dedup parallelism: 192
Building file tree
Uploaded 0 out of 2,263 bytes.
Uploaded 2,263 out of 2,263 bytes.
Associating files
Total files: 1 ---- Associated files: 0 (0%)
File upload succeed.
Upload '/home/azdevops/myagent-04/_work/_temp/dependency-scan-results/Mailer/dependency-check-report.xml' to file container: '#/25865850/dependency-check'
Associated artifact 59630 with build 88751
Async Command End: Upload Artifact
Finishing: dependencycheckbuildtask
```

Report:

Project: Mailer
Scan Information ([show all](https://codequality.com/project/extension/dependencycheck/report_page?id=mailer&branch=master))
dependency-check version: 8.0.0
Report Generated On: Tue, 16 Apr 2024 13:39:30 -0400
Dependencies Scanned: 1 (1 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
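The report above says a single dependency was scanned, which is itself the signal that the scan looked at the wrong thing rather than proof the project is clean. As an added example (not code from this issue or from the dependency-check project), a small check over the JSON report the task uploads: it counts scanned dependencies and findings and fails the build when fewer dependencies were seen than the project is known to have, so a silently empty scan does not pass as a clean one. It assumes the report's top-level `dependencies` list with a per-dependency `vulnerabilities` list (the shape of dependency-check's JSON output); the two sample reports and the placeholder vulnerability ids are constructed.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report, matching
# the issue's report: one dependency scanned, nothing found.
SAMPLE_CLEAN = json.dumps({
    "projectInfo": {"name": "Mailer"},
    "scanInfo": {"engineVersion": "8.0.0"},
    "dependencies": [{"fileName": "mailer.jar", "vulnerabilities": []}],
})

# Constructed sample with findings (placeholder ids, not real CVE numbers).
SAMPLE_FINDINGS = json.dumps({
    "projectInfo": {"name": "Mailer"},
    "scanInfo": {"engineVersion": "8.0.0"},
    "dependencies": [
        {"fileName": "a.jar", "vulnerabilities": [{"name": "PLACEHOLDER-1", "severity": "HIGH"}]},
        {"fileName": "b.jar", "vulnerabilities": [{"name": "PLACEHOLDER-2", "severity": "high"},
                                                  {"name": "PLACEHOLDER-3", "severity": "MEDIUM"}]},
        {"fileName": "c.jar"},  # no vulnerabilities key at all
    ],
})

def summarize_report(report_text):
    """Count scanned dependencies and findings in a dependency-check JSON report."""
    report = json.loads(report_text)
    deps = report.get("dependencies", [])
    vulns = [v for d in deps for v in (d.get("vulnerabilities") or [])]
    by_severity = {}
    for v in vulns:
        sev = str(v.get("severity", "UNKNOWN")).upper()  # normalise case
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return {
        "dependencies": len(deps),
        "vulnerable_dependencies": sum(1 for d in deps if d.get("vulnerabilities")),
        "vulnerabilities": len(vulns),
        "by_severity": by_severity,
    }

def check_report(report_text, min_dependencies):
    """Return (ok, reason). Too few scanned dependencies means the scan itself is
    suspect (wrong scanPath, empty checkout), so that is a failure as well."""
    s = summarize_report(report_text)
    if s["dependencies"] < min_dependencies:
        return False, f"only {s['dependencies']} dependencies scanned, expected at least {min_dependencies}; check scanPath"
    if s["vulnerabilities"]:
        return False, f"{s['vulnerabilities']} vulnerabilities in {s['vulnerable_dependencies']} dependencies: {s['by_severity']}"
    return True, f"{s['dependencies']} dependencies scanned, no vulnerabilities found"
```

In a pipeline, feed `check_report` the contents of `dependency-check-report.json` from the reports directory and a minimum taken from the project's real dependency count.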
alfstglo-fadv (Author) commented:

I will add that I have multiple projects using the same build agent folder. Each project uses its own report directory setting. Each build is using the same folder for downloading dependency-check.

E.g. The folder/command is the same for each project's build
/home/azdevops/myagent-04/_work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.2.3/dependency-check/bin/dependency-check.sh

Is something cached in the dependency-check folder that is causing the dependency report to break?
Do I have to use a different build agent for each project?

aikebah (Collaborator) commented Apr 16, 2024

You provide 0 output of dependencycheck. So you need to make your task capture the SysOut/SysErr of the shell command (dependencycheck.sh invocation) if you want this project to give you any advice.

alfstglo-fadv (Author) commented:

In the first comment there is a section 'Build Info' that contains all the output for 'dependency-check-build-task'.

aikebah (Collaborator) commented Apr 17, 2024

You need to check with the authors and documentation of the Azure dependency-check-build-task how to obtain the output of the dependencycheck.sh that they invoke in the task.
