dependency-check_action's Issues

Pipe results into PR comment

It would be great to parse the output and pipe it directly into a PR comment (similar to how Semgrep does it). Most devs are unlikely to care to go look into an output file (unless they absolutely have to), so it's just more friction.

Exclude directory

Hey,
I am unsuccessfully trying to exclude a directory from the analysis the following way:

      - name: Run owasp dependency check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 's3-metadata-tagger'
          path: '.'
          format: 'HTML'    
          args: >
            --failOnCVSS 6
            --exclude '**/examples/*'

Do you know what the correct syntax for excluding a directory is?

The directory layout of the project is such that the top level directory contains src/ and examples/, with examples further containing a directory in which a package-lock.json lies.

You can take a look at the layout here

disableOssIndex isn't being read in Action

Hi,
I am trying to execute Action and it is showing me the error
Error: Failed to request component-reports
Error: Failed to request component-reports
Searching this error a bit tells that it might be due to Sonatype Index searching, so I put the --disableOssIndex argument in args for my GitHub Action. But it does not seem to solve my problem. Adding this argument locally does solve the error, but not in the Action. Can you tell me the correct syntax to add this argument in my action, or is there something else I need to do?

Doesn't generate report if check fails

I am having trouble getting the report published when the --failOnCVSS arg is set. The report doesn't seem to get generated.
Here is my workflow:

on:
  pull_request:
    branches: 
      - main

jobs:
  depchecktest:
    runs-on: ubuntu-latest
    name: Dependency Check
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up Node 16
        uses: actions/setup-node@v2
        with:
          node-version: 16
      - name: Install
        run: npm ci
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'My project'
          path: '.'
          format: 'HTML'
          out: 'reports' # this is the default, no need to specify unless you wish to override it
          args: >
            --enableRetired
      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
           name: DependencyCheck Report
           path: ${{github.workspace}}/reports

Here is the outcome:

Leaves behind artifacts as `root` user

Scenario:

Invoked as a GitHub Action, running on self-hosted runners.
Runners are using runner.runner for their UID/GID.

Running with:

  depcheck:
    runs-on: self-hosted
    name: OWASP DepCheck
    steps: 
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: ${{ github.event.repository.name }}
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Upload OWASP Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports

This leaves behind artifacts (in the workspace's reports folder) as root.root, and subsequent steps or jobs run on the same machine will fail.

For example, running this (after a scan):

steps:
  - name: Checkout Reset for next validations
    uses: actions/checkout@v2

will produce this error (with GitHub Actions debugging enabled):

Cleaning the repository
  /usr/bin/git clean -ffdx
  warning: failed to remove reports/dependency-check-report.html: Permission denied
  Removing node_modules/
  ##[debug]The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '/runner/_work/test-demo/test-demo'.
  ::endgroup::
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/runner/_work/test-demo/test-demo'
##[debug]Unsetting HOME override
::remove-matcher owner=checkout-git::
##[debug]Removed matchers: 'checkout-git'
Error: Command failed: rm -rf /runner/_work/test-demo/test-demo/reports
rm: cannot remove '/runner/_work/test-demo/test-demo/reports/dependency-check-report.html': Permission denied

That location on the runners now has:
drwxr-xr-x 4 runner runner 34 Jun 29 00:23 .
drwxr-xr-x 3 runner runner 26 Jun 5 14:10 ..
drwxr-xr-x 2 root root 42 Jun 29 00:14 reports

I would guess it might be because of this:
https://github.com/dependency-check/Dependency-Check_Action/blob/main/Dockerfile#L11

(Sets USER root)

Since packages are not being installed anymore (cd2308e), is the root user still needed?

Dependency-check v9.0.0

Hi,

Sorry if this is the wrong place to ask this question. Would it be possible to push a new version of owasp/dependency-check-action on docker hub that uses dependency-check v9.0.0? We're using your docker image to speed up our CI builds, and they are currently failing because we're using the latest version of the dependency-check maven plugin against an older format of the database.

Thanks.

Override output path

Hey, I would need to be able to override the output path for the reports; could we modify the action to do it? I was thinking of adding a variable with a default value:

inputs:
  out:
    required: true
    default: 'reports'

and then updating this line to use it: '/github/workspace/${{ inputs.out }}'

Another improvement could be to use the github.workspace variable in place of /github/workspace. I did not know it was a mounted volume, my bad; I updated the code above :S

Multiple reporting formats

Cannot specify multiple output formats in the format parameter.

An alternative is to specify -f <format> multiple times in args, but this creates a weird redundant structure where formats are being specified in two separate arguments:

with:
  format: JSON
  args: >
    -f HTML

At this point I'd suggest getting rid of the format argument altogether and letting people specify it in args directly.

For that matter, why not just have an args argument and get rid of the rest? It's just a wrapper around the CLI that people can then call directly.

Support Windows runners

Any chance we can get this to support Windows GitHub Actions runners? Since you're using a Docker container action, I'm pretty sure it will only work on Linux (see https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action). The Azure Pipelines equivalent interacts with the dependency-check tool directly within the agent itself (downloading it, ensuring Java is present and set up well, etc.), which allows it to be used on both Windows and Linux.

If I'm mistaken and this should work, just let me know and I'll give it a shot. Otherwise, if I'm correct, you might want to update the readme.md to list this as a limitation.

Action fails but Dependency check runs without error

Hi,

I am scanning a Podfile (Swift project) and this is my action:

name: Dependency Checker

on: [push]

jobs:
  depchecktest:
    runs-on: ubuntu-latest
    name: depecheck_test
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: List files in the workspace
        run: |
          ls ${{ github.workspace }}
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'test'
          path: '.'
          format: 'HTML'    
          args: >
            --enableExperimental 
            --scan Podfile.lock
            --failOnCVSS 5
      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
           name: Depcheck report
           path: ${{github.workspace}}/reports

If I run this the first time, the HTML report is generated and added to the GitHub Actions run. But if I run it a second time, the "Depcheck" stage gets an error, even though the output looks exactly like the first run of this step. Afterwards the test results are not uploaded. Any idea what the problem might be?

Option to alert or block from a given severity threshold

At the moment I believe the scan simply outputs a file, but in line with #3, it would be cool to be able to stipulate that only findings of a given severity or higher (e.g. Medium) are alerted, at least in a PR comment (the full report can still be included as a file if one is interested in all findings). Similarly, another variable to control whether or not the current scan should block the CI from a given severity (e.g. High).

The workflow fails with locally referenced modules

I am having trouble using the workflow to scan a repo with locally referenced modules. When the workflow runs, I get a few warnings about skipping the locally referenced modules in my package.json, and then the process fails with the following errors:
Error: NodeAuditAnalyzer failed on /github/workspace/package-lock.json
Error: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
Error: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

Here is how the local references look in the package.json:

"dependencies": {
  "@some-project/module1": "file:dist/libs/module1",
  "@some-project/module2": "file:dist/libs/module2",
  ....
}

What is required to get this to work?

  owasp_dependency_check:
    needs: compile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      - name: Restore Gradle Cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}-${{ github.run_id }}-${{ github.run_number }}

      - name: OWASP dependency check
        id: owasp-dependency-check
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # actions/setup-java changes JAVA_HOME, so it needs to be reset to match the depcheck image
          JAVA_HOME: /opt/jdk
        with:
          project: my-project-name
          format: HTML
          args: |
            --failOnCVSS 8
            --suppression config/owasp-dependency-check-suppression.xml
        timeout-minutes: 10

      - name: Archive OWASP Dependency Check Report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: owasp-dependency-check-reports
          path: reports/dependency-check-report.html

The report is empty. The only dependency it scans is /github/workspace/gradle/wrapper/gradle-wrapper.jar. Does it have to happen in the same job as my Gradle compile step? I like breaking out separate jobs so that they can be run in parallel.

Error while trying to execute the action

Error message received:

Error: JAVA_HOME is not defined correctly.
We cannot execute /opt/hostedtoolcache/Java_Adopt_jdk/8.0.292-1/x64/bin/java

GitHub action used:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'

      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots verify

      - name: Dependency Check
        uses: dependency-check/[email protected]
        id: dependency-check
        with:
          project: 'test'
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

Arguments do not seem to be passed in to the action

I'm having trouble getting the --failOnCVSS argument to work; it doesn't seem to be passed through. I have tried to copy the setup in the README.md in this repo, but no luck.

    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/[email protected]
        # https://github.com/actions/checkout/releases
        with:
          fetch-depth: 0 # Fetch all branches and tags to determine semantic version

      - name: Setup .NET
        uses: actions/[email protected]
        # https://github.com/actions/setup-dotnet/releases
        with:
          dotnet-version: 6.0.x
          include-prerelease: true

      - name: Build with dotnet
        run: dotnet build --configuration Release

      - name: Dependency Check
        uses: dependency-check/[email protected]
        id: deptcheck
        with:
          project: "Some"
          path: "."
          format: "HTML"
          args: --failOnCVSS 3

      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports

Post Run dependency check action failure

My "Run dependency check actions" step works and produces dependency issues, but my "Post Run dependency check action" step fails. It currently fails because it cannot find the action.yml file within the file location I specified. If I run an ls command before running the dependency scan, I have a file there, but if I put the ls command after the scan, it fails. Where in this action is the "Post Run dependency check action" initiated, and how can I either fix this or remove it?

Scan argument will just scan folder inside the container?

Looking at the scan parameter:

- '--scan'
- '${{ inputs.path }}'

If a . is provided here (as is the default), won't it just scan the home directory inside the container? GitHub's working directory is mounted at /github/workspace, as indicated by the out parameter:

- '--out'
- '/github/workspace/${{ inputs.out }}'

So doesn't /github/workspace need to be prefixed to inputs.path (if it's a relative path) to scan GitHub's actual workspace?

Additionally, what do you do if someone provides absolute paths (in this case and in the case of out)?

I can do a PR if needed.

Arguments in `others` read as one

When attempting to have multiple arguments (in my case, --disableYarnAudit --failOnCVSS 7), they are submitted as one argument.

Configured action:

      - name: dependency-check
        uses: dependency-check/Dependency-Check_Action@main
        id: dependency-check
        with:
          project: 'project'
          path: '.'
          format: 'HTML'
          others: '--disableYarnAudit  --failOnCVSS 7'
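The two posts above (the relative `path` question and the `others` string arriving as a single argument) describe the same wrapper concern. The following is an added example, not the action's own entrypoint: a bash sketch of how a container-action wrapper should anchor the scan path at the mounted workspace and split the extra-argument string before invoking the CLI. The WORKSPACE mount point and all function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the action's own entrypoint: how a container-action
# wrapper should turn the `path` and `others`/`args` inputs into an argv for
# the dependency-check CLI. WORKSPACE and all function names are assumptions.

# Assumed mount point of the checked-out repository inside the container.
WORKSPACE="/github/workspace"

# Resolve the `path` input. Absolute paths are kept; relative ones (including
# the default ".") are anchored at the workspace, so the scan covers the
# repository rather than the container's own working directory.
resolve_scan_path() {
  local workspace="$1" input="$2"
  case "$input" in
    /*)    printf '%s\n' "$input" ;;
    .|"")  printf '%s\n' "$workspace" ;;
    ./*)   printf '%s/%s\n' "$workspace" "${input#./}" ;;
    *)     printf '%s/%s\n' "$workspace" "$input" ;;
  esac
}

# Stand-in for the CLI: report how many argv entries it would receive.
count_argv() { echo "$#"; }

# Broken: the extra-argument string is forwarded as ONE quoted word, so the
# CLI sees a single argument "--disableYarnAudit  --failOnCVSS 7" and rejects it.
argv_count_unsplit() {
  local extra="$1"
  count_argv --scan "$(resolve_scan_path "$WORKSPACE" '.')" "$extra"
}

# Fixed: split the string on whitespace before calling the CLI. Globbing is
# disabled during the split so a pattern such as **/examples/* is not expanded
# against the container filesystem. Quote characters inside the YAML string are
# still passed literally; do not eval the string to handle them, since that
# would execute arbitrary shell taken from a workflow input.
argv_count_split() {
  local extra="$1"
  set -f
  # shellcheck disable=SC2086  # word splitting is intentional here
  set -- $extra
  set +f
  count_argv --scan "$(resolve_scan_path "$WORKSPACE" '.')" "$@"
}

# Demonstration with the `others` value from the post above.
argv_count_unsplit '--disableYarnAudit  --failOnCVSS 7'   # 3 entries
argv_count_split   '--disableYarnAudit  --failOnCVSS 7'   # 5 entries
```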
