dependency-check / dependency-check_action
This project forked from santandersecurityresearch/dependencycheck_action
Github action to run dependency check
License: MIT License
It would be great to parse the output and pipe it directly in a PR comment (similar to how Semgrep does it). Most devs are unlikely to care to go look into an output file (unless they absolutely have to), so it's just more friction.
Hey,
I am unsuccessfully trying to exclude a directory from the analysis the following way:
```yaml
- name: Run owasp dependency check
  uses: dependency-check/Dependency-Check_Action@main
  with:
    project: 's3-metadata-tagger'
    path: '.'
    format: 'HTML'
    args: >
      --failOnCVSS 6
      --exclude '**/examples/*'
```
Do you know what the correct syntax for excluding a directory is?
The directory layout of the project is such that the top level directory contains src/ and examples/, with examples further containing a directory in which a package-lock.json lies.
You can take a look at the layout here
Hi,
I am trying to execute Action and it is showing me the error
```text
Error: Failed to request component-reports
Error: Failed to request component-reports
```
Searching for this error a bit suggests that it might be due to Sonatype Index searching, so I put the --disableOssIndex argument in args for my GitHub Action. But it does not seem to solve my problem. Adding this argument locally does solve the error, but not in the Action. Can you tell me the correct syntax to add this argument in my action, or is there something else I need to do?
I am having trouble getting the report published when the --failOnCVSS arg is set. The report doesn't seem to get generated.
Here is my workflow:
```yaml
on:
  pull_request:
    branches:
      - main
jobs:
  depchecktest:
    runs-on: ubuntu-latest
    name: Dependency Check
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up Node 16
        uses: actions/setup-node@v2
        with:
          node-version: 16
      - name: Install
        run: npm ci
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'My project'
          path: '.'
          format: 'HTML'
          out: 'reports' # this is the default, no need to specify unless you wish to override it
          args: >
            --enableRetired
      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
          name: DependencyCheck Report
          path: ${{github.workspace}}/reports
```
Here is the outcome:
Scenario:
Invoked as a GitHub Action, running on self-hosted runners. Runners are using runner.runner for their UID/GID.
Running with:
```yaml
depcheck:
  runs-on: self-hosted
  name: OWASP DepCheck
  steps:
    - name: Depcheck
      uses: dependency-check/Dependency-Check_Action@main
      with:
        project: ${{ github.event.repository.name }}
        path: '.'
        format: 'HTML'
        args: >
          --failOnCVSS 7
          --enableRetired
    - name: Upload OWASP Test results
      uses: actions/upload-artifact@master
      with:
        name: Depcheck report
        path: ${{github.workspace}}/reports
```
This leaves behind artifacts (in the workspace's reports folder) as root.root, and subsequent steps or jobs run on the same machine will fail.
For example, running this (after a scan)
```yaml
steps:
  - name: Checkout Reset for next validations
    uses: actions/checkout@v2
```
will have this error (with GitHub Actions debugging enabled):
```text
Cleaning the repository
/usr/bin/git clean -ffdx
warning: failed to remove reports/dependency-check-report.html: Permission denied
Removing node_modules/
##[debug]The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '/runner/_work/test-demo/test-demo'.
::endgroup::
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/runner/_work/test-demo/test-demo'
##[debug]Unsetting HOME override
::remove-matcher owner=checkout-git::
##[debug]Removed matchers: 'checkout-git'
Error: Command failed: rm -rf /runner/_work/test-demo/test-demo/reports
rm: cannot remove '/runner/_work/test-demo/test-demo/reports/dependency-check-report.html': Permission denied
```
That location on the runners now has:
```text
drwxr-xr-x 4 runner runner 34 Jun 29 00:23 .
drwxr-xr-x 3 runner runner 26 Jun  5 14:10 ..
drwxr-xr-x 2 root   root   42 Jun 29 00:14 reports
```
I would guess it might be because of this: https://github.com/dependency-check/Dependency-Check_Action/blob/main/Dockerfile#L11 (sets USER root).
Since packages are not being installed anymore (cd2308e), is the root user still needed?
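A check and a workaround for the root-owned leftovers described in this report, as an added example that is not part of the action or the reporter's setup. It assumes the runner user can talk to the Docker daemon (no sudo needed), and `alpine:3` is only a small image that ships chown.

```shell
# Added example for self-hosted runners: detect files a container action left
# behind as root and hand them back to the runner user without sudo, by running
# chown inside a throwaway root container that bind-mounts the directory.
# Assumption: the runner user may use docker; alpine:3 is just a small image.

# Print entries under $1 not owned by the current uid, one per line.
foreign_owned() {
  find "$1" ! -uid "$(id -u)" -print 2>/dev/null
}

# Succeed (exit 0) only when everything under $1 is owned by the current uid,
# i.e. a following `git clean -ffdx` will not hit "Permission denied".
workspace_clean() {
  [ -z "$(foreign_owned "$1")" ]
}

# Reclaim ownership of $1 (e.g. the workspace's reports folder) for the runner
# user; the container runs as root, so chown succeeds regardless of who owns
# the files, while the bind mount limits the change to that one directory.
reclaim_ownership() {
  dir="$(cd "$1" && pwd)" || return 1
  docker run --rm -v "$dir:/work" alpine:3 chown -R "$(id -u):$(id -g)" /work
}

# Intended use as a final workflow step that runs even when the scan failed:
#   - name: Reclaim report ownership
#     if: always()
#     run: workspace_clean reports || reclaim_ownership reports
```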
Hi,
Sorry if this is the wrong place to ask this question. Would it be possible to push a new version of owasp/dependency-check-action on Docker Hub that uses dependency-check v9.0.0? We're using your docker image to speed up our CI builds, and they are currently failing because we're using the latest version of the dependency-check maven plugin against an older format of the database.
Thanks.
Hey, I would need to be able to override the output path for the reports, could we modify the action to do it? I was thinking of adding a variable with a default value:
```yaml
inputs:
  out:
    required: true
    default: 'reports'
```
and then updating this line to use it: `'/github/workspace/${{ inputs.out }}'`
Another improvement could be to use the `github.workspace` variable in place of `/github/workspace` (did not know it was a mounted volume, my bad, I updated the code above :S).
Cannot specify multiple output formats in the `format` parameter.
An alternative is to specify `-f <format>` multiple times in `args`, but this creates a weird redundant structure where formats are being specified in two separate arguments:
```yaml
with:
  format: JSON
  args: >
    -f HTML
```
At this point I'd suggest just getting rid of the `format` argument altogether and letting people specify it in `args` directly.
For that matter, why not just have an `args` argument and get rid of the rest? It's just a wrapper to the CLI that people can then call directly?
Any chance we can get this to support Windows GitHub Actions runners? Since you're using a docker container action, I'm pretty sure it will only work on Linux (see https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action). The Azure Pipelines equivalent interacts with the dependency-check tool directly within the agent itself (downloading it, ensuring Java is present and setup well, etc.), which allows it to be used on both Windows and Linux.
If I'm mistaken and this should work, just let me know and I'll give it a shot. Otherwise, if I'm correct, you might want to update the readme.md to list this as a limitation.
Hi,
I am scanning a Podfile (Swift project) and this is my action:
```yaml
name: Dependency Checker
on: [push]
jobs:
  depchecktest:
    runs-on: ubuntu-latest
    name: depecheck_test
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: List files in the workspace
        run: |
          ls ${{ github.workspace }}
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'test'
          path: '.'
          format: 'HTML'
          args: >
            --enableExperimental
            --scan Podfile.lock
            --failOnCVSS 5
      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports
```
If I run this the first time, the HTML report is generated and added to the GitHub Action run. But if I run it a second time, the "Depcheck" stage is getting an error, even though the output looks exactly like the first run of this step. Afterwards the test results are not uploaded. Any idea what the problem might be?
At the moment I believe the scan simply outputs a file, but in line with #3, it would be cool to be able to stipulate that only findings of a given severity or higher (e.g. Medium) are alerted, at least in a PR comment (the full report can still be included as a file if one is interested in all findings). Similarly, another variable to control whether or not the current scan should block the CI from a given severity (e.g. High).
Given the current issue in the upstream from here: jeremylong/DependencyCheck#6029, the action forced the `--noUpdate` flag here:
Dependency-Check_Action/action.yml, line 33 in 3102a65 (`--purge`).
I am having trouble using the workflow to scan a repo with locally referenced modules. When the workflow runs, I am getting a few warnings about skipping the locally referenced modules in my package.json, and then the process fails with the following errors:
```text
Error: NodeAuditAnalyzer failed on /github/workspace/package-lock.json
Error: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
Error: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
```
Here is how the local references look in the package.json:
```json
"dependencies": {
  "@some-project/module1": "file:dist/libs/module1",
  "@some-project/module2": "file:dist/libs/module2",
  ....
}
```
```yaml
owasp_dependency_check:
  needs: compile
  runs-on: ubuntu-latest
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Setup Java
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: 21
    - name: Restore Gradle Cache
      uses: actions/cache/restore@v4
      with:
        path: |
          ~/.gradle/caches
          ~/.gradle/wrapper
        key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}-${{ github.run_id }}-${{ github.run_number }}
    - name: OWASP dependency check
      id: owasp-dependency-check
      uses: dependency-check/Dependency-Check_Action@main
      env:
        # actions/setup-java changes JAVA_HOME, so it needs to be reset to match the depcheck image
        JAVA_HOME: /opt/jdk
      with:
        project: my-project-name
        format: HTML
        args: |
          --failOnCVSS 8
          --suppression config/owasp-dependency-check-suppression.xml
      timeout-minutes: 10
    - name: Archive OWASP Dependency Check Report
      if: ${{ !cancelled() }}
      uses: actions/upload-artifact@v4
      with:
        name: owasp-dependency-check-reports
        path: reports/dependency-check-report.html
```
The report is empty. The only dependency it scans is /github/workspace/gradle/wrapper/gradle-wrapper.jar. Does it have to happen in the same job as my gradle compile step? I like breaking out separate jobs so that they can be run in parallel.
Error message received:
```text
Error: JAVA_HOME is not defined correctly.
We cannot execute /opt/hostedtoolcache/Java_Adopt_jdk/8.0.292-1/x64/bin/java
```
GitHub action used:
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots verify
      - name: Dependency Check
        uses: dependency-check/[email protected]
        id: dependency-check
        with:
          project: 'test'
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired
```
I'm having trouble getting the argument --failOnCVSS to work, but it doesn't seem to be passed through. I have tried to copy the setup in the README.md in this repo, but no luck.
```yaml
runs-on: ubuntu-latest
steps:
  - name: Checkout
    uses: actions/[email protected]
    # https://github.com/actions/checkout/releases
    with:
      fetch-depth: 0 # Fetch all branches and tags to determine semantic version
  - name: Setup .NET
    uses: actions/[email protected]
    # https://github.com/actions/setup-dotnet/releases
    with:
      dotnet-version: 6.0.x
      include-prerelease: true
  - name: Build with dotnet
    run: dotnet build --configuration Release
  - name: Dependency Check
    uses: dependency-check/[email protected]
    id: deptcheck
    with:
      project: "Some"
      path: "."
      format: "HTML"
      args: --failOnCVSS 3
  - name: Upload Test results
    uses: actions/upload-artifact@master
    with:
      name: Depcheck report
      path: ${{github.workspace}}/reports
```
My "Run dependency check actions" step works and produces dependency issues, but my "Post Run dependency check action" step fails. It currently fails because it cannot find the action.yml file within the file location I specified. If I run an "ls" command before running the dependency scan I have a file there, but if I put the ls command after the scan it fails. Where in this action is the "Post Run dependency check action" initiated, and how can I either fix this or remove it?
Looking at the `scan` parameter:
Dependency-Check_Action/action.yml, lines 27 to 28 in 1b5d19f
If a `.` is provided here (as is the default), won't it just scan the home directory inside the container? GitHub's working directory is mounted at `/github/workspace` (as indicated by the `out` parameter in Dependency-Check_Action/action.yml, lines 31 to 32 in 1b5d19f). So doesn't `/github/workspace` need to be prefixed to `inputs.path` (if it's a relative path), to scan in GitHub's actual workspace?
Additionally, what do you do if someone provides absolute paths (in this case and in the case of `out`)?
I can do a PR if needed.
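The prefixing and absolute-path questions raised above, worked through as an added example that is not the action's own entrypoint: a relative `path` or `out` is resolved against the mounted workspace, and any value (absolute or `..`-laden) that lands outside the workspace is refused, so a workflow input cannot point the scanner or the report writer at arbitrary locations inside the container. It assumes the workspace mount point `/github/workspace` from the action.yml quoted above (overridable via `WORKSPACE`), and resolves paths lexically, without following symlinks.

```shell
# Added example (not the action's entrypoint): map the `path` / `out` inputs
# onto the workspace mount and reject anything that escapes it.
# Assumed mount point, as in the action.yml referenced above; overridable for tests.
WORKSPACE="${WORKSPACE:-/github/workspace}"

# Lexically normalise an absolute path: drop "." and empty segments, let ".."
# pop the previous segment (never above "/"). No filesystem access, so
# symlinks are not resolved; a realpath-based check would be needed for those.
normalise_path() {
  input="$1"; out=""
  old_ifs="$IFS"; IFS='/'
  for part in $input; do
    case "$part" in
      ''|'.') ;;
      '..') out="${out%/*}" ;;
      *) out="$out/$part" ;;
    esac
  done
  IFS="$old_ifs"
  printf '%s\n' "${out:-/}"
}

# Print the absolute in-workspace path for an input value. A relative value is
# taken relative to the workspace; an absolute value is accepted only if it is
# already inside the workspace. Anything else fails with exit status 1.
resolve_in_workspace() {
  case "$1" in
    /*) abs="$(normalise_path "$1")" ;;
    *)  abs="$(normalise_path "$WORKSPACE/$1")" ;;
  esac
  case "$abs" in
    "$WORKSPACE"|"$WORKSPACE"/*) printf '%s\n' "$abs" ;;
    *) printf 'refusing path outside workspace: %s\n' "$1" >&2; return 1 ;;
  esac
}
```

With this in place the scanner is invoked as `--scan "$(resolve_in_workspace "$INPUT_PATH")"` and the report directory likewise, so the default `.` resolves to `/github/workspace` rather than to the container's current directory.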
When attempting to have multiple arguments (in my case, `--disableYarnAudit --failOnCVSS 7`), they are submitted as one argument though.
Configured action:
```yaml
- name: dependency-check
  uses: dependency-check/Dependency-Check_Action@main
  id: dependency-check
  with:
    project: 'project'
    path: '.'
    format: 'HTML'
    others: '--disableYarnAudit --failOnCVSS 7'
```
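The "submitted as one argument" behaviour is the classic quoted-expansion mistake in a shell entrypoint. The following is an added example, not the action's own code, showing the buggy form beside the corrected one; `INPUT_ARGS` stands for the raw value of the `with:` key (GitHub exposes inputs as `INPUT_<NAME>` environment variables), `DC_BIN` is a placeholder for the scanner command, and `fake_cli` is a stand-in that only counts the arguments it receives.

```shell
# Added example, not the action's entrypoint. Placeholders: INPUT_ARGS is the raw
# input value, DC_BIN the scanner command; fake_cli counts arguments for testing.
DC_BIN="${DC_BIN:-dependency-check.sh}"
INPUT_ARGS="${INPUT_ARGS:-}"

fake_cli() { echo "$#"; }

# Buggy form: the quoted expansion is a single word, so the CLI receives
# "--disableYarnAudit --failOnCVSS 7" as one unrecognised option.
run_scan_wrong() {
  "$DC_BIN" --project "$1" "$INPUT_ARGS"
}

# Corrected form: word-split the input on IFS (spaces, and the newlines a `>`
# or `|` YAML block yields) into positional parameters. Globbing is switched
# off around the split so a value such as '**/examples/*' reaches the CLI as
# written instead of being expanded against the container filesystem.
# Limitation: quote characters inside the value are passed literally, so a
# single value containing spaces needs a different input mechanism.
run_scan() {
  project="$1"
  set -f
  # shellcheck disable=SC2086  # unquoted on purpose: splitting is the point
  set -- $INPUT_ARGS
  set +f
  "$DC_BIN" --project "$project" "$@"
}

# Helper that prints the split words one per line, for inspection in logs.
split_args() {
  set -f
  set -- $1
  set +f
  printf '%s\n' "$@"
}
```

With `fake_cli` as the scanner, the buggy form reports 3 arguments for `--disableYarnAudit --failOnCVSS 7` (`--project`, the name, and the whole string) while the corrected form reports 5.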