
How to use Dependency-Check in Azure pipeline

As you know, OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it generates a report linking to the associated CVE entries.
In this article, I want to show you how to apply Dependency-Check to a real project.

[image: dependency-check-pipeline]

First of all, you can refer to the Command Line Arguments documentation here.

Second, request an NVD API key here. Dependency-Check has to download the NVD vulnerability data during the build, and without an API key those downloads are throttled, so the scan takes much longer.

Now to the main part of the article. I will walk through two ways of passing the key to the task's additionalArguments: --nvdApiKey and --propertyfile.

With --nvdApiKey you pass the key as an ordinary pipeline variable. Define nvdApiKey as a secret variable (in the pipeline settings or a variable group) so that it is masked in the build log rather than echoed with the command line.

        - task: UseDotNet@2
          displayName: 'Install .NET Core SDK 6'
          inputs:
            packageType: 'sdk'
            version: '6.x'
            includePreviewVersions: true
            performMultiLevelLookup: true
        # OWASP Dependency-Check extension: scans the src folder and writes
        # HTML and JUnit reports. $(nvdApiKey) is a secret pipeline variable.
        - task: dependency-check-build-task@6
          displayName: 'Dependency Check'
          inputs:
            projectName: ''
            scanPath: 'src'
            format: 'HTML, JUNIT'
            # Fail the task when any finding has a CVSS score of 8 or higher.
            failOnCVSS: '8'
            additionalArguments: '--nvdApiKey $(nvdApiKey)'
        # The extension copies its reports into the dependency-check folder
        # under $(Common.TestResultsDirectory); publishing the JUnit file
        # shows each finding in the Tests tab of the run.
        - task: PublishTestResults@2
          displayName: Publish OWASP Dependency Check security scan results
          inputs:
            testResultsFormat: 'JUnit'
            testResultsFiles: 'dependency-check/*junit.xml'
            searchFolder: '$(Common.TestResultsDirectory)'
            #failTaskOnFailedTests: true
            #failTaskOnFailureToPublishResults: true
            #failTaskOnMissingResultsFile: true
            testRunTitle: 'Dependency Check'
            buildConfiguration: '$(BuildConfiguration)'

With --propertyfile the key never appears on the command line at all. Create a properties file containing the line nvd.api.key=<your key> (nvd.api.key is the property that --nvdApiKey sets) and upload it as a Secure file in the Pipelines Library. The pipeline then needs a DownloadSecureFile step before the scan; the agent stores the file at $(Agent.TempDirectory)/securefile_name, and that path is what you pass to --propertyfile.

        # Fetches the Secure file from the Library; it lands at
        # $(Agent.TempDirectory)/securefile_name and is deleted after the job.
        - task: DownloadSecureFile@1
          displayName: 'nvdApiKey Securefile'
          inputs:
            secureFile: 'securefile_name'
        - task: UseDotNet@2
          displayName: 'Install .NET Core SDK 6'
          inputs:
            packageType: 'sdk'
            version: '6.x'
            includePreviewVersions: true
            performMultiLevelLookup: true
        # Same scan as before, but the NVD key is read from the properties
        # file instead of being passed as a command-line value.
        - task: dependency-check-build-task@6
          displayName: 'Dependency Check'
          inputs:
            projectName: ''
            scanPath: 'src'
            format: 'HTML, JUNIT'
            failOnCVSS: '8'
            additionalArguments: '--propertyfile $(Agent.TempDirectory)/securefile_name'
        - task: PublishTestResults@2
          displayName: Publish OWASP Dependency Check security scan results
          inputs:
            testResultsFormat: 'JUnit'
            testResultsFiles: 'dependency-check/*junit.xml'
            searchFolder: '$(Common.TestResultsDirectory)'
            #failTaskOnFailedTests: true
            #failTaskOnFailureToPublishResults: true
            #failTaskOnMissingResultsFile: true
            testRunTitle: 'Dependency Check'
            buildConfiguration: '$(BuildConfiguration)'

Note: I am using the .NET Core SDK 6 because Dependency-Check does not support .NET 8 at the moment.
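The failOnCVSS input in both pipelines above makes the task fail as soon as any finding scores at or above the threshold. The script below is an added example, not code from this post or from the Dependency-Check project: it reproduces that gate in plain Python over the JSON report (add JSON to the task's format input alongside HTML and JUNIT to get one), so the threshold logic can be inspected and the worst findings listed first instead of a bare non-zero exit. The report embedded in the script is constructed for illustration; the file names and CVE-0000-* identifiers are placeholders, not real findings.

```python
"""Gate a build on an OWASP Dependency-Check JSON report.

Added example (not part of the original post or of Dependency-Check).
Mirrors the failOnCVSS behaviour: any vulnerability whose CVSS score is
greater than or equal to the threshold fails the gate.
"""
import json
import sys

# Constructed sample in the shape of a Dependency-Check JSON report:
# "dependencies" is a list, each entry may carry "vulnerabilities", and each
# vulnerability reports v3 as cvssv3.baseScore and v2 as cvssv2.score.
# Placeholder names and identifiers only; none of these are real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "Example.Lib.dll",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        {
            "fileName": "Another.Lib.dll",
            "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
            ],
        },
        {"fileName": "Clean.Lib.dll"},  # no vulnerabilities key at all
    ]
})


def score_of(vuln):
    """Highest CVSS score attached to one vulnerability entry.

    An entry may carry cvssv3, cvssv2, both, or neither; take the worst,
    and treat a finding with no score as 0.0 so it never trips the gate.
    """
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores) if scores else 0.0


def findings_at_or_above(report_json, threshold):
    """Return [(dependency, cve, score)] for findings that meet the threshold.

    Same rule as failOnCVSS: score >= threshold fails. Dependencies without
    a vulnerabilities list are skipped. Results are sorted worst first.
    """
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def gate(report_json, threshold):
    """Exit status for the pipeline step: 0 when clean, 1 when the gate trips."""
    hits = findings_at_or_above(report_json, threshold)
    for dep, cve, score in hits:
        print(f"FAIL {dep}: {cve} CVSS {score:.1f} >= {threshold}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py [dependency-check-report.json] [threshold]
    # With no arguments the constructed sample is checked against 8.0.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 8.0
    data = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(gate(data, threshold))
```

Run it as a script step after the Dependency-Check task, pointing it at the JSON report under $(Common.TestResultsDirectory)/dependency-check, and it will fail the job for the same findings that failOnCVSS: '8' would, while the log names each offending dependency and score.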