(DEPRECATED) OWASP cross-platform Dependency Checker

This plugin is deprecated because we stopped using self-hosted SonarQube instances. If you only need Azure DevOps integration with the DependencyCheck tool, use https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck instead. This plugin will be permanently deleted after 31-12-2022.

This extension uses the OWASP dependency-check CLI tool to scan your dependencies for known vulnerabilities and creates a report listing all findings. If you use SonarQube in your pipeline, it will also configure your SonarQube analysis to reuse the vulnerability report.

Features
Installation and Configuration
YAML pipelines

If you use YAML pipelines, add the following YAML to your pipeline file.

Multiple scan paths

If you want to scan multiple paths, this can be done as shown below.
SonarQube integration setup

If you want to use the reports in your SonarQube analysis, make sure you have the OWASP Dependency Check plugin for SonarQube installed in your SonarQube instance. To use the integration, include the task after the 'Prepare Analysis Configuration' task and before the 'Run Code Analysis' task.

How SonarQube integration works

The integration works by adding the dependency-check specific settings to your SonarQube analysis parameter environment variable. These extra parameters make sure that the analyser will find the reports.

Automatic cli tool installation

The OWASP dependency-check CLI tool is automatically downloaded, extracted and cached on your agents. Hosted agents are supported. A Java runtime is required.

Caching

If you combine dependency-check with the Cache task, you can avoid downloading the CVE index on every run:
On the second run dependency-check reuses the cached H2 database and only downloads the index again once the update interval has expired.

Debugging

The ODC log gives you the details of each step during the scan and also lists any issues encountered during the plugin scan. ODC logs are displayed when you pass the following additional argument.
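The SonarQube integration described above works by extending the analysis-parameter environment variable that 'Prepare Analysis Configuration' sets, which is why the task must run after that step. The following is an added illustration of that mechanism, not the extension's own code; it assumes the variable is named SONARQUBE_SCANNER_PARAMS (a JSON object of analysis properties) and that the SonarQube plugin reads the report locations from sonar.dependencyCheck.jsonReportPath and sonar.dependencyCheck.htmlReportPath.

```python
import json
import os
from typing import Dict, Optional

# Assumed names (see lead-in): the Azure DevOps SonarQube tasks exchange analysis
# properties through this variable as a JSON object, and the dependency-check
# SonarQube plugin reads its report paths from these two properties.
ENV_VAR = "SONARQUBE_SCANNER_PARAMS"
REPORT_PROPERTIES = {
    "sonar.dependencyCheck.jsonReportPath": "dependency-check-report.json",
    "sonar.dependencyCheck.htmlReportPath": "dependency-check-report.html",
}


def merge_report_params(existing: Optional[str], report_dir: str) -> Dict[str, str]:
    """Return the analysis properties the scanner should see after this task.

    `existing` is the current value of the variable (None or empty when the
    prepare step has not run yet); `report_dir` is where the CLI wrote reports.
    """
    if not existing or not existing.strip():
        # The prepare step has not populated the variable, so anything we add
        # here would never reach the scanner: fail loudly instead of silently.
        raise RuntimeError(
            f"{ENV_VAR} is not set; run this task after 'Prepare Analysis Configuration'"
        )
    params = json.loads(existing)
    for key, filename in REPORT_PROPERTIES.items():
        # Keep any report path the user already configured; only fill gaps.
        params.setdefault(key, os.path.join(report_dir, filename))
    return params


def apply_to_environment(report_dir: str, env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Write the merged properties back into `env` (defaults to os.environ)."""
    env = os.environ if env is None else env
    env[ENV_VAR] = json.dumps(merge_report_params(env.get(ENV_VAR), report_dir))
    return env
```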
Acknowledgements

Thanks to Jeremy Long for his great work on the CLI tool.