(DEPRECATED) OWASP Dependency Check (x-plat)

Info Support

(DEPRECATED) Checks your dependencies for known vulnerabilities. Works cross-platform. Integrates well with SonarQube. Works both in Azure DevOps (online) and Azure DevOps Server (on-premises).
This extension is now unpublished from Marketplace. You can choose to uninstall it.

(DEPRECATED) OWASP cross-platform Dependency Checker

This plugin is deprecated because we have stopped using self-hosted SonarQube instances. If you only need Azure DevOps integration with the Dependency-Check tool, use https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck instead.

This plugin will be permanently deleted after 31-12-2022.

This extension uses the OWASP Dependency-Check CLI tool to scan your dependencies for known vulnerabilities and creates a report listing all findings. If you use SonarQube in your pipeline, it also configures your SonarQube analysis to reuse the vulnerability report.

Features

  • Cross-platform: The task is written in TypeScript, so it runs on all platforms supported by Azure DevOps agents.
  • Cloud and Server: Can be installed in Azure DevOps (cloud) and Azure DevOps Server, because the CLI tool is installed just-in-time on the agent.
  • Tool installer: The task installs the OWASP Dependency-Check CLI on first run and caches it on the build agent.
  • SonarQube integration: If SonarQube analysis is enabled in your build pipeline, the task automatically configures SonarQube to pick up the Dependency-Check reports. The Dependency-Check plugin for SonarQube must be installed in your SonarQube instance for the integration to work.

Installation and Configuration

  • Install the extension in your organisation. Both online and on-premises Azure DevOps are supported.
  • Edit your pipeline and add the task. Both Linux and Windows agents are supported. A Java runtime is required.
  • Configure the scanDirectory parameter to point to the directory containing your dependencies.

YAML pipelines

If you use YAML pipelines, add the following YAML to your pipeline file.

  - task: OWASPDependencyCheck@0
    inputs:
      outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
      scanDirectory: '$(Build.SourcesDirectory)'
      outputFormat: 'ALL'
      useSonarQubeIntegration: true
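
With outputFormat set to 'ALL' (or 'JSON'), the task leaves a machine-readable report in outputDirectory, which lets you gate the build on what was found rather than only publishing the HTML. The following TypeScript is an added example and is not part of this extension or of Dependency-Check itself; it mirrors what the CLI's --failOnCVSS option does by reading the JSON report. The report fields it relies on (dependencies[].vulnerabilities[] with severity, cvssv3.baseScore and cvssv2.score) follow the Dependency-Check JSON report as the author of this example understands it, so check them against your CLI version; the sample report, its file names and its CVE-0000-EXAMPLE-n identifiers are constructed placeholders.

```typescript
// Added example, not code from the extension: gate a pipeline on the JSON
// report written by the dependency-check CLI. Field names are an assumption
// about the report schema; the sample report below is constructed.
import * as fs from "fs";

export interface Vulnerability {
  name: string;
  severity: string;
  cvssv3?: { baseScore: number };
  cvssv2?: { score: number };
}
export interface Dependency { fileName: string; vulnerabilities?: Vulnerability[]; }
export interface Report { dependencies: Dependency[]; }
export interface Finding { dependency: string; id: string; severity: string; score: number; }

// Prefer the CVSS v3 base score, fall back to v2, and keep unscored entries
// at 0 so they are still listed rather than silently dropped.
export function cvssScore(v: Vulnerability): number {
  if (v.cvssv3 && typeof v.cvssv3.baseScore === "number") return v.cvssv3.baseScore;
  if (v.cvssv2 && typeof v.cvssv2.score === "number") return v.cvssv2.score;
  return 0;
}

// Flatten the report into one row per (dependency, vulnerability), highest score first.
export function collectFindings(report: Report): Finding[] {
  const findings: Finding[] = [];
  for (const dep of report.dependencies || []) {
    for (const v of dep.vulnerabilities || []) {
      findings.push({ dependency: dep.fileName, id: v.name, severity: v.severity, score: cvssScore(v) });
    }
  }
  return findings.sort((a, b) => b.score - a.score);
}

export function countBySeverity(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Same rule as --failOnCVSS: any finding at or above the threshold fails the build.
export function shouldFailBuild(findings: Finding[], failOnCvss: number): boolean {
  return findings.some((f) => f.score >= failOnCvss);
}

export function loadReport(reportPath: string): Report {
  return JSON.parse(fs.readFileSync(reportPath, "utf8")) as Report;
}

// Constructed sample in the report's shape; the identifiers are placeholders, not real CVEs.
export const sampleReport: Report = {
  dependencies: [
    {
      fileName: "example-parser-1.0.jar",
      vulnerabilities: [
        { name: "CVE-0000-EXAMPLE-1", severity: "CRITICAL", cvssv3: { baseScore: 9.8 } },
        { name: "CVE-0000-EXAMPLE-2", severity: "MEDIUM", cvssv2: { score: 5.0 } },
      ],
    },
    { fileName: "example-util-2.3.jar" }, // clean dependency: no vulnerabilities key at all
    {
      fileName: "example-legacy-0.9.jar",
      vulnerabilities: [{ name: "CVE-0000-EXAMPLE-3", severity: "LOW" }], // unscored entry
    },
  ],
};

// Returns the exit code a pipeline step would use: 1 to fail the job, 0 to pass.
// Pass e.g. "$(Agent.TempDirectory)/dependency-scan-results/dependency-check-report.json".
export function runGate(reportPath?: string, failOnCvss: number = 7.0): number {
  const report = reportPath ? loadReport(reportPath) : sampleReport;
  const findings = collectFindings(report);
  for (const f of findings) {
    console.log(`${f.score.toFixed(1)} ${f.severity.padEnd(8)} ${f.id} in ${f.dependency}`);
  }
  console.log("by severity:", JSON.stringify(countBySeverity(findings)));
  return shouldFailBuild(findings, failOnCvss) ? 1 : 0;
}

runGate();
```

In a pipeline you would run this as a script step after the task, pass the real report path to runGate, and `exit` with its return value; the threshold is the one decision a team has to make deliberately, since a low threshold fails builds on unscored or informational entries.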

Multiple scan paths

If you want to scan multiple paths, this can be done as below.

- task: InfoSupport.infosupport-owasp-dependecy-checker.owasp-dependency-check.OWASPDependencyCheck@0
  displayName: 'Execute OWASP Dependency Check'
  inputs:
    scanDirectory: '"$(Build.SourcesDirectory)/ABCSolution/XYZServices"'
    additionalArguments: '--scan "$(Build.SourcesDirectory)/ABCSolution/XYZAPI" --scan "$(Build.SourcesDirectory)/ABCSolution/XYZAPI"'

SonarQube integration setup

If you want to use the reports in your SonarQube analysis, make sure you have the OWASP Dependency Check plugin for SonarQube installed in your SonarQube instance.

To use the integration make sure to include the task after the 'Prepare Analysis Configuration' task and before the 'Run Code Analysis' task.

How SonarQube integration works

The integration works by adding the Dependency-Check-specific settings to the environment variable that holds your SonarQube analysis parameters. These extra parameters ensure that the analyser finds the reports.
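
The following TypeScript is an added illustration of that mechanism; it is not the extension's source. It assumes that the SonarQube 'Prepare Analysis Configuration' task publishes its settings as a JSON object in the SONARQUBE_SCANNER_PARAMS environment variable, and that the Dependency-Check SonarQube plugin reads the properties sonar.dependencyCheck.jsonReportPath and sonar.dependencyCheck.htmlReportPath; both the variable name and the property names are assumptions to verify against the versions you run. The environment value used in the demonstration is constructed.

```typescript
// Added illustration, not the extension's own code. Assumed: the SonarQube
// "Prepare Analysis Configuration" task stores a JSON object in
// SONARQUBE_SCANNER_PARAMS, and the Dependency-Check SonarQube plugin reads the
// sonar.dependencyCheck.* report path properties used below.

export type SonarParams = { [property: string]: string };

// Default report file names the dependency-check CLI writes into outputDirectory.
const JSON_REPORT = "dependency-check-report.json";
const HTML_REPORT = "dependency-check-report.html";

// Returns the updated JSON for SONARQUBE_SCANNER_PARAMS, or undefined when the
// variable is absent (SonarQube analysis is not enabled, so there is nothing to configure).
export function addDependencyCheckParams(
  existingJson: string | undefined,
  outputDirectory: string
): string | undefined {
  if (existingJson === undefined || existingJson.trim() === "") {
    return undefined;
  }
  let params: SonarParams;
  try {
    params = JSON.parse(existingJson) as SonarParams;
  } catch (err) {
    // The variable exists but is not JSON: the task ordering is probably wrong.
    throw new Error(
      "SONARQUBE_SCANNER_PARAMS is not valid JSON; run this step after 'Prepare Analysis Configuration'"
    );
  }
  // Normalise separators so the paths are identical on Linux and Windows agents.
  const dir = outputDirectory.replace(/\\/g, "/").replace(/\/+$/, "");
  return JSON.stringify({
    ...params,
    "sonar.dependencyCheck.jsonReportPath": `${dir}/${JSON_REPORT}`,
    "sonar.dependencyCheck.htmlReportPath": `${dir}/${HTML_REPORT}`,
  });
}

// Stand-alone demonstration against a constructed value of the variable.
export function demo(): SonarParams {
  const constructedEnv = JSON.stringify({
    "sonar.host.url": "https://sonar.example.invalid",
    "sonar.projectKey": "example-project",
  });
  const updated = addDependencyCheckParams(constructedEnv, "/tmp/dependency-scan-results/");
  return JSON.parse(updated as string) as SonarParams;
}

console.log(demo());
```

The only thing the task has to get right is merging rather than replacing: the existing properties (server URL, project key, token reference) must survive, which is why the function parses the JSON, spreads it, and writes the full object back. In a real task the result would be written back to the same variable with the Azure Pipelines logging command for setting variables.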

Automatic cli tool installation

The OWASP Dependency-Check CLI tool is automatically downloaded, extracted and cached on your agents. Hosted agents are supported. A Java runtime is required.

Caching

If you combine Dependency-Check with the Cache task, you can avoid downloading the CVE index on every run:

  - task: Cache@2
    inputs:
      key: 'dependency-check | "$(Agent.OS)" | **/pom.xml'
      restoreKeys: |
        dependency-check | "$(Agent.OS)"
        dependency-check
      path: '$(Pipeline.Workspace)/dependency-check-data'

  - task: OWASPDependencyCheck@0
    inputs:
      additionalArguments: '--data $(Pipeline.Workspace)/dependency-check-data'

On the second run, dependency-check reuses the cached H2 database and only downloads the index again if the update interval has expired.

Debugging

The Dependency-Check (ODC) log gives you the details of each step of the scan and lists any issues the analyzers ran into during the scan. The log is written when you pass the following additional argument.

  - task: OWASPDependencyCheck@0
    inputs:
      additionalArguments: '--log odc.log'

Acknowledgements

Thanks to Jeremy Long for his great work on the cli tool.
