Dependency CVE dashboard widget


Things U Need

Dependency CVE check dashboard widget that displays CVEs in dependencies as reported by the OWASP Dependency Check for the last and previous build (optionally filtered by branch, tags and/or results)

Dependency CVE check dashboard widget

The Dependency CVE check dashboard widget shows, on an Azure DevOps dashboard, the number of dependencies in your projects with known common vulnerabilities and exposures (CVEs). It shows this result for the latest build, together with the changes since the previous build, according to the filter criteria set. The builds must run the OWASP dependency check and save its result as a JSON file in a build attachment for extensions; note that this is different from the build artifacts.

Important: You need to run the OWASP dependency check during your build (there's another extension for that here) and generate at least a result in JSON format, which you then upload as an attachment to the build (not just as an artifact; see below for how to do that). You will probably also want an HTML result in the build artifacts to see exactly what changed when a dependency with CVEs was added or removed, but this is not needed for the dashboard widget to work.

The meaning of the background color of the widget for a build is as follows:

  • Green: No dependencies with CVEs
  • Blue: Dependencies with CVEs have been removed (at least one less and no new dependencies with CVEs since last build)
  • Yellow: Dependencies with CVEs remain (but no new ones since last build and no dependencies with CVEs have been removed)
  • Red: New dependencies with CVEs (even if some or all previous dependencies with CVEs were removed)

The pictured example status of the widget will tell you that:

  • There are 7 dependencies with CVEs in the latest build with build number 20230601.17
  • There were 8 dependencies with CVEs in the previous build with build number 20230601.16 (which is why its background is yellow)
  • There is now one additional dependency with CVEs in the latest build that was not present in the previous build (which is why it displays +1 in brackets and why the background for the latest build is red)
  • There have been two dependencies with CVEs removed in the latest build compared to the previous build (which is why it displays -2 in brackets)
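
The status rules above, applied to two OWASP dependency check JSON reports and reproducing the pictured 7 / +1 / -2 case. This is an added example, not the extension's own code: it assumes a dependency is identified by its fileName field, and the sample reports, file names and CVE id are constructed placeholders.

```javascript
// Added example, not the extension's code. Assumption: a dependency is
// identified by the "fileName" field of the dependency-check JSON report.
function vulnerableDependencies(report) {
  if (!report || !Array.isArray(report.dependencies)) {
    // Failed or canceled builds may have attached nothing usable.
    throw new Error("report has no 'dependencies' array");
  }
  const names = new Set();
  for (const dep of report.dependencies) {
    if (Array.isArray(dep.vulnerabilities) && dep.vulnerabilities.length > 0) {
      names.add(dep.fileName);
    }
  }
  return names;
}

function compareBuilds(latestReport, previousReport) {
  const latest = vulnerableDependencies(latestReport);
  const previous = vulnerableDependencies(previousReport);
  const added = [...latest].filter((n) => !previous.has(n));
  const removed = [...previous].filter((n) => !latest.has(n));
  let color = "yellow";                      // same vulnerable set as before
  if (latest.size === 0) color = "green";    // nothing with CVEs
  else if (added.length > 0) color = "red";  // new ones win over removals
  else if (removed.length > 0) color = "blue";
  return { count: latest.size, added, removed, color };
}

// Constructed sample data: file names and the CVE id are placeholders.
function makeReport(vulnerable, clean = []) {
  const vuln = [{ name: "CVE-0000-0000", severity: "HIGH" }];
  return {
    dependencies: [
      ...vulnerable.map((fileName) => ({ fileName, vulnerabilities: vuln })),
      ...clean.map((fileName) => ({ fileName })), // no "vulnerabilities" key
    ],
  };
}
const lib = (n) => `lib${n}.jar`;
const previousReport = makeReport([1, 2, 3, 4, 5, 6, 7, 8].map(lib), [lib(10)]);
const latestReport = makeReport([1, 2, 3, 4, 5, 6, 9].map(lib), [lib(10)]);

const r = compareBuilds(latestReport, previousReport);
console.log(`${r.count} (+${r.added.length}) (-${r.removed.length}) ${r.color}`);
```

A report without a dependencies array is rejected rather than counted as zero findings, so an empty attachment from a failed build cannot show up as green.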

The pipeline name filter is mandatory; all other filter criteria are optional.
In addition to the pipeline name, you can filter builds by branch, tags and build result. By default all build results are used, but you should probably restrict this to "Succeeded" or "Partially succeeded" build results only, as failed and canceled builds may not contain any data at all, and the dashboard widget will then fail to display any data.
To filter for multiple tags (all listed tags must then be present in a build for it to be found), enter them separated by a colon.
If you want to filter for a git tag instead of a branch, begin the branch name with "refs/tags/...". If the branch name does not start with "refs/", the widget automatically adds "refs/heads/" before it when filtering and therefore filters for branches.

The attachment type and attachment name settings are also mandatory (but they are not filters) and should contain the attachment type and attachment name used to save the OWASP dependency check result JSON data as an attachment to the build.
For example: If you're using the OWASP dependency check with the default report directory and default report name, the JSON result file will be located at

"$(Common.TestResultsDirectory)/dependency-check/dependency-check-report.json"

You will then need to upload this file as an attachment to the build in an extra build step after the OWASP dependency check by printing the following Azure Pipelines logging command to the console:

##vso[task.addattachment type=<AttachmentType>;name=<AttachmentName>]<PathToJsonResultFile>

Here <AttachmentType> and <AttachmentName> must be replaced with the values you use for attachment type and attachment name in the configuration of the dashboard widget (so it can find the attachment), and <PathToJsonResultFile> must be replaced with the path to the JSON result file from the OWASP dependency check. Attachment type and attachment name are arbitrary values; they only need to be the same in the attachment upload command and in the dashboard widget configuration. For the default values, you could use the following PowerShell Core build step in a YAML pipeline to upload the file as an attachment, with "DependencyCheck" as the attachment type and "dependency-check-report.json" as the attachment name (PowerShell Core must be installed on the build agent for this example to work):

- pwsh: |
    # Saving of dependency check data file as attachment...
    Write-Host "##vso[task.addattachment type=DependencyCheck;name=dependency-check-report.json]$(Common.TestResultsDirectory)/dependency-check/dependency-check-report.json"
  displayName: Saving Dependency Check data file as attachment

If you click on the displayed number of dependencies with CVEs for the current or previous build in the dashboard widget, you will be redirected to the respective build.

If no previous build with dependency check data was found for the set filters, only the data for the current/latest dependency check build will be displayed.

Example configuration

This example configuration will display the number of dependencies with CVEs of the last and previous build according to the following filters (all filter criteria must be met):

  • Builds from the pipeline named "ProductOne" (the folder in which it is placed doesn't matter; there can only be one pipeline with the same name per project anyway)
  • Builds for the branch master
  • Builds with the tag "OWASP-DC"
  • Builds with results Succeeded or Partially succeeded (but no failed builds, canceled builds or builds without any result)

and it will search for the following build attachment, expecting the OWASP dependency check data saved in it:

  • Attachment of type "DependencyCheck"
  • Attachment of name "dependency-check-report.json"
