Dependency CVE check dashboard widget

The Dependency CVE check dashboard widget shows you the number of dependencies in your projects with known Common Vulnerabilities and Exposures (CVEs) on an Azure DevOps dashboard. It shows this result for the latest build and the change since the previous build, according to the filter criteria you set (the builds must run the OWASP dependency check and save its result in the form of a JSON file as a build attachment for extensions; note that this is different from the build artifacts).

Important: You need to run the OWASP dependency check (there is another extension for that) during your build and generate at least a result in JSON format, which you then upload as an attachment to the build (not just as an artifact; see below for how to do that). You probably also want a result in HTML format in the build artifacts so you can see exactly what changed when a dependency with CVEs was added or removed, but this is not needed for the dashboard widget to work.

The meaning of the background color of the widget for a build is as follows:
The pictured example status of the widget will tell you that:
The pipeline name filter is mandatory; all other filter criteria are optional. The attachment type and attachment name settings are also mandatory (but they are not filters) and must contain the attachment type and attachment name used to save the OWASP dependency check result JSON data as a build attachment.
You will then need to upload this file as an attachment to the build in an extra build step after the OWASP dependency check, by printing the following Azure Pipelines logging command to the console:
Here <AttachmentType> and <AttachmentName> must be replaced with the values you then use for attachment type and attachment name in the configuration of the dashboard widget (so it can find the attachment), and <PathToJsonResultFile> must be replaced with the path to the JSON result file produced by the OWASP dependency check. Attachment type and attachment name are arbitrary values and do not need to be anything specific; they just need to be identical between the attachment upload command and the dashboard widget configuration. So for the default values you could use the following PowerShell Core build step in a YAML pipeline to upload the file as an attachment, using "DependencyCheck" as the attachment type and "dependency-check-report.json" as the attachment name (PowerShell Core must be installed on the build agent for this example to work):
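As an added example that is not part of the extension's own documentation, the following YAML step shows the pattern described above with the default attachment type and name: a PowerShell Core step that runs after the OWASP dependency check, fails the step if the JSON report is missing, logs how many dependencies carry at least one vulnerability entry, and then attaches the report with the task.addattachment logging command. The report path (and the output directory it points into) is an assumption used as a placeholder; adjust it to wherever your dependency check step actually writes its JSON output. The count assumes the standard dependency check JSON layout, a top-level dependencies array whose entries may carry a vulnerabilities array.

```yaml
# Added example (not the extension's own documentation): attach the OWASP
# dependency check JSON report to the build so the dashboard widget can read it.
- task: PowerShell@2
  displayName: 'Attach dependency check JSON report'
  # Run even if the dependency check task failed the build on a CVSS threshold,
  # so the widget still sees data for the failed build.
  condition: succeededOrFailed()
  inputs:
    targetType: inline
    pwsh: true
    script: |
      # ASSUMPTION / placeholder: point this at the JSON report your
      # dependency check step writes.
      $report = "$(Common.TestResultsDirectory)/dependency-check/dependency-check-report.json"

      if (-not (Test-Path -Path $report)) {
        Write-Host "##vso[task.logissue type=error]Dependency check report not found at $report"
        exit 1
      }

      # Sanity check before attaching: count dependencies that have at least one
      # vulnerability entry (assumes the standard dependency check JSON schema).
      $json = Get-Content -Path $report -Raw | ConvertFrom-Json
      $vulnerable = @($json.dependencies | Where-Object {
        ($_.vulnerabilities | Measure-Object).Count -gt 0
      }).Count
      Write-Host "Dependencies with known CVEs in this build: $vulnerable"

      # The type and name here must match the widget's attachment type and
      # attachment name settings exactly (defaults shown).
      Write-Host "##vso[task.addattachment type=DependencyCheck;name=dependency-check-report.json]$report"
```

The condition: succeededOrFailed() line matters in practice: if the dependency check task is configured to fail the build when a vulnerability exceeds a CVSS threshold, the attachment step still runs, so the widget reflects that failing build instead of silently continuing to show the previous one.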
If you click on the displayed number of dependencies with CVEs for the current or previous build in the dashboard widget, you will be redirected to the respective build. If no previous build with dependency check data matching the set filters was found, only the data for the current (latest) dependency check build is displayed.

Example configuration

This example configuration will display the number of dependencies with CVEs of the latest and previous build according to the following filters (all filter criteria must be met):
and it will search for the following build attachment, expecting the OWASP dependency check data saved in it: