【发布时间】:2021-03-18 13:09:56
【问题描述】:
当我针对 java 项目在本地运行 mvn verify 时。 Owasp 返回相当多的已发现漏洞列表。但是,当我使用 owasp 插件在 azure devops 管道中进行相同的测试时,它返回 0 个漏洞。两个测试都扫描目录的顶层。
following Owasp 插件已在 azure devops 中启用
设置:
Azure 管道模板
# owasp-dependency-check.yml@templates
parameters:
- name: scanDir
default: $(System.DefaultWorkingDirectory)
type: string
steps:
- task: OWASPDependencyCheck@0
inputs:
outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
scanDirectory: ${{ parameters.scanDir }}
outputFormat: 'HTML'
useSonarQubeIntegration: True
- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Agent.TempDirectory)'
artifact: 'dependency-scan-results'
publishLocation: 'pipeline'
Azure 管道
# azure-pipeline.yml
resources:
repositories:
- repository: templates
type: git
name: sandbox-reusable-tasks
stages:
- stage: Scan
displayName: Scan
jobs:
- job: Owasp
steps:
- template: owasp-dependency-check.yml@templates
jar 分析器似乎没有运行。这是运行时的日志记录:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OWASPDependencyCheck
【问题讨论】:
-
在运行
OWASPDependencyCheck任务之前,您可以尝试添加maven task来构建您的项目吗? -
好主意。当我在同一个代理上构建时,它可以工作。在此之前,我一直在努力发布和下载工件。
标签: azure-devops dependencies azure-pipelines owasp azure-devops-extensions