如何解决azure-devops owasp 插件找不到依赖项
当我在本地运行 mvn verify 时,针对 Java 项目。 Owasp 返回了相当多的已发现漏洞列表。但是,当我在 azure devops 管道中使用 owasp 插件进行相同的测试时,它返回 0 个漏洞。两个测试都扫描目录的顶层。
following Owasp 插件在 azure devops 中启用
设置:
Azure 管道模板
# owasp-dependency-check.yml@templates
parameters:
- name: scanDir
default: $(System.DefaultWorkingDirectory)
type: string
steps:
- task: OwaspDependencyCheck@0
inputs:
outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
scanDirectory: ${{ parameters.scanDir }}
outputFormat: 'HTML'
useSonarQubeIntegration: True
- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Agent.TempDirectory)'
artifact: 'dependency-scan-results'
publishLocation: 'pipeline'
Azure 管道
# azure-pipeline.yml
resources:
repositories:
- repository: templates
type: git
name: sandBox-reusable-tasks
stages:
- stage: Scan
displayName: Scan
jobs:
- job: Owasp
steps:
- template: owasp-dependency-check.yml@templates
重点:
看起来 jar 分析器没有运行。这是运行时的日志记录:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OwaspDependencyCheck
解决方法
我已经安装了官方的 Owasp plugin。我正在使用带有声纳集成的分支。 除此之外,我在运行检查之前在同一个代理上构建了项目。这可确保要扫描的文件在代理上可用(在执行 artifactPublish 和 artifactDeploy 任务时遇到困难)。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。