azure-devops owasp plugin doesn't find dependencies
When I run mvn verify locally against a Java project, OWASP returns a fairly long list of discovered vulnerabilities. But when I run the same test in an Azure DevOps pipeline using the OWASP plugin, it returns 0 vulnerabilities. Both tests scan the top level of the directory.
The following OWASP plugin setup is enabled in Azure DevOps:
Azure pipeline template
# owasp-dependency-check.yml@templates
parameters:
  - name: scanDir
    default: $(System.DefaultWorkingDirectory)
    type: string
steps:
  - task: OWASPDependencyCheck@0
    inputs:
      outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
      scanDirectory: ${{ parameters.scanDir }}
      outputFormat: 'HTML'
      useSonarQubeIntegration: True
  - task: PublishPipelineArtifact@1
    inputs:
      targetPath: '$(Agent.TempDirectory)'
      artifact: 'dependency-scan-results'
      publishLocation: 'pipeline'
Azure pipeline
# azure-pipeline.yml
resources:
  repositories:
    - repository: templates
      type: git
      name: sandbox-reusable-tasks
stages:
  - stage: Scan
    displayName: Scan
    jobs:
      - job: Owasp
        steps:
          - template: owasp-dependency-check.yml@templates
Punchline:
The Jar Analyzer doesn't seem to run. Here is the log of the run:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OWASPDependencyCheck
I installed the official OWASP plugin. I am using the branch with SonarQube integration.
In addition, I also build the project on the same agent before running the check. This ensures the files to be scanned are available on the agent (I had difficulties getting the artifactPublish and artifactDeploy tasks to work).
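One thing worth ruling out before digging into the task configuration is whether the scan directory contains any .jar files at all: the Azure task scans files that exist on disk, whereas the Maven plugin works from the project's resolved dependency tree, which on a build agent usually sits in the local Maven repository rather than under the source tree. The pre-scan check below is an added example, not part of the original question and not code from the OWASP task or plugin. The function names, the temporary directory used in the usage note, and the `stage_maven_deps` helper (which wraps the standard Maven Dependency Plugin goal `dependency:copy-dependencies`) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper script): verify that a dependency-check
# scan directory actually holds jar files before the OWASPDependencyCheck task
# runs, so an empty scan is caught as a pipeline failure instead of a clean
# report with 0 vulnerabilities.

# Count .jar files below the given directory (recursively).
# Prints the number on stdout; prints 0 if the directory is missing.
count_jars() {
  find "$1" -type f -name '*.jar' 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when at least one jar is present under the directory, 1 otherwise,
# with a diagnostic line that is easy to spot in the pipeline log.
check_scan_dir() {
  dir="$1"
  n=$(count_jars "$dir")
  echo "dependency-check pre-scan: found $n jar file(s) under $dir"
  [ "$n" -gt 0 ]
}

# For a Maven project, copy the resolved dependencies into the scan directory
# so the Jar Analyzer has something to inspect. Assumes mvn is on PATH and is
# run from the project root (assumption; not part of the original setup).
stage_maven_deps() {
  mvn -q dependency:copy-dependencies -DoutputDirectory="$1"
}

# Usage from a pipeline script step (run before the OWASPDependencyCheck task):
#   stage_maven_deps "$(System.DefaultWorkingDirectory)/target/dependency"
#   check_scan_dir "$(System.DefaultWorkingDirectory)" || exit 1
```

Wiring `check_scan_dir` into a `script:` step ahead of `OWASPDependencyCheck@0` makes the pipeline fail loudly when nothing scannable is present, which is the safer failure mode for a security gate than a green run that inspected zero dependencies.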