chocolatey / Chocolatey.Cake.Recipe

A set of convention based Cake scripts for building Chocolatey projects
Apache License 2.0

(#110)(ENGTASKS-3098) Add optional Dependency-Check Step #111

Closed Windos closed 1 year ago

Windos commented 1 year ago

Description Of Changes

This PR adds a Dependency-Check step that, by default, runs under the same conditions as the SonarQube step that was added in #97.

The task should run before the Initialize-SonarQube task as that step needs to know about the reports generated by Dependency-Check.

Motivation and Context

Enables management of vulnerabilities in project dependencies, including consumption of reports via the SonarQube interface alongside direct code issues.

Testing

Testing is pending completion.

Operating Systems Testing

N/A

Change Types Made

Change Checklist

Related Issue

Windos commented 1 year ago

This has now been tested and is working well. The new Dependency-Check task has been slotted in just before the Finalise-SonarQube task.

The result is that the dependency-check data is available in SonarQube for the project that has been built; this takes the form of both an HTML report that can be viewed in its totality and data that is blended into the other code measures and issues.

Unfortunately, Cake.DependencyCheck and DependencyCheck.Runner.Tool are rather outdated at the moment. They're still useful wrappers, but the "bits" inside the Runner tool needed to be updated in order to get things working. Hence, you'll note that a newer version of Dependency-Check is downloaded as part of the task.
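An added illustration of the kind of task this PR describes (a Cake task that downloads a newer Dependency-Check than the wrapper packages ship, runs it, and exposes its report paths to the SonarQube scanner), written for this page and not taken from the recipe itself. It assumes a `shouldRunSonarQube` flag already computed by the build, the task names used in the PR, a project name and a pinned version/download URL you supply yourself, and that the `Initialize-SonarQube` step reads the `sonarDependencyCheckArgs` dictionary when it starts the scanner.

```csharp
// Added example (not the recipe's own code). Placeholders: dcVersion, dcZipUrl, projectName.
var dcVersion   = "<pinned-dependency-check-version>";
var dcZipUrl    = $"https://<release-host>/dependency-check-{dcVersion}-release.zip";
var projectName = "<project-name>";
var dcHome      = Directory("./tools/dependency-check");
var dcReports   = Directory("./artifacts/dependency-check");

// Report paths are fixed up front so they can be passed to the SonarQube scanner
// at "begin" time, before the scan that produces them has actually run.
var sonarDependencyCheckArgs = new Dictionary<string, string>
{
    ["sonar.dependencyCheck.htmlReportPath"] = MakeAbsolute(dcReports + File("dependency-check-report.html")).FullPath,
    ["sonar.dependencyCheck.jsonReportPath"] = MakeAbsolute(dcReports + File("dependency-check-report.json")).FullPath,
};

Task("Dependency-Check")
    .WithCriteria(() => shouldRunSonarQube, "SonarQube criteria not met")   // same gate as the SonarQube step
    .IsDependeeOf("Finalise-SonarQube")                                     // slot in just before SonarQube finalises
    .Does(() =>
{
    EnsureDirectoryExists(dcHome);
    EnsureDirectoryExists(dcReports);

    // Fetch the pinned release once; the wrapper packages' bundled "bits" are not used.
    var zip = dcHome + File($"dependency-check-{dcVersion}-release.zip");
    if (!FileExists(zip))
    {
        DownloadFile(dcZipUrl, zip);
        Unzip(zip, dcHome);
    }

    // Scan the repository and emit both report formats SonarQube's plugin consumes.
    var cli = dcHome + File("dependency-check/bin/dependency-check.bat");
    var exitCode = StartProcess(cli, new ProcessSettings
    {
        Arguments = new ProcessArgumentBuilder()
            .Append("--project").AppendQuoted(projectName)
            .Append("--scan").AppendQuoted(MakeAbsolute(Directory("./")).FullPath)
            .Append("--format").Append("HTML")
            .Append("--format").Append("JSON")
            .Append("--out").AppendQuoted(MakeAbsolute(dcReports).FullPath)
            .Append("--failOnCVSS").Append("7")   // fail the build on high-severity findings
    });

    if (exitCode != 0)
    {
        throw new CakeException($"Dependency-Check exited with code {exitCode}; see {dcReports}");
    }
});
```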

gep13 commented 1 year ago

This is very close to being ready to merge, just a couple of things that I would like to discuss with you. Hoping to jump on a call with you tomorrow to talk them through.

gep13 commented 1 year ago

@Windos thank you very much for getting this added!