Closed Windos closed 1 year ago
This has now been tested and is working well. The new Dependency-Check task has been slotted in just before the Finalise-SonarQube task.
The result is that the dependency-check data is available in SonarQube for the project that has been built; this takes the form of both an HTML report that can be viewed in its totality and also data that is blended into the other code measures and issues.
Unfortunately, Cake.DependencyCheck and DependencyCheck.Runner.Tool are rather outdated at the moment. They're still useful wrappers, but the "bits" inside the Runner tool needed to be updated in order to get things working. Hence, you'll note that a newer version of Dependency-Check is downloaded as part of the task.
This is very close to being ready to merge; there are just a couple of things that I would like to discuss with you. Hoping to jump on a call with you tomorrow to talk them through.
@Windos thank you very much for getting this added!
Description of Changes
This PR adds a Dependency-Check step that, by default, runs under the same conditions as the SonarQube step that was added in #97.
The task should run before the Initialize-SonarQube task, as that step needs to know about the reports generated by Dependency-Check.
Motivation and Context
Enables management of vulnerabilities in project dependencies, including consumption of reports via the SonarQube interface alongside direct code issues.
Testing
Testing is pending completion.
Operating Systems Testing
N/A
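The ordering the description relies on, shown as an added Cake script sketch rather than the project's own build.cake: Dependency-Check runs under the same switch as the SonarQube tasks, fails the build if no reports were produced, and Initialize-SonarQube is made dependent on it so the scanner is always pointed at fresh reports. The Cake.Sonar addin, a dependency-check CLI on PATH, and the sonar.dependencyCheck.* property names of the SonarQube plugin are assumptions here; task names other than Initialize-SonarQube are hypothetical.

```csharp
// Added illustration, not the project's build.cake. Assumes the Cake.Sonar
// addin (SonarBegin) and the dependency-check CLI available on PATH.
#addin nuget:?package=Cake.Sonar

var target   = Argument("target", "Default");
var runSonar = Argument("runSonar", false);   // one switch gates both tasks

var reportDir  = Directory("./artifacts/dependency-check");
var htmlReport = reportDir + File("dependency-check-report.html");
var jsonReport = reportDir + File("dependency-check-report.json");

Task("Dependency-Check")
    .WithCriteria(() => runSonar)             // same conditions as the SonarQube step
    .Does(() =>
{
    EnsureDirectoryExists(reportDir);
    // Run the CLI; a non-zero exit or a missing report stops the build so
    // Initialize-SonarQube never runs against stale or absent results.
    var exitCode = StartProcess("dependency-check", new ProcessSettings {
        Arguments = new ProcessArgumentBuilder()
            .Append("--project").AppendQuoted("MyProject")   // hypothetical project key
            .Append("--scan").AppendQuoted("./src")
            .Append("--format").Append("ALL")
            .Append("--out").AppendQuoted(MakeAbsolute(reportDir).FullPath)
    });
    if (exitCode != 0)
        throw new Exception($"dependency-check failed with exit code {exitCode}");
    if (!FileExists(htmlReport) || !FileExists(jsonReport))
        throw new Exception("dependency-check did not produce the expected reports");
});

Task("Initialize-SonarQube")
    .WithCriteria(() => runSonar)
    .IsDependentOn("Dependency-Check")        // reports must exist before the scanner starts
    .Does(() =>
{
    SonarBegin(new SonarBeginSettings {
        Key = "MyProject",                    // hypothetical
        Url = "http://localhost:9000",        // hypothetical server
        // Assumed property names read by the SonarQube dependency-check plugin.
        ArgumentCustomization = args => args
            .Append($"/d:sonar.dependencyCheck.htmlReportPath={MakeAbsolute(htmlReport).FullPath}")
            .Append($"/d:sonar.dependencyCheck.jsonReportPath={MakeAbsolute(jsonReport).FullPath}")
    });
});

Task("Default").IsDependentOn("Initialize-SonarQube");
RunTarget(target);
```

Invoking the script with `--runSonar=true` runs both tasks in order; without it both are skipped together, so the build never ends up with a SonarQube analysis that references reports which were never generated.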