dependency-check / Dependency-Check_Action

Github action to run dependency check
MIT License

What is required to get this to work? #30

Open efenderbosch-atg opened 5 months ago

efenderbosch-atg commented 5 months ago
```yaml
  owasp_dependency_check:
    needs: compile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      - name: Restore Gradle Cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}-${{ github.run_id }}-${{ github.run_number }}

      - name: OWASP dependency check
        id: owasp-dependency-check
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # actions/setup-java changes JAVA_HOME, so it needs to be reset to match the depcheck image
          JAVA_HOME: /opt/jdk
        with:
          project: my-project-name
          format: HTML
          args: |
            --failOnCVSS 8
            --suppression config/owasp-dependency-check-suppression.xml
        timeout-minutes: 10

      - name: Archive OWASP Dependency Check Report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: owasp-dependency-check-reports
          path: reports/dependency-check-report.html
```

The report is empty. The only dependency it scans is /github/workspace/gradle/wrapper/gradle-wrapper.jar. Does it have to happen in the same job as my gradle compile step? I like breaking out separate jobs so that they can be run in parallel.

finnlander commented 4 months ago

Hi,

I was experiencing similar behavior and got it solved by adding a step that handles downloading the dependencies that should be scanned, i.e., something like this:

```yaml
      - name: Preparation for OWASP Dependency check
        run: "./gradlew build -x test"
        working-directory: ${{ github.workspace }}
```

Perhaps it helps in your case as well 🙂.

If I recall correctly, the provided examples are with Maven, but they show there too that the action requires some pre-step that triggers downloading the dependencies before executing it.
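The thread above leaves the combined job implicit, so here is the original poster's job with the preparation step from the reply added before the scan, plus a guard that fails the job when the scanner saw nothing but the Gradle wrapper. This is an added example, not code from either commenter or from the Dependency-Check_Action project. It assumes a Gradle wrapper in the repository root, that a second `--format JSON` passed via `args` produces `reports/dependency-check-report.json` alongside the HTML report (the CLI accepts `--format` more than once; the `reports/` path follows the poster's HTML path), and that `jq` is available on the runner. The guard exists because an empty report is false assurance: the scan "passes" while scanning none of the real dependencies.

```yaml
# Added example: Dependency-Check in its own job, with dependencies materialized first.
# Assumptions: ./gradlew is present; JSON report lands in reports/ next to the HTML one.
  owasp_dependency_check:
    needs: compile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      - name: Restore Gradle Cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}-${{ github.run_id }}-${{ github.run_number }}

      # The scanner runs inside a container that sees the checked-out workspace,
      # so the build has to run in this job: resolving dependencies in the
      # separate "compile" job does not make them visible here.
      - name: Preparation for OWASP Dependency check
        run: ./gradlew build -x test
        working-directory: ${{ github.workspace }}

      - name: OWASP dependency check
        id: owasp-dependency-check
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # actions/setup-java changes JAVA_HOME, so it needs to be reset to match the depcheck image
          JAVA_HOME: /opt/jdk
        with:
          project: my-project-name
          format: HTML
          args: |
            --format JSON
            --failOnCVSS 8
            --suppression config/owasp-dependency-check-suppression.xml
        timeout-minutes: 10

      # Guard against a silently empty scan: one dependency means only
      # gradle-wrapper.jar was found, which is the symptom described in the issue.
      - name: Fail if the scan saw nothing but the Gradle wrapper
        if: ${{ !cancelled() }}
        run: |
          report=reports/dependency-check-report.json   # assumed path
          count=$(jq '.dependencies | length' "$report")
          echo "Dependencies scanned: $count"
          if [ "$count" -le 1 ]; then
            echo "::error::Dependency-Check scanned only the Gradle wrapper; dependencies were not materialized before the scan"
            exit 1
          fi

      - name: Archive OWASP Dependency Check Report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: owasp-dependency-check-reports
          path: |
            reports/dependency-check-report.html
            reports/dependency-check-report.json
```

The guard runs under `if: ${{ !cancelled() }}` so it still executes when the scan step itself fails on `--failOnCVSS`, and the JSON report is archived next to the HTML one so the dependency count can be checked offline. If the count stays at one even with the build step in place, the build is not leaving dependency artifacts where the scanner looks, and the scan scope (the action's `path` input) is the next thing to inspect.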