search

dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0
47 stars 25 forks source link

[Suggestion] enable publishing of sarif reports to codeAnalysisLogs build artifact for automatic ingestion to scans tab of pipeline run #103

Closed RolfMoleman closed 7 months ago

RolfMoleman commented 2 years ago

Hi,

Currently the extension enables the publishing of a "Dependency Check" artifact if violations are found. id like to suggest adding in a conditional step such that if a report is generated with the sarif extension it is automatically published to the "CodeAnalysisLogs" artifact for ingestion into the scans tab.

This can currently be achieved by adding an additional step to the pipeline e.g 

    #publish owasp Scan
    - task: PublishBuildArtifacts@1
      condition: succeededOrFailed()
      displayName: "Publish owasp Scan"
      enabled: true
      name: "Publish_owasp_scan"
      inputs:
        PathtoPublish: "$(System.DefaultWorkingDirectory)/OWASP_Report/sarif"
        ArtifactName: "CodeAnalysisLogs"
        publishLocation: "container"

or if publishing multiple file formats:

    #copy sarif files to sarif directory to avoid polluting CodeAnalysisLogs
    - task: Powershell@2
      condition: succeededOrFailed()
      displayName: "Copy Sarif Files"
      enabled: true
      inputs:
        targetType: 'inline'
        script: |
          cd $(System.DefaultWorkingDirectory)/OWASP_Report
          $files = dir
          mkdir sarif
          ForEach($file in $files)
          {
            if($file.extension.Contains("sarif"))
            {
                Copy-Item -Path $file.FullName -Destination sarif -Force
            }
            else
            {
                Write-output $file.FullName "does not need moving"
            }      
          }
        showWarnings: true
        pwsh: true
        workingDirectory: '$(System.DefaultWorkingDirectory)'

    #publish owasp Scan
    - task: PublishBuildArtifacts@1
      condition: succeededOrFailed()
      displayName: "Publish owasp Scan"
      enabled: true
      name: "Publish_owasp_scan"
      inputs:
        PathtoPublish: "$(System.DefaultWorkingDirectory)/OWASP_Report/sarif"
        ArtifactName: "CodeAnalysisLogs"
        publishLocation: "container"

However having this built int he extension would remove the need for this.

Saturate commented 11 months ago

Code is already provided here: https://github.com/dependency-check/azuredevops/pull/93/

We just need to split it out from that, and make a new PR. After the new build pipeline is running, I can look into this.