dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

warnOnCVSSViolation not working with dependency check 8.0.0 #117

Closed stirrblig closed 1 year ago

stirrblig commented 1 year ago

The dependency checker version 8.0.0 has changed its exit codes. https://github.com/jeremylong/DependencyCheck/releases/tag/v8.0.0

The exit codes from the CLI have been changed to be in the range from 0-255

Because of this, the check in https://github.com/dependency-check/azuredevops/blob/main/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts is no longer working, since it's expecting error code 1:

        let failed = exitCode != 0;
        let isViolation = exitCode == 1;
...
        if (failed) {
            if(isViolation) {
                message = "CVSS threshold violation.";

                if(warnOnCVSSViolation) {
                    result = tl.TaskResult.SucceededWithIssues
                }
                else {
                    result = tl.TaskResult.Failed

This means that the build step fails, instead of throwing an error, even when warnOnCVSSViolation is set to true.

Workaround: in the azure-pipeline.yaml, specify the previous version explicitly:

    dependencyCheckVersion: '7.4.4'
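As an added example (not the extension's own code), the following stand-alone TypeScript models the exit-code mapping quoted above next to a version-aware variant. The 8.x violation exit code and the `TaskResult` stand-in are assumptions: the issue only states that codes now fall within 0-255, so the real value has to come from the installed CLI's documentation.

```typescript
// Added example, not the extension's own code: a stand-alone model of the
// task's exit-code handling, showing why the quoted check breaks with 8.0.0
// and one way to make the violation code version-dependent.

// Stand-in for tl.TaskResult from azure-pipelines-task-lib (names only).
const TaskResult = {
  Succeeded: "Succeeded",
  SucceededWithIssues: "SucceededWithIssues",
  Failed: "Failed",
} as const;
type TaskResult = (typeof TaskResult)[keyof typeof TaskResult];

// Exit code that signals a CVSS-threshold violation, per CLI major version.
// Before 8.0.0 it was 1 (the value the quoted check hard-codes). The 8.x value
// below is a PLACEHOLDER ASSUMPTION; replace it with the code the installed
// CLI documents, since the issue only says codes now fall in 0-255.
const CVSS_VIOLATION_EXIT_CODE_8X_PLACEHOLDER = 200;

function majorVersion(version: string): number {
  const m = /^(\d+)\./.exec(version.trim());
  if (!m) throw new Error(`unparseable dependencyCheckVersion: ${version}`);
  return Number(m[1]);
}

function violationExitCode(version: string): number {
  return majorVersion(version) >= 8 ? CVSS_VIOLATION_EXIT_CODE_8X_PLACEHOLDER : 1;
}

// Behaviour the issue reports: a violation is recognised only when exitCode == 1,
// so any other non-zero code is treated as a scan error and fails the step.
function classifyLegacy(exitCode: number, warnOnCVSSViolation: boolean): TaskResult {
  const failed = exitCode !== 0;
  const isViolation = exitCode === 1;
  if (!failed) return TaskResult.Succeeded;
  if (isViolation) return warnOnCVSSViolation ? TaskResult.SucceededWithIssues : TaskResult.Failed;
  return TaskResult.Failed;
}

// Version-aware variant: the violation code is looked up instead of hard-coded,
// so warnOnCVSSViolation keeps downgrading a violation to a warning on 8.x.
function classify(exitCode: number, warnOnCVSSViolation: boolean, version: string): TaskResult {
  if (exitCode === 0) return TaskResult.Succeeded;
  if (exitCode === violationExitCode(version)) {
    return warnOnCVSSViolation ? TaskResult.SucceededWithIssues : TaskResult.Failed;
  }
  return TaskResult.Failed;
}
```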

ejohn20 commented 1 year ago

I'm unable to reproduce this in my demo pipelines. I have merged this and released in v6.1.0. Please verify that the fix is working as expected.