dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Question - Is it possible to pull the processed NVD CVE files? #122

Closed Cosmin-Apopei closed 1 year ago

Cosmin-Apopei commented 1 year ago

Hello, I was looking into ways of speeding up the amount of time the dependency check scan took when run in an Azure Pipeline using the "OWASP Dependency Check" task.

Reading the logs, it seems that a lot of the time is going into downloading and processing the CVE files:


[INFO] Processing Complete for NVD CVE - 2016  (18858 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Processing Complete for NVD CVE - 2017  (14071 ms)
[INFO] Processing Started for NVD CVE - 2019
[INFO] Processing Complete for NVD CVE - 2018  (12425 ms)
[INFO] Processing Started for NVD CVE - 2020
[INFO] Processing Complete for NVD CVE - 2019  (9792 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2020  (10823 ms)
[INFO] Processing Started for NVD CVE - 2022
[INFO] Processing Complete for NVD CVE - 2021  (11030 ms)
[INFO] Processing Started for NVD CVE - 2023
[INFO] Processing Complete for NVD CVE - 2023  (193 ms)
[INFO] Processing Complete for NVD CVE - 2022  (10686 ms)

My questions are:

  1. What does the program do when it says it's "Processing" an NVD CVE file?
  2. Does the processing on the CVE file output a file to be used?
  3. Can I tell the scan to use a previously processed version of the NVD CVE files?

Thank you in advance.

HaGGi13 commented 1 year ago

Hi @Cosmin-Apopei,

Regards 1.: This happens in the OWASP Dependency Check itself that is wrapped in this Azure DevOps extension.
Here's the code.

It seems to download the definition files and import them. Indeed, much more happens under the hood, hence the aforementioned code reference.

Regards 2.: Please see Regards 1.

Regards 3.: To reduce the execution time, you can cache all downloaded data. Please check this #110. But this works in Azure Pipelines only; it won't work for Azure DevOps Server <= 2019 (on-prem), because the Cache task is not compatible with / does not exist for this version. Regarding Azure DevOps Server 2022, I cannot say.

jeremylong commented 1 year ago

I have no idea how the azure pipeline task is set up or used as the project is maintained by a different team.

In general - there is a data directory that should be cached. If you run the dependency-check update at least once every 7 days only a very small XML file is downloaded and processed.
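
As an added illustration of the caching approach discussed above (this is not from the issue, from #110, or from the extension's own docs), here is an Azure Pipelines YAML fragment that restores and saves the dependency-check data directory with the Cache@2 task and refreshes it on a weekly key, so the 7-day incremental update described above applies instead of a full download. It assumes the data directory path, the task name `dependency-check-build-task@6` and its `additionalArguments` input; check these against the extension's task definition before use.

```yaml
# Added example, not the extension's own pipeline. ASSUMPTIONS are marked inline.
variables:
  # ASSUMPTION: a writable location for dependency-check's data directory
  DC_DATA_DIR: $(Pipeline.Workspace)/dependency-check-data

steps:
  # Caches in Azure Pipelines are immutable once saved, so a fixed key would
  # never be refreshed and the vulnerability data would silently go stale.
  # A key containing the ISO week forces a fresh save once per week; the
  # restoreKeys prefix still reuses last week's data as a starting point.
  - bash: |
      week=$(date -u +%G-W%V)
      echo "##vso[task.setvariable variable=DC_CACHE_WEEK]$week"
    displayName: Compute weekly cache key

  - task: Cache@2
    displayName: Restore dependency-check data directory
    inputs:
      key: 'dependency-check | "$(Agent.OS)" | $(DC_CACHE_WEEK)'
      restoreKeys: |
        dependency-check | "$(Agent.OS)"
      path: $(DC_DATA_DIR)
      cacheHitVar: DC_CACHE_RESTORED

  # ASSUMPTION: task id/version and the additionalArguments input of this extension.
  # --data is dependency-check's own CLI option for the data directory.
  - task: dependency-check-build-task@6
    displayName: OWASP Dependency Check
    inputs:
      projectName: $(Build.Repository.Name)
      scanPath: $(Build.SourcesDirectory)
      format: HTML
      additionalArguments: '--data "$(DC_DATA_DIR)"'
```

On a cache miss (first run of a new week) the scan still performs the incremental NVD update against the restored prior-week data and the post-job step of Cache@2 saves the result under the new key.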

Cosmin-Apopei commented 1 year ago

Thank you both for your answers. Adding caching to my pipeline has reduced its time significantly.