dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Suppression file not being honored #123

Closed emboss64 closed 1 year ago

emboss64 commented 1 year ago

I tried using a suppressions.xml file that works when running the analysis with the CLI, and it seems like it's not even being loaded.

This is the config being used for the analysis:

- task: PowerShell@2
  displayName: Set variable for dependency check common arguments
  inputs:
    targetType: inline
    pwsh: true
    script: |
      $DependencyCheckCommonArguments = @(
        '${{ parameters.DependencyCheckExtraArguments }}',
        '--disablePyDist',
        '--disablePyPkg',
        '--disableYarnAudit',
        '--disableRubygems',
        '--disableBundleAudit',
        '--disableCocoapodsAnalyzer',
        '--disableSwiftPackageManagerAnalyzer',
        '--disableSwiftPackageResolvedAnalyzer',
        '--disableCmake',
        '--disableArchive',
        '--disableJar',
        '--disableComposer',
        '--disableCpan',
        '--disableGolangDep',
        '--disableGolangMod',
        '--disableMixAudit',
        '--data $(TempFolder)',
        '--cveUrlModified ${{ parameters.NVD_MIRROR_URL }}/nvdcve-1.1-modified.json.gz',
        '--cveUrlBase ${{ parameters.NVD_MIRROR_URL }}/nvdcve-1.1-%d.json.gz',
        '--ossIndexUsername ${{ parameters.OssIndexUsername }}',
        '--ossIndexPassword ${{ parameters.OssIndexPassword }}',
        '--ossIndexRemoteErrorWarnOnly true',
        '--suppression "${{ parameters.SupressionsFilePath }}"'
      )
      $DependencyCheckCommonArgumentsLine = $DependencyCheckCommonArguments -join " "
      Write-Host "##vso[task.setvariable variable=DependencyCheckCommonArguments]$DependencyCheckCommonArgumentsLine"

- task: dependency-check-build-task@6
  displayName: 'OWASP Dependency Check [${{ parameters.Type }}]'
  inputs:
    dependencyCheckVersion: 7.4.4
    projectName: '$(Build.Repository.Name)'
    format: '${{ parameters.ReportFormat }}'
    enableExperimental: true
    failOnCVSS: '${{ parameters.CVE_THRESHOLD }}'
    ${{ if eq(parameters.FailWhenFoundVulnerabilities,false) }}:
      warnOnCVSSViolation: true
    ${{ if eq(parameters.Type,'net') }}:
      scanPath: '${{ parameters.BasePath }}/**/*.csproj'
      additionalArguments: >
        --exclude "${{ parameters.ExcludePath }}"
        --scan "${{ parameters.BasePath }}/**/packages.config"
        --scan "${{ parameters.BasePath }}/**/*.nuspec"
        --disableNodeJS
        --disablePnpmAudit
        --disableNodeAudit
        --disableNodeAuditCache
        $(DependencyCheckCommonArguments)

And the XML file, generated directly from the HTML report:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-01-01">
        <notes><![CDATA[
        file name: System.Data.SqlClient:4.8.2
        ]]></notes>
        <sha1>fcbe835fc55d45f74850de520beafaff8b3901cc</sha1>
        <vulnerabilityName>CVE-2022-41064</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: System.Data.SqlClient:4.8.3
        ]]></notes>
        <sha1>73ee127c6e8359a3dd1162f58af66f8a543da4c7</sha1>
        <vulnerabilityName>CVE-2022-41064</vulnerabilityName>
    </suppress>
</suppressions>

Not even the usual message around the suppression expiration is shown in the job output.
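Added example, not code from the dependency-check/azuredevops project or from the issue author: a small Python checker for a suppression file in the schema-1.3 format shown above. It parses each suppress rule and reports the things that make a rule silently stop applying or never match: an until date that has already passed (the first rule above carries until="2023-01-01"), a sha1 that is not 40 hex characters, a rule with no dependency selector (which applies to every scanned dependency), and a sha1 that matches none of the artifacts the scan actually saw. The artifact bytes, the scanned-digest set and the sample XML are constructed for the example; the first digest in the sample is the one from the report above, and the third is that report's second digest with its last character dropped to show the malformed case.

```python
"""Sanity-check an OWASP Dependency-Check suppression file before committing it.

Added example; assumes only the stdlib and the schema-1.3 namespace used on the page.
"""
from __future__ import annotations

import datetime as dt
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespace of the suppression schema used in the file from the report above.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Elements that pick which dependency a rule applies to, and which vulnerability it suppresses.
DEP_SELECTORS = ("filePath", "sha1", "gav", "packageUrl")
VULN_SELECTORS = ("cve", "vulnerabilityName", "cpe", "cwe", "cvssBelow")


def sha1_of(data: bytes) -> str:
    """Hex SHA-1, the form Dependency-Check reports for a scanned artifact."""
    return hashlib.sha1(data).hexdigest()


def parse_suppressions(xml_text: str) -> list:
    """Read each <suppress> into a dict: {'until': str|None, 'sha1': [...], 'cve': [...], ...}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for el in root.findall("s:suppress", NS):
        rule = {"until": el.get("until")}
        for tag in DEP_SELECTORS + VULN_SELECTORS:
            values = [c.text.strip() for c in el.findall(f"s:{tag}", NS) if c.text]
            if values:
                rule[tag] = values
        rules.append(rule)
    return rules


def check_rules(rules: list, today: dt.date, artifact_sha1s: set | None = None) -> list:
    """Return (rule_number, problem) pairs for rules that will not do what their author expects."""
    findings = []
    for n, rule in enumerate(rules, start=1):
        # An 'until' date in the past is the classic reason a suppression quietly stops working.
        if rule["until"] and dt.date.fromisoformat(rule["until"]) < today:
            findings.append((n, f"expired: until={rule['until']} is before {today}"))
        if not any(k in rule for k in DEP_SELECTORS):
            findings.append((n, "no filePath/sha1/gav/packageUrl: applies to every scanned dependency"))
        for digest in rule.get("sha1", []):
            if not SHA1_RE.match(digest.lower()):
                findings.append((n, f"malformed sha1 {digest!r}"))
            elif artifact_sha1s is not None and digest.lower() not in artifact_sha1s:
                findings.append((n, f"sha1 {digest} matches none of the scanned artifacts"))
    return findings


# Constructed bytes standing in for a scanned package file (not a real nupkg).
GOOD_ARTIFACT = b"example-package-contents"
GOOD_SHA1 = sha1_of(GOOD_ARTIFACT)

# Constructed sample in the same layout as the file from the report.
SAMPLE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-01-01">
        <notes><![CDATA[expired rule: the digest is the first one from the report above]]></notes>
        <sha1>fcbe835fc55d45f74850de520beafaff8b3901cc</sha1>
        <vulnerabilityName>CVE-2022-41064</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[good rule: digest matches the constructed artifact]]></notes>
        <sha1>{GOOD_SHA1}</sha1>
        <vulnerabilityName>CVE-2022-41064</vulnerabilityName>
    </suppress>
    <suppress>
        <notes><![CDATA[typo: the report's second digest with its last character dropped]]></notes>
        <sha1>73ee127c6e8359a3dd1162f58af66f8a543da4c</sha1>
        <cve>CVE-2022-41064</cve>
    </suppress>
</suppressions>
"""


def demo(today_iso: str = "2023-06-01") -> list:
    """Run the checker over the sample as if the scan had seen only the constructed artifact."""
    rules = parse_suppressions(SAMPLE_XML)
    scanned = {GOOD_SHA1}
    return check_rules(rules, dt.date.fromisoformat(today_iso), scanned)


if __name__ == "__main__":
    for n, problem in demo():
        print(f"rule {n}: {problem}")
```

Pass the digests from a real scan (the sha1 column of the HTML or JSON report) as artifact_sha1s to catch a rule whose digest was copied from an older package version; run it with today's date so an expired until shows up before the pipeline silently stops suppressing the finding.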

emboss64 commented 1 year ago

Was able to fix it; apparently --data $(TempFolder) was the culprit.