dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Add artifactName input #136

Closed pippolino closed 4 months ago

pippolino commented 8 months ago

Customize the name of the artifact to permit multiple task executions in the same pipeline (#124)

LucaBlackDragon commented 6 months ago

This would also allow checking scan results directly inside Azure DevOps with Microsoft's SARIF SAST Scans Tab extension, which expects results to be published inside an artifact named "CodeAnalysisLogs".

rknechtel commented 4 months ago

This would also allow checking scan results directly inside Azure DevOps with Microsoft's SARIF SAST Scans Tab extension, which expects results to be published inside an artifact named "CodeAnalysisLogs".

Actually, it must have an artifact name of CodeAnalysisLogs, OR the artifact name must include _sdl_analysis or _sdl_sources.

So allowing an artifact name input would be great; then we could use an artifact name containing one of the "includes" items without needing a 'PublishBuildArtifacts@1' task.

My workaround for now is below. The only thing is that you get two build artifacts, 1) Dependency Check and 2) owasp-sca_sdl_analysis, but at least owasp-sca_sdl_analysis shows up in the scans tab.

  # Run the OWASP SCA Dependency Checker
  - task: dependency-check-build-task@6
    displayName: 'OWASP SCA Dependency Checker'
    inputs:
      projectName: 'MyProject'
      scanPath: '**/*.csproj'
      format: 'SARIF'
      reportsDirectory: 'OWASP-SCA-Dependency-Check'
      reportFilename: 'owasp-sca-findings.sarif'
      additionalArguments: --nvdApiKey $(NIST_NVD_API_KEY)

  - task: PublishBuildArtifacts@1
    displayName: 'Publish OWASP SCA Dependency Check Report'
    inputs:
      # Note(s):
      # For the Azure DevOps Sarif Extension to pick up a .sarif file
      # must have an Artifact name of:
      # CodeAnalysisLogs
      # OR
      # Artifact Name must Includes: 
      # _sdl_analysis 
      # or 
      # _sdl_sources
      PathtoPublish: '$(System.DefaultWorkingDirectory)/OWASP-SCA-Dependency-Check/owasp-sca-findings.sarif'
      ArtifactName: 'owasp-sca_sdl_analysis'
      publishLocation: 'Container'
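The workaround above only helps if the published file is actually a usable SARIF report and the artifact name satisfies the scans-tab rule rknechtel quotes. The script below is an added example (it is not part of the dependency-check-azuredevops project and not rknechtel's code) of a pre-publish gate that can sit between the dependency-check-build-task and PublishBuildArtifacts@1 steps: it checks the intended artifact name against the rule stated in the comment (exact name "CodeAnalysisLogs", or a name containing "_sdl_analysis" or "_sdl_sources"), parses the report as SARIF 2.1.0 (standard layout: runs[].tool.driver.name, runs[].results[].level), counts findings per level, and fails the step on error-level findings. The embedded sample report is constructed, with placeholder rule ids rather than real CVEs; the "error means build-breaking" policy and the script name `sarif_gate.py` are assumptions.

```python
#!/usr/bin/env python3
"""Pre-publish gate for a Dependency-Check SARIF report (added example, not project code).

Usage in a pipeline step, after the scan and before PublishBuildArtifacts@1:
    python3 sarif_gate.py OWASP-SCA-Dependency-Check/owasp-sca-findings.sarif owasp-sca_sdl_analysis
With no arguments it runs against the constructed SAMPLE_SARIF below.
Exit status is non-zero if the artifact name would not be picked up by the
scans tab, if the file is not SARIF 2.1.0, or (assumed policy) if any result
is at level "error".
"""
import json
import sys
from collections import Counter

# Naming rule as stated in the thread for Microsoft's SARIF SAST Scans Tab extension.
SCANS_TAB_EXACT_NAME = "CodeAnalysisLogs"
SCANS_TAB_SUBSTRINGS = ("_sdl_analysis", "_sdl_sources")

# Constructed sample in the SARIF 2.1.0 shape; rule ids are placeholders, not real CVEs.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "dependency-check"}},
        "results": [
            {"ruleId": "EXAMPLE-RULE-1", "level": "error",
             "message": {"text": "placeholder critical finding in pkg-a"}},
            {"ruleId": "EXAMPLE-RULE-2", "level": "warning",
             "message": {"text": "placeholder medium finding in pkg-b"}},
            {"ruleId": "EXAMPLE-RULE-3",
             "message": {"text": "placeholder finding with no level (SARIF default is warning)"}},
        ],
    }],
}


def artifact_name_is_picked_up(artifact_name: str) -> bool:
    """True if the artifact name satisfies the rule quoted in the thread."""
    return artifact_name == SCANS_TAB_EXACT_NAME or any(
        marker in artifact_name for marker in SCANS_TAB_SUBSTRINGS
    )


def summarize_sarif(doc: dict) -> dict:
    """Return tool names and per-level result counts from a SARIF 2.1.0 document."""
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("report is not a SARIF 2.1.0 document")
    levels: Counter = Counter()
    tools = []
    for run in doc["runs"]:
        tools.append(run.get("tool", {}).get("driver", {}).get("name", "unknown"))
        for result in run.get("results", []):
            # SARIF defines "warning" as the default when "level" is absent.
            levels[result.get("level", "warning")] += 1
    return {"tools": tools, "levels": dict(levels), "total": sum(levels.values())}


def gate(doc: dict, artifact_name: str, fail_on_error: bool = True):
    """Apply the publish-time checks; returns (ok, messages)."""
    messages = []
    ok = artifact_name_is_picked_up(artifact_name)
    if not ok:
        messages.append(
            f"artifact name {artifact_name!r} will not appear in the scans tab; use "
            f"{SCANS_TAB_EXACT_NAME!r} or a name containing one of {SCANS_TAB_SUBSTRINGS}"
        )
    try:
        summary = summarize_sarif(doc)
    except ValueError as exc:
        return False, messages + [str(exc)]
    messages.append(
        f"{summary['total']} finding(s) from {', '.join(summary['tools'])}: {summary['levels']}"
    )
    errors = summary["levels"].get("error", 0)
    if fail_on_error and errors:
        messages.append(f"{errors} error-level finding(s); failing the step")
        ok = False
    return ok, messages


def main(argv) -> int:
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
        artifact_name = argv[2]
    else:
        doc, artifact_name = SAMPLE_SARIF, "owasp-sca_sdl_analysis"
    ok, messages = gate(doc, artifact_name)
    # "##vso[task.logissue type=error]" is the Azure Pipelines logging command
    # that surfaces a line as a build error in the job summary.
    prefix = "" if ok else "##vso[task.logissue type=error]"
    for message in messages:
        print(prefix + message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it with no arguments exits 1 because the constructed sample contains one error-level result; against a real report, pass `fail_on_error=False` (or drop that check) if you only want the naming and format validation and prefer to gate on the task's own failOnCVSS input instead.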