search

dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0
45 stars 25 forks source link

OWASP checker does not analyze .Net Framework solution's NuGet dependencies #168

Open RIVM-Joris-Brandt opened 3 weeks ago

RIVM-Joris-Brandt commented 3 weeks ago

We currently have a .NET Framework project, version 4.7, hosted on Azure and built using Azure DevOps. Previously builds for this project were done in Jenkins, and included the OWASP dependency checker plugin. After migrating to ADevOps we integrated the OWASP plugin hoping to recreate the same pipeline as before. However the OWASP check on Azure DevOps appears to only analyze the solution's internal dependencies on our Class Libraries, it doesn't seem to check our NuGet packages, contrary to what the Jenkins plugin did. The result is the check always "No issues found", even if there are known vulnerabilities in the project, including ones the Jenkins plugin has picked up.

I've been looking around and, as far as I can tell, the configuration should be good:

- task: dependency-check-build-task@6
  displayName: OWASP Dependency Checker
  inputs:
    projectName: 'NanoSpray'
    scanPath: '**/*.csproj'
    format: 'HTML, JSON, JUNIT'
    uploadReports: true
    failOnCVSS: '8'
    enableVerbose: true
    enableRetired: true
    enableExperimental: true
    nvdApiKey: $(nvdAPI)

Although all other examples I can find online were using .NET Core projects, so perhaps this is part of the issue? We've tried several variations, including changing csproj locations, including packages.config files. Forcibly downgrading packages to force a the checker to pick something up.

We're using version 6.2.3 of Add-On. For the underlying OWASP Dependency Checker we've tried with both versions 10.0.3 and 8.3.1, the latter since it's the version we're running on Jenkins, which is working as intended.