dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

TypeScript Extension Conversion #23

Closed ejohn20 closed 3 years ago

ejohn20 commented 4 years ago

Convert the extension from PS ---> TypeScript to run on both Windows and Ubuntu build agents.

alaincroisetiere commented 3 years ago

Hello @ejohn20, can you help me complete this feature? I converted the script, as you can see in my fork. To get the VSIX working on Azure DevOps, I need to run the following script, but I'm not sure how to integrate that in your CI/CD.

$env:BUILD_VERSION="6.0.0.0"
$env:BUILD_ENVIRONMENT="Dev"

Remove-Item -Path D:\code\alaincroisetiere\azuredevops\node_modules -Force -Recurse
Remove-Item -Path D:\code\alaincroisetiere\azuredevops\src\Tasks\dependency-check-build-task\node_modules -Force -Recurse

cd D:\code\alaincroisetiere\azuredevops\src\Tasks\dependency-check-build-task\
npm install
tsc
Remove-Item D:\code\alaincroisetiere\azuredevops\src\Tasks\dependency-check-build-task\node_modules\*\.github -Force -Recurse

cd D:\code\alaincroisetiere\azuredevops\
npm install

.\build\set-installer-version.ps1 
npm run package-dev

ejohn20 commented 3 years ago

Amazing! I wasn't aware that anyone was going to pick this one up! :)

Can you email / DM me your Azure DevOps org name? I will share the "dev" version of the extension with you and make the above modifications to see if we can get this working in dev.

alaincroisetiere commented 3 years ago

This is the same as my GitHub username, alaincroisetiere.

ejohn20 commented 3 years ago

@alaincroisetiere The OWASP Dependency Check - DEV extension has been shared with you. I'm updating the build definition to include the commands you mentioned above.

ejohn20 commented 3 years ago

The build pipeline handles the new TS version's build / release just fine. I bumped the new version to 6.* so folks relying on the PS version can opt in to the TS version rather than it being auto-installed.

Version 6.0.0.1 published in dev: https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck-dev.

Feel free to start testing, etc. and let me know if you need to make adjustments. It will probably be a few days before I have time to vet both agents and test the new fields, etc.

alaincroisetiere commented 3 years ago

The compiled dependency-check-build-task.js is missing from the VSIX. Is build.sh executed in the CI/CD?

ejohn20 commented 3 years ago

Thanks for the heads up. Missed these commands in the build pipeline:

cd .\src\Tasks\dependency-check-build-task\
npm install
npm run build
Remove-Item .\node_modules\*\.github -Force -Recurse

I have added them, and a new version 6.0.0.3 is published to the marketplace. Can you take a look and verify it's packaged correctly?

To make this easier going forward, I'm going to convert the Azure Pipeline to a YAML driven workflow so it's in this repo as well. Will take a few days to get around to it.

ejohn20 commented 3 years ago

My first run with the dev extension didn't make it very far:

2021-02-17T14:16:57.0268914Z Starting Dependency Check...
2021-02-17T14:16:57.0319347Z Not found scanPath: D:\a\1\s\**\*.csproj
2021-02-17T14:16:57.0321424Z ##[error]Not found scanPath: D:\a\1\s\**\*.csproj
2021-02-17T14:16:57.0324662Z ##[error]Unhandled error condition detected.
2021-02-17T14:16:57.0327187Z Ending Dependency Check...
2021-02-17T14:16:57.0390476Z ##[section]Finishing: Dependency Check - DEV

Task configuration:

steps:
- task: dependency-check.dependencycheck-dev.dependency-check-build-task-dev.dependency-check-build-task-dev@6
  displayName: 'Dependency Check - DEV'
  inputs:
    projectName: WebGoat.NET
    scanPath: '**/*.csproj'
    format: 'HTML,JSON,JUNIT'
    failOnCVSS: 9

alaincroisetiere commented 3 years ago

The value D:\a\1\s\**\*.csproj is an invalid folder path.

ejohn20 commented 3 years ago

I see, this validation might be too strict then. The --scan parameter for dependency check allows ANT style paths such as this to recursively find all files with a given extension in all directories.

alaincroisetiere commented 3 years ago

The example in the official documentation is a file path. I will fix.

ejohn20 commented 3 years ago

Just re-read the docs. Both the --scan and --exclude support ANT style paths, so this would affect both of those fields.
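A sketch of a less strict check for the scanPath problem discussed above, as an added example that is not the extension's own code: it accepts Ant-style patterns and only requires the literal directory prefix before the first wildcard to exist. `checkScanPath`, its parameters and the directory set in the usage lines are hypothetical and constructed for illustration; the same check would apply to an exclude value.

```typescript
import * as fs from "fs";
import * as path from "path";

// A path segment containing * or ? is an Ant-style pattern, not a literal name.
const WILDCARD = /[*?]/;

interface ScanPathCheck {
  isPattern: boolean; // true when the value contains Ant wildcards
  baseDir: string;    // literal prefix (or the whole value) that must exist
  ok: boolean;        // whether the value should be accepted
}

// Hypothetical helper: validates a scanPath value that has already been
// resolved against the sources directory, e.g. D:\a\1\s\**\*.csproj.
// Assumption: both \ and / are treated as separators on every platform.
function checkScanPath(
  value: string,
  exists: (p: string) => boolean = fs.existsSync,
  sep: string = path.sep
): ScanPathCheck {
  const segments = value.split(/[\\/]/);
  const firstWild = segments.findIndex((s) => WILDCARD.test(s));

  if (firstWild === -1) {
    // Literal file or folder: it must exist exactly as given.
    return { isPattern: false, baseDir: value, ok: exists(value) };
  }

  // Pattern: only the literal prefix can be checked on disk. Rejecting a
  // missing prefix fails the task early instead of scanning nothing.
  const joined = segments.slice(0, firstWild).join(sep);
  // An empty prefix is either the filesystem root ("/*.jar") or the
  // current directory ("**/*.csproj").
  const baseDir = joined !== "" ? joined : firstWild > 0 ? sep : ".";
  return { isPattern: true, baseDir, ok: exists(baseDir) };
}

// Constructed usage: the value from the failing run, checked against a
// constructed set of existing directories instead of the real disk.
const sampleDirs = new Set(["D:\\a\\1\\s"]);
const sample = checkScanPath(
  "D:\\a\\1\\s\\**\\*.csproj",
  (p) => sampleDirs.has(p),
  "\\"
);
console.log(sample);
```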

ejohn20 commented 3 years ago

@alaincroisetiere Thanks for the bump. Did the new build successfully run for you on your side? I'll test it again shortly.

alaincroisetiere commented 3 years ago

Yes, the build ran successfully on my side, but I didn't test the dataMirror parameter. Can you test it or provide a URL to me?

ejohn20 commented 3 years ago

Just ran a couple builds through on my side. One with the data mirror and one without, and confirmed the data mirror is loading the cached data files into the data directory. These were both on a Windows agent. I'm going to test a Linux agent quick and make sure that works OK.

Fields that I have not tested yet, which are mainly for on-premise installations:

alaincroisetiere commented 3 years ago

I tested Local Install Path with an agent on my PC: succeeded.

Also tested Custom Installer Repository URL with the GitHub release URL: succeeded.

ejohn20 commented 3 years ago

@alaincroisetiere Sorry for the delay. Testing on Linux agents now, and will release in v6.0 if all goes well! :)

ejohn20 commented 3 years ago

Merged. Tested the v6.* extension on Windows and Linux, worked great. Awesome work on this @alaincroisetiere.