dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

scanPath Bug - Quote Full Path #68

Closed ewilansky closed 3 years ago

ewilansky commented 3 years ago

I have multiple csproj files under a src path for our solution, but need to be specific about which csproj files need to be dependency checked. I see that the dependency-check tool supports multiple scan paths so this works fine to scan both the csproj for proj.web and proj.service:

    dependency-check --project Project01 --scan /code/proj01/src/proj.web/*.csproj --scan /code/proj01/src/proj.service/*.csproj --out ./TestResults/dependency-check --format HTML --failOnCVSS 8 --log ./TestResults/dependency-check/log

However, I can't specify scanPath twice in my pipeline:

    steps:
      - task: dependency-check-build-task@6
        displayName: "OWASP Dependency Check"
        inputs:
          projectName: 'Project01'
          scanPath: '**/proj.web/*.csproj'
          scanPath: '**/proj.service/*.csproj'
          ...

Azure pipeline returns:

    /azure-pipelines.yml (Line: 16, Col: 11): 'scanPath' is already defined

I want to run multiple scans to optimize dependency check time, rather than creating a task for each csproj.

ejohn20 commented 3 years ago

The scanPath supports full ANT style paths, so you can use scanPath: **/*.csproj to pick them all up.

Or, use the additionalArguments parameter to pass in an additional --scan argument.

ewilansky commented 3 years ago

Yes, the glob pattern works using the dependency-check client where I can quote the ANT style path. For example, this works with single quotes:

    dependency-check --scan '/code/proj01/src/proj.*/**/*.csproj'

or double quotes:

    dependency-check --scan "/code/proj01/src/proj.*/**/*.csproj"

but this won't work where the glob pattern is unquoted:

    dependency-check --scan /code/proj01/src/proj.*/**/*.csproj

There is some discussion about this issue here https://github.com/jeremylong/DependencyCheck/issues/1812. I suppose this is an issue that would only appear using a Linux build agent.

I see that when I try to do the same using the extension:

    scanPath: '"**/proj.*/*.csproj"'

the build agent local path is appended to the ANT style path and the scan becomes this:

    --scan /home/vsts/work/1/s/"**/proj.*/*.csproj"

Reversing the double and single quotes resulted in this:

    --scan "/home/vsts/work/1/s/'**/proj.*/*.csproj'"

Your suggestion for using additionalArguments worked fine. However, I have more than two projects I need to scan and scanning the entire set of csproj files is fast so using a glob pattern is definitely the way to go.

ejohn20 commented 3 years ago

Thanks for reporting this. @alaincroisetiere it sounds like we need to quote the full scan path before passing the argument into the shell script.

Workaround for now: can you pass two separate --scan arguments in the additionalArguments field?
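Added example (not code from the extension or from the dependency-check project) illustrating the quoting point above: the task prepends the agent source directory to scanPath, and the joined path has to reach dependency-check.sh as one quoted word, otherwise the shell expands the ANT glob itself. The helper names and the sample directory tree are assumptions constructed for this demo.

```shell
#!/bin/sh
# Added example; not code from the dependency-check Azure DevOps extension.
# The task prepends the agent source directory to scanPath and hands the joined
# path to dependency-check.sh. If that path reaches the shell unquoted, the shell
# expands the ANT-style glob itself ("**" degrades to a single-level "*"), so
# dependency-check never sees the pattern. Helper names below are assumptions.

# Wrap the complete "<base>/<pattern>" in single quotes so the shell parses it as
# ONE argv word; a literal single quote inside the path is escaped as '\''.
quote_scan_path() {
  base="$1"; pattern="$2"
  escaped=$(printf '%s' "$base/$pattern" | sed "s/'/'\\\\''/g")
  printf "'%s'" "$escaped"
}

# Buggy behaviour: the shell expands an UNQUOTED path; report how many argv
# words (matched files) dependency-check would receive instead of the pattern.
unquoted_word_count() {
  # shellcheck disable=SC2086  # left unquoted on purpose
  set -- $1
  echo "$#"
}

# Fixed behaviour: re-parse the quoted string the way the shell script would;
# it must come out as exactly one word, still containing the glob characters.
quoted_word_count() {
  eval "set -- $1"
  echo "$#"
}

# Constructed sample tree mirroring the /home/vsts/work/1/s/src/proj.* layout
# from the log: two projects at one level, one nested a level deeper.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/src/proj.web" "$root/src/proj.service" "$root/src/proj.client/sub"
  : > "$root/src/proj.web/proj.web.csproj"
  : > "$root/src/proj.service/proj.service.csproj"
  : > "$root/src/proj.client/sub/proj.client.csproj"
}

if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d)
  make_sample_tree "$root"
  echo "unquoted argv words: $(unquoted_word_count "$root/**/proj.*/*.csproj")"
  echo "quoted argv words:   $(quoted_word_count "$(quote_scan_path "$root" '**/proj.*/*.csproj')")"
  rm -rf "$root"
fi
```

Run with `--demo` to see the unquoted pattern turn into two file names (the nested project is missed because the shell's `**` is only `*`), while the quoted form stays a single argument that dependency-check can expand with ANT semantics.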

ewilansky commented 3 years ago

That's a great idea and something I tried, but dependency-check fails with the same error (shown at the end of this comment) when I include any more than one project in additional arguments. I tried using the multi-scan parameter syntax that worked when passing directly to dependency-check:

    additionalArguments: '--scan "$(Build.SourcesDirectory)/**/proj01.service/*.csproj" --scan "$(Build.SourcesDirectory)/**/proj01.client/*.csproj"'

This variation with a single --scan parameter doesn't fail, but instead just ignores the additional --scan parameter:

    additionalArguments: '--scan "$(Build.SourcesDirectory)/**/proj01.service/*.csproj $(Build.SourcesDirectory)/**/proj01.client/*.csproj"'

I then hardcoded the path with just one argument in additionalArguments and that worked:

    additionalArguments: '--scan $(Build.SourcesDirectory)/src/proj01.service/proj01.service.csproj'

Log showing the resulting command line for the task:

    /home/vsts/work/_tasks/dependency-check-build-task_{task_id}/6.0.2/dependency-check/bin/dependency-check.sh --project Proj01 --scan /home/vsts/work/1/s/src/proj01.web/proj01.web.csproj --out /home/vsts/work/1/TestResults/dependency-check --format HTML --failOnCVSS 8 --scan /home/vsts/work/1/s/src/proj01.service/proj01.service.csproj

But two arguments in additionalArguments does not work, as mentioned earlier. Here is the command line from the log:

    /home/vsts/work/_tasks/dependency-check-build-task_{task_id}/6.0.2/dependency-check/bin/dependency-check.sh --project Radiance --scan /home/vsts/work/1/s/src/proj01.web/proj01.web.csproj --out /home/vsts/work/1/TestResults/dependency-check --format HTML --failOnCVSS 8 --scan /home/vsts/work/1/s/src/proj01.service/proj01.service.csproj --scan /home/vsts/work/1/s/src/proj01.client/proj01.client.csproj

Error:

    ##[error]The process '/home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.sh' failed with exit code 1
    ##[debug]Processed: ##vso[task.issue type=error;]The process '/home/vsts/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.2/dependency-check/bin/dependency-check.sh' failed with exit code 1
    ##[debug]task result: Failed
    ##[error]Unhandled error condition detected.

alaincroisetiere commented 3 years ago

@ewilansky, I'm not able to reproduce the issue. Can you try with scanPath: '$(System.BuildSourcesDirectory)/**/proj.*/*.csproj' and send the complete log of the dependency-check-task@6, please.

ewilansky commented 3 years ago

Hi @alaincroisetiere, I've attached the full log. As you'll see on line 148, the scan path is not enclosed in quotes, so the dependency check engine is failing to expand the glob path properly. I believe this is related to the issue I mentioned in my first reply to @ejohn20. (Attachment: owasp_dc_task.log)

alaincroisetiere commented 3 years ago

Sorry @ewilansky, I gave you the wrong predefined variable. Retry with scanPath: '$(Build.SourcesDirectory)/**/proj.*/*.csproj', please.

ewilansky commented 3 years ago

No problem, @alaincroisetiere. I think the glob path you provided works. Thanks! However, I've run into another issue where the OWASP Dependency Check engine throws a NullPointerException when processing a project that matches the glob pattern:

    2021-03-25T14:05:28.7756223Z [ERROR] 
    2021-03-25T14:05:28.7756988Z java.lang.NullPointerException: null

This is unrelated to the scanPath issue and I'm working through the exception issue now. So, if you don't mind, can we leave this open just a bit longer until I've confirmed a successful run?

ewilansky commented 3 years ago

@alaincroisetiere, thanks for your patience. I have verified that the path you provided works perfectly to pick up all of the projects in the solution. The java.lang.NullPointerException was caused by an outdated package in one of the project files. I'm not sure what library was outdated, but it was important to get them updated anyway. I'll close this, and thanks again for your and @ejohn20's help!

ejohn20 commented 3 years ago

Excellent! We should document this solution in the main extension docs. I'll follow up on that part.