dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

"suppressionPath" option doesn't work #98

Open sicil1ano opened 2 years ago

sicil1ano commented 2 years ago

Hi.

I'm using the Azure DevOps extension v0.2.10 in Azure DevOps Services. I tried to use the following in my YAML pipeline, running it in a hosted agent:

```yaml
- task: OWASPDependencyCheck@0
  displayName: 'Run OWASP Dependency Check Scan'
  inputs:
    outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    outputFormat: 'ALL'
    scanDirectory: ${{ parameters.dependencyCheckScanDirectory }}
    useSonarQubeIntegration: ${{ parameters.enableSonarQubeIntegration }}
    suppressionPath: '$(System.DefaultWorkingDirectory)/owasp-dependency-check-suppressions.xml'
```

The extension is supposed to add a --suppression argument to the dependency check script, but this option doesn't work. In the logs, I can't find anything about this option, but I guess it's being ignored. My dependency check report still shows my vulnerability as active, instead of being shown as suppressed. The code checks that the provided path isn't the same as $(Build.SourcesDirectory) (evaluated as /home/vsts/work/1/s), and the path I provided gets evaluated as /home/vsts/work/1/s/owasp-dependency-check-suppressions.xml. I think it should be fine. Is this correct?

I ended up using the additionalArguments option as a workaround. It worked with the following: `additionalArguments: '--suppression $(System.DefaultWorkingDirectory)/owasp-dependency-check-suppressions.xml'`

This is what the logs reported when I used the additionalArguments option: `Additional command line arguments: --suppression /home/vsts/work/1/s/owasp-dependency-check-suppressions.xml`

This is what my XML suppression file looks like:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- This suppresses CVE-2020-8554 for KubernetesClient package.
     Please see https://github.com/kubernetes/kubernetes/issues/97076 & https://nvd.nist.gov/vuln/detail/CVE-2020-8554
     As per January 2022, the issue is not fixed yet. -->
  <suppress>
    <notes>
      <![CDATA[
      file name: KubernetesClient:6.0.25
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:nuget/KubernetesClient@.*$</packageUrl>
    <cve>CVE-2020-8554</cve>
    <cpe>cpe:/a:kubernetes:kubernetes</cpe>
  </suppress>
</suppressions>
```
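When a suppression silently fails to apply, as in the report above, it helps to be able to check the suppression file offline, independently of the pipeline task: parse it, confirm it is a schema-1.3 `<suppressions>` document, and see which findings its rules would cover. The script below is an added example and is not code from the dependency-check/azuredevops extension or from the issue author. It embeds a constructed copy of the suppression file shown above and uses a simplified model of Dependency-Check's matching (an assumption, not the tool's own algorithm): a finding is suppressed when a rule's `<packageUrl>` matches the package URL and the rule lists the finding's CVE. The `check_suppression_path` helper mirrors the precondition the report describes (path must differ from the sources directory) plus an existence check, and is likewise an assumption about the extension's behaviour.

```python
"""Offline dry-run of a Dependency-Check suppression file (added example)."""
import os
import re
import xml.etree.ElementTree as ET

# Namespace of the 1.3 suppression schema, as used in the file above.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample: a copy of the suppression file posted in the issue.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: KubernetesClient:6.0.25]]></notes>
    <packageUrl regex="true">^pkg:nuget/KubernetesClient@.*$</packageUrl>
    <cve>CVE-2020-8554</cve>
    <cpe>cpe:/a:kubernetes:kubernetes</cpe>
  </suppress>
</suppressions>
"""


def load_rules(xml_text):
    """Parse each <suppress> into {'purl': (pattern, is_regex) | None, 'cves': set, 'cpes': set}."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}suppressions" % NS["s"]:
        raise ValueError("not a 1.3 <suppressions> document, root is %s" % root.tag)
    rules = []
    for sup in root.findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        purl = None
        if purl_el is not None and purl_el.text:
            purl = (purl_el.text.strip(), purl_el.get("regex", "false").lower() == "true")
        rules.append({
            "purl": purl,
            "cves": {e.text.strip() for e in sup.findall("s:cve", NS) if e.text},
            "cpes": {e.text.strip() for e in sup.findall("s:cpe", NS) if e.text},
        })
    return rules


def purl_matches(rule, package_url):
    """Apply the rule's packageUrl as a regex (regex="true") or as an exact string."""
    pattern, is_regex = rule["purl"]
    if is_regex:
        return re.search(pattern, package_url) is not None
    return pattern == package_url


def is_suppressed(rules, package_url, cve):
    """Simplified model (assumption): a rule that identifies the package and lists the CVE suppresses it."""
    for rule in rules:
        if rule["purl"] is None:
            continue  # identified by sha1/filePath/gav instead; not modelled here
        if purl_matches(rule, package_url) and cve in rule["cves"]:
            return True
    return False


def dry_run(rules, findings):
    """Map each (package_url, cve) finding to whether the rules would suppress it."""
    return {f: is_suppressed(rules, *f) for f in findings}


def check_suppression_path(path, sources_dir):
    """Assumed precondition, modelled on the issue text: the suppression path must not be
    the sources directory itself and must point at an existing file. Returns (ok, reason)."""
    real = os.path.realpath(path)
    if real == os.path.realpath(sources_dir):
        return False, "suppressionPath equals the sources directory"
    if not os.path.isfile(real):
        return False, "suppression file not found: %s" % real
    return True, "ok"


if __name__ == "__main__":
    rules = load_rules(SAMPLE_XML)
    # Constructed findings; CVE-XXXX-XXXX is a placeholder id that no rule lists.
    findings = [
        ("pkg:nuget/KubernetesClient@6.0.25", "CVE-2020-8554"),
        ("pkg:nuget/KubernetesClient@6.0.25", "CVE-XXXX-XXXX"),
        ("pkg:nuget/OtherPackage@1.0.0", "CVE-2020-8554"),
    ]
    for (purl, cve), suppressed in dry_run(rules, findings).items():
        print("%-40s %-14s -> %s" % (purl, cve, "suppressed" if suppressed else "ACTIVE"))
    print(check_suppression_path("owasp-dependency-check-suppressions.xml", os.getcwd()))
```

Running the dry-run against the real report's package URLs shows immediately whether a still-active finding is a matching problem in the file (wrong regex, wrong CVE) or, as in this issue, the file never reaching the scanner at all.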