etnetera / owasp-dependency-check

MIT License

Unable to create both HTML and XML reports in a single run #4

Closed Muzietto closed 2 years ago

Muzietto commented 2 years ago

According to the documentation, the option --format can be specified multiple times in the command line.

I wish to have both HTML and XML reports, so I tried inside package.json the following task definition:

"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"package-lock.json\" --out \"owasp\" --format HTML --format XML"

However, this command fails and the scan exits immediately with the message: Invalid 'out' argument: 'owasp' - path does not exist.

It must be noted that the output directory owasp is indeed present, and that whenever I specify only one output format (HTML or XML) this option never gives problems.

I suppose therefore that the presence of two --format options gives some unexpected trouble to the CLI string interpreter.

What is the correct command line for creating two reports (HTML and XML) in the output directory?

centi commented 2 years ago

I'm afraid that this one is on the CLI tool itself. And honestly, I'm quite confused by it. I tried your exact command, which failed as you mentioned, and it used this command:

/my_path_to/dependency-check.sh --out=owasp --project ProjectTest --scan package-lock.json --format HTML --format XML --data=/tmp/dependency-check-data

When I remove one of the formats (XML) and use this command, it works fine:

/my_path_to/dependency-check.sh --out=owasp --project ProjectTest --scan package-lock.json --format HTML --data=/tmp/dependency-check-data

But now the confusing part. When I now use the first command again (the one with both formats), it works fine and both formats are generated as they should.

centi commented 2 years ago

Just to clarify, I used only the generated dependency-check.sh commands, to ensure that my script is not causing this problem. The problem remains even when using the CLI tool itself, without my script.

Muzietto commented 2 years ago

I understand that there is no straightforward way to achieve the double reporting in one run. So the solution I have envisioned is to have two single-format tasks and run them one after the other.

The XML run stores results in owasp/xml directory. The HTML run stores results in owasp/html directory.

It is necessary to use separate subdirs, because each run would wipe out the owasp directory written by the other.

Thank you for the exhaustive answer. I wish all open source projects were so responsive :-)

Closing this issue.
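The two-task workaround described in the closing comment, written out as a package.json scripts block. This is an added example, not configuration from the original issue; the script names, the `owasp/xml` and `owasp/html` subdirectories, and the `&&` chaining (which skips the HTML run if the XML run fails) are assumptions built on the command line quoted in the report.

```json
{
  "scripts": {
    "test:dependency:xml": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"package-lock.json\" --out \"owasp/xml\" --format XML",
    "test:dependency:html": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"package-lock.json\" --out \"owasp/html\" --format HTML",
    "test:dependency": "npm run test:dependency:xml && npm run test:dependency:html"
  }
}
```

Create both subdirectories before the first run, since the CLI rejects an --out path it cannot resolve; the separate subdirectories are what stops one run from wiping the other's report.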