jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Does it support Google Cloud Build? #5763

Closed liuhe-trec closed 1 year ago

liuhe-trec commented 1 year ago

Hi, I want to integrate it into my CI pipeline with Google Cloud Build:

steps:
  - name: 'owasp/dependency-check'
    args: [ "-s", "/workspace",
            "-f", "ALL",
            "-o", "/workspace/",
            "-l", "/workspace/dependency-check.log"]

The error looks like this:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (6 seconds)
[INFO] Finished CPE Analyzer (7 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 2 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (9 seconds)
[INFO] Writing report to: /workspace/dependency-check-report.xml
[ERROR] Error generating the report for 

So I don't know why, or what to do next. Please help me!

aikebah commented 1 year ago

DependencyCheck does not "support" any CI/build environment; it would be the other way around: the CI/build environment supporting running dependency-check as part of the build.

That said....

It should be perfectly feasible and supported in Google Cloud Build to run it, and it is especially not expected to fail at the report-writing phase (unless you misconfigure output locations).

Try to find the actual error it encounters, because your quoted log ends with 'Error generating the report for', which is not helpful for digging down into why it fails.

The best place to start would be the debug log inside /workspace/dependency-check.log, which should have been created in your Cloud Build workspace since you supplied the -l argument to have the debug log written to that logfile.

Note: I've never worked with Google Cloud Build, so I can't help you with how to obtain and/or save contents from your workspace for further inspection.

If /workspace/dependency-check.log cannot be found, then the likely root cause would be that Google Cloud Build requires you to produce output somewhere other than the workspace/ folder.
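The debugging advice above, turned into a script. This is an added example, not code from the issue or from the dependency-check project: it mirrors the Cloud Build step in the issue (the owasp/dependency-check image, /workspace as scan root, output directory and log path) so the run can be reproduced locally with docker, checks that the output directory is writable before scanning, and on failure pulls the [ERROR] / exception / "Caused by:" lines out of the debug log instead of stopping at "Error generating the report for". The scanner flags used (--scan, --format, --out, --log) are the long forms of the -s/-f/-o/-l flags in the issue. The sample log written by make_sample_log is constructed for the example, not real scanner output, and the helper and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread or the dependency-check project).
# Reproduces the Cloud Build step from the issue locally and surfaces the real
# error from the debug log when the run fails. Assumes docker is installed
# for run_scan; the helper functions need only POSIX sh.

set -u

WORKSPACE="${WORKSPACE:-/workspace}"       # scan root and output dir, as in the issue
LOG="$WORKSPACE/dependency-check.log"      # -l / --log target, as in the issue

# Preflight: reports and the log go into the output dir, so it must be a
# writable directory. This runs as the host user, so it is a necessary but
# not sufficient check for the user the container process runs as.
check_writable() {
  dir="$1"
  [ -d "$dir" ] && [ -w "$dir" ]
}

# Pull out the lines that explain a failure: [ERROR] lines, Java exception
# lines and the "Caused by:" chain. Returns 1 if none, 2 if the log is missing.
extract_errors() {
  log="$1"
  [ -r "$log" ] || { echo "no log at $log (check where the step may write)" >&2; return 2; }
  grep -E '\[ERROR\]|Exception|Caused by:' "$log"
}

# Count report files actually produced. The issue's log names
# dependency-check-report.xml; --format ALL yields several such files.
count_reports() {
  dir="$1"
  set -- "$dir"/dependency-check-report.*
  if [ -e "$1" ]; then echo $#; else echo 0; fi
}

# Same invocation as the Cloud Build step, run through docker. Not called by
# default so the helpers can be exercised without docker (RUN_SCAN=1 to run).
run_scan() {
  check_writable "$WORKSPACE" || { echo "$WORKSPACE is not a writable directory" >&2; return 1; }
  if ! docker run --rm -v "$WORKSPACE:/src" owasp/dependency-check \
        --scan /src --format ALL --out /src --log /src/dependency-check.log; then
    echo "dependency-check failed; relevant log lines:" >&2
    extract_errors "$LOG" >&2
    return 1
  fi
  echo "reports written: $(count_reports "$WORKSPACE")"
}

# Constructed sample log (NOT real scanner output): the tail of the issue's
# log plus a made-up exception chain, for trying extract_errors offline.
make_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
[INFO] Analysis Complete (9 seconds)
[INFO] Writing report to: /workspace/dependency-check-report.xml
[ERROR] Error generating the report for
org.owasp.dependencycheck.exception.ReportException: (constructed) unable to write report
Caused by: java.io.IOException: (constructed) cannot open report file for writing
EOF
  echo "$f"
}

if [ "${RUN_SCAN:-0}" = 1 ]; then
  run_scan
fi
```

Usage: `RUN_SCAN=1 WORKSPACE=$PWD sh scan.sh` runs the scan against the current directory; without RUN_SCAN the functions can be sourced and pointed at a log copied out of the build. In a pipeline the same idea applies: make the failing step print `extract_errors` output (or the whole log) before it exits, so the cause is visible in the build output even when the workspace is discarded.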

liuhe-trec commented 1 year ago

Thank you @aikebah.

It was my fault. The owasp/dependency-check image couldn't be directly used in Google Cloud Build. So, I created a new image, and now it works. It is able to generate the reports.