microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Bandit and BinSkim cause errors #15

Closed pim-simons closed 1 year ago

pim-simons commented 1 year ago

Both Bandit and BinSkim are listed here as available tools. However, when I run the extension with this config:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Defender for DevOps'
  inputs:
    tools: bandit

The run fails with:

[error]bandit is missing required argument: Target

[error]Error running bandit job: 1 of 1

[error]AnalyzerMissingRequiredArgumentsException: bandit is missing one or more required arguments.

Same for BinSkim, if I run it like this:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Run Microsoft Defender for DevOps'
  inputs:
    tools: binskim

The run fails with:

[error]Error running binskim job: 1 of 1

[error]InvalidResponseFileContentsException: Cannot create a response file with zero arguments. Ensure that your arguments are correctly set up.

Also when I run the task without specifying a tool (in which case all tools should be executed), bandit and binskim are missing:

Applicable Tools:
Tool Name: credscan
Tool Version: 2.5.0.5
Tool Config File Path: D:\a\1\s\.gdn\c\credscan.gdntool

Tool Name: eslint
Tool Version: 7.32.0.2
Tool Config File Path: D:\a\1\s\.gdn\c\eslint.gdntool

Tool Name: templateanalyzer
Tool Version: 0.3.1
Tool Config File Path: D:\a\1\s\.gdn\c\templateanalyzer.gdntool

Tool Name: terrascan
Tool Version: 1.14.0.1
Tool Config File Path: D:\a\1\s\.gdn\c\terrascan.gdntool

Tool Name: trivy
Tool Version: 0.19.2.1
Tool Config File Path: D:\a\1\s\.gdn\c\trivy.gdntool

Are Bandit and BinSkim supported or not?

nb-atudose commented 1 year ago

I encounter a similar issue. I receive this error:

##[error]GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned. BinSkim targets must be a specific filename, or a pattern with a wildcard like *.dll, dir\*.dll, or dir\*

How can I specify the binskim targets to the MicrosoftSecurityDevOps task?

nb-atudose commented 1 year ago

Found the solution in another GitHub issue. I added the .gdnconfig file with the content below to the project and it worked.

{
  "tools": [
    {
      "tool": {
        "name": "BinSkim",
        "version": "Latest"
      },
      "arguments": {
        "IgnorePdbLoadError": "true"
      }
    }
  ]
}

and in the pipeline file:

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    config: 'gdnconfig/.gdnconfig'
    break: true
    tools: 'binskim'

flytzen commented 1 year ago

There is a similar issue when specifying template-analyzer as the tool: ##[error]ConfigurationPathNotFoundException: A configuration file could not be found for: template-analyzer-linux

It works if I don't specify any tools at all.

chrisnielsen-MS commented 1 year ago

These are supported tools, but they require some configuration to run. By default, the Bandit config tries to find .py files in your source but if it does not find them it will fail in this way. Binskim does the same, looking for .dll/.exe files. You can configure them to use another location either with a config file as described by @nb-atudose, or configure them in your pipeline yml as described in the wiki here: https://github.com/microsoft/security-devops-azdevops/wiki
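Added example, not code from the extension or from anyone in this thread: a local pre-flight script that applies the explanation above (Bandit's default search for .py files, BinSkim's for .dll/.exe files, a job that fails when the search finds nothing) to a source tree and an optional .gdnconfig, so a pipeline author can predict which selected tools will fail before queuing a run. The `Target` argument name is taken from the bandit error quoted in the first post; treating it as an override that skips the default search, the comma-separated form of the task's `tools:` input, and the .gdnconfig layout (copied from the earlier comment) are assumptions.

```python
"""Pre-flight check for Microsoft Security DevOps tool selection.

Added example written for this thread; it is not code from the
microsoft/security-devops-azdevops project. It encodes the explanation in
the last comment: with no explicit target, Bandit's default config looks
for .py files and BinSkim's for .dll/.exe files, and a tool whose search
finds nothing fails the job. Assumptions (not confirmed by the thread): the
.gdnconfig layout is the one posted above, and an explicit "Target"
argument (the name quoted in the bandit error) replaces the default search.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Union

# Default discovery per tool, as described in the thread (suffixes compared case-insensitively).
DEFAULT_SUFFIXES = {
    "bandit": {".py"},
    "binskim": {".dll", ".exe"},
}

# The .gdnconfig posted in the thread: it tunes BinSkim but sets no Target.
POSTED_GDNCONFIG = """
{
  "tools": [
    {"tool": {"name": "BinSkim", "version": "Latest"},
     "arguments": {"IgnorePdbLoadError": "true"}}
  ]
}
"""

# Constructed variant (assumed argument name) pointing BinSkim at a wildcard from the error text.
TARGETED_GDNCONFIG = """
{
  "tools": [
    {"tool": {"name": "BinSkim", "version": "Latest"},
     "arguments": {"Target": "*.dll", "IgnorePdbLoadError": "true"}}
  ]
}
"""


def explicit_targets(gdnconfig_text: Optional[str]) -> Dict[str, str]:
    """Map lower-cased tool name -> Target for entries that set one (assumed to override discovery)."""
    if not gdnconfig_text:
        return {}
    targets = {}
    for entry in json.loads(gdnconfig_text).get("tools", []):
        name = (entry.get("tool") or {}).get("name", "").lower()
        target = (entry.get("arguments") or {}).get("Target")
        if name and target:
            targets[name] = str(target)
    return targets


def default_discovery_finds(tool: str, root: Path) -> bool:
    """True if the tool's default file search would hit at least one file under root."""
    suffixes = DEFAULT_SUFFIXES[tool]
    return any(p.is_file() and p.suffix.lower() in suffixes for p in root.rglob("*"))


def preflight(tools: Union[str, Iterable[str]], root: Path,
              gdnconfig_text: Optional[str] = None) -> Dict[str, str]:
    """Classify each requested tool before the pipeline runs.

    'ok'              default search finds files under root
    'no-targets'      default search finds nothing: expect the job to fail as in the thread
    'explicit-target' the .gdnconfig sets Target, so discovery is skipped (assumption)
    'unknown-default' no default rule known here; not a verdict either way
    """
    if isinstance(tools, str):  # assumed: the task's `tools:` input is a comma-separated list
        tools = tools.split(",")
    targets = explicit_targets(gdnconfig_text)
    verdict = {}
    for tool in (t.strip().lower() for t in tools if t.strip()):
        if tool in targets:
            verdict[tool] = "explicit-target"
        elif tool not in DEFAULT_SUFFIXES:
            verdict[tool] = "unknown-default"
        elif default_discovery_finds(tool, root):
            verdict[tool] = "ok"
        else:
            verdict[tool] = "no-targets"
    return verdict


def demo(gdnconfig_text: Optional[str] = None) -> Dict[str, str]:
    """Run preflight over a constructed tree with one .py file and no binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.py").write_text("print('hello')\n")
        return preflight("bandit,binskim,credscan", root, gdnconfig_text)


if __name__ == "__main__":
    print(demo())                    # bandit ok, binskim no-targets, credscan unknown-default
    print(demo(TARGETED_GDNCONFIG))  # binskim becomes explicit-target
```

Run it against the real checkout with `preflight("bandit,binskim", Path("."), Path(".gdnconfig").read_text())` before committing a `tools:` change; a `no-targets` verdict is the local equivalent of the "missing required argument" and "Verify the target(s)" failures quoted in this issue.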