DependencyCheck
Cannot run dependency check on MacOS if dotnet 7 is installed
Describe the bug
On MacOS X 13.1 (Ventura), when dotnet 7.0.100 is installed with homebrew, the dependency check analyze task called through Gradle fails.
Version of dependency-check used
The problem occurs using version 7.4.3 of the gradle plugin and dotnet 7.0.100.
Log file
https://gist.github.com/robertwenner/3c7afefdd85789164d6fa5b106d64068
To Reproduce
Steps to reproduce the behavior:
- Create a new minimal project:
mkdir mcve
cd mcve
gradle init --type kotlin-application --dsl kotlin # accept defaults for everything else
- Install dotnet from homebrew and add /usr/local/bin/ to the $PATH:
brew install dotnet # for latest version
export PATH="$PATH:/usr/local/bin"
- Add Dependency Check to the project's dependencies block in app/build.gradle.kts:
id("org.owasp.dependencycheck") version "7.4.3"
- Run:
./gradlew --stacktrace depCheckAna
Expected behavior
Dependency Check should analyze the project without errors.
Additional context
The problem is first that there is no clear error message, making this hard to troubleshoot.
Then I don't understand why a .NET analyzer breaks my setup when I don't even use any .NET stuff.
Uninstalling dotnet (brew remove dotnet) is a workaround, but probably not helpful if you actually have .NET projects. Downgrading to dotnet 6 may be a slightly better workaround; it works as expected with dotnet 6:
brew install dotnet@6
export PATH="$PATH:/usr/local/opt/dotnet@6/bin"
./gradlew depCheckAna
Best workaround is probably to configure assemblyEnabled = false.
Looking at https://github.com/jeremylong/DependencyCheck/blob/13e56acb4e81980e17ff374964d47630d07a57da/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java#L367 I am wondering if the check is correct: it seems odd to expect an exit code of 1 for success, instead of 0 as in the Unix world. The Process.exitCode Javadoc also assumes 0 means success.
Seems like the code in https://github.com/jeremylong/DependencyCheck/blob/13e56acb4e81980e17ff374964d47630d07a57da/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java#L468 tries to run dotnet --info which does exit with 0 (in both 6 and 7) when I run it on the shell. But I don't know if this is the same on Windows, which is probably a more likely environment for .NET development.
I saw that the required dotnet version is 6, but from what I remember it looked like a testing / development dependency only. I also was hoping this was the minimum requirement, not an exact requirement. Guess I was mistaken. Either way a better error message would be appreciated.
Then I don't understand why a .NET analyzer breaks my setup when I don't even use any .NET stuff.
You likely depend on a jar-file with an embedded native code dll.
Regarding the errors: you're not saying which error message you do see, but I do recall that gradle typically swallows/hides important output for debugging issues when you don't run it in the 'raw console' mode.
To get a scan on anything but the embedded native dlls you could update the plugin's analyzers configuration to switch off the assembly analyzer.
And regarding the dotnet version: yes, the assembly analyzer really needs version 6 of the runtime installed (it should support running with 6 and 7 installed in parallel, but with only 7 installed I expect it to fail. I don't recall the exact details, but it's somehow hard-wired to a specific dotnet major version via GrokAssembly.dll).
https://jeremylong.github.io/DependencyCheck/analyzers/assembly-analyzer.html
https://github.com/jeremylong/GrokAssembly/pull/4
Have you considered installing the dotnet 6 runtime as well as dotnet 7?
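The workaround mentioned above (disabling the assembly analyzer) as a minimal app/build.gradle.kts; this is an added example, not code from the issue or from the plugin's documentation, and the plugin ids other than org.owasp.dependencycheck are assumed to be whatever `gradle init` generated for the project.

```kotlin
// app/build.gradle.kts (added example; the kotlin/application plugin lines are
// assumed from the `gradle init --type kotlin-application` template)
plugins {
    kotlin("jvm")                                   // assumed template plugin
    application                                     // assumed template plugin
    id("org.owasp.dependencycheck") version "7.4.3" // plugin version from the issue
}

dependencyCheck {
    // Workaround for the dotnet 7 failure described in this issue: skip the
    // .NET assembly analyzer, so dependency-check never invokes `dotnet`.
    // Caveat: native DLLs embedded inside jar dependencies are then no longer
    // inspected for known vulnerabilities; all other analyzers still run.
    analyzers.assemblyEnabled = false
}
```

Re-enable the analyzer once a dotnet runtime the plugin supports is installed alongside dotnet 7, so embedded assemblies are covered again.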
Now that .NET 8 is the new LTS, would you update the grok thingie to support that?
Likely need to. Only issue is that I'm fairly tied up with non-OSS work atm. We accept PRs: https://github.com/jeremylong/GrokAssembly
It'll likely look a lot like this PR
See https://github.com/jeremylong/DependencyCheck/pull/6580
We will be releasing an updated version that will require dotnet 8.