
Dependency check not running in Azure Gradle plugin

Open lars06 opened this issue 1 year ago • 3 comments

Hi there. I have recently added this plugin to my project. When running ./gradlew dependencyCheckAnalyze locally, everything runs correctly. However, when running using the Azure DevOps Gradle task, the command is changed and the pipeline runs build instead of dependencyCheckAnalyze, leading to no dependency check. Do you have any idea why this would happen?

Running v8.1.0, with plugin configuration:

dependencyCheck {
    // suppression file for known false positives, relative to the project root
    suppressionFiles = file("owasp-dependency-suppression.xml")
    // fail the build when any finding has a CVSS score of 8.0 or higher
    failBuildOnCVSS = 8.0
    // where the dependency-check report is written
    outputDirectory = file("build/reports/dependency-check")
    cve {
        // only pull NVD data from 2020 onward
        startYear = 2020
    }
}

and pipeline configuration:

- task: Gradle@3
  displayName: 'Run dependency check'
  inputs:
    jdkVersionOption: $(jdkVersion)
    publishJUnitResults: false
    goals: 'dependencyCheckAnalyze'
    options: '-x test -x integrationTest'

which leads to the Azure pipeline running the following command: /agent/_work/2/s/gradlew -x test -x integrationTest build when it should be dependencyCheckAnalyze

lars06 avatar Feb 14 '23 14:02 lars06

Not a clue, but you could add something like build.dependsOn dependencyCheckAnalyze.

jeremylong avatar Feb 15 '23 13:02 jeremylong

The problem is then every build will be run with dependency check, which is not ideal for pipeline speed. I tried to run ./gradlew dependencyCheckAnalyze on the pipeline with a bash task and it works properly, so there must be a compatibility problem with dependency-check-gradle and the Gradle task on Azure.

lars06 avatar Feb 15 '23 13:02 lars06

This wouldn't be a problem with the Dependency Check plugin but your pipeline configuration for Azure DevOps. It doesn't appear to have been properly configured to run the right task.

I've never used Azure DevOps, but from a quick glance at your snippet I would say this is likely your problem:

goals: 'dependencyCheckAnalyze'

Phases and goals are Maven vernacular; Gradle calls them tasks. The Gradle@3 documentation you linked had an example that uses tasks as the key instead.

# Gradle v3
# Build using a Gradle wrapper script.
- task: Gradle@3
  inputs:
    gradleWrapperFile: 'gradlew' # string. Alias: wrapperScript. Required. Gradle wrapper. Default: gradlew.
    #workingDirectory: # string. Alias: cwd. Working directory. 
    #options: # string. Options. 
    tasks: 'build' # string. Required. Tasks. Default: build.

Sounds like you've set the wrong key-value pair and it's still defaulting to build rather than your expected dependencyCheckAnalyze.

ThomGeG avatar Oct 10 '23 04:10 ThomGeG
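The failure mode in this thread is worth guarding against explicitly: an unrecognized input such as goals is ignored, the step falls back to the default tasks: build, the job goes green, and no scan ever runs. The following pipeline fragment is an added example, not code from the issue, the plugin, or the Azure DevOps docs. It shows the broken step beside the corrected one and adds a step that fails the job if no report was written. The paths and the $(jdkVersion) variable are taken from the issue; the report file name dependency-check-report.html is assumed to be the plugin's default HTML output for the configured outputDirectory.

```yaml
# Added example (not from the issue or the plugin docs): Azure DevOps steps
# that run dependencyCheckAnalyze and then verify the scan actually happened.
steps:
  # Wrong: 'goals' is not an input of Gradle@3. It is silently ignored and the
  # step runs the default 'tasks: build', so the dependency check never runs.
  # - task: Gradle@3
  #   inputs:
  #     goals: 'dependencyCheckAnalyze'

  # Correct: Gradle@3 takes 'tasks' (space-separated Gradle task names).
  - task: Gradle@3
    displayName: 'Run dependency check'
    inputs:
      gradleWrapperFile: 'gradlew'
      jdkVersionOption: $(jdkVersion)
      publishJUnitResults: false
      tasks: 'dependencyCheckAnalyze'
      options: '-x test -x integrationTest'

  # Guard: a misconfigured step can run 'build' and still succeed, so assert
  # that the report from outputDirectory exists before the job is allowed to
  # pass. The report file name is assumed to be the plugin's default.
  - task: Bash@3
    displayName: 'Verify dependency-check report exists'
    inputs:
      targetType: inline
      script: |
        set -eu
        report="$(Build.SourcesDirectory)/build/reports/dependency-check/dependency-check-report.html"
        if [ ! -s "$report" ]; then
          echo "##vso[task.logissue type=error]dependency-check report not found at $report; the scan did not run"
          exit 1
        fi
        echo "dependency-check report found: $report"

  # Keep the report with the build so findings can be reviewed later.
  - task: PublishBuildArtifacts@1
    displayName: 'Publish dependency-check report'
    inputs:
      pathToPublish: 'build/reports/dependency-check'
      artifactName: 'dependency-check'
```

The guard step is the part that would have caught this issue on the first run: with goals in place of tasks, the Gradle step prints a build command rather than dependencyCheckAnalyze, the report directory is never created, and the Bash step fails the job instead of letting an unscanned build through.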