dependency-check-gradle
Dependency check not running in Azure Gradle plugin
Hi there. I have recently added this plugin to my project. When running ./gradlew dependencyCheckAnalyze locally, everything runs correctly. However, when running using the Azure DevOps Gradle task, the command is changed and the pipeline runs build instead of dependencyCheckAnalyze, leading to no dependency check. Do you have any idea why this would happen?
Running v8.1.0, with plugin configuration:
dependencyCheck {
    suppressionFiles = file("owasp-dependency-suppression.xml")
    failBuildOnCVSS = 8.0
    outputDirectory = file("build/reports/dependency-check")
    cve {
        startYear = 2020
    }
}
and pipeline configuration:
task: Gradle@3
displayName: 'Run dependency check'
inputs:
  jdkVersionOption: $(jdkVersion)
  publishJUnitResults: false
  goals: 'dependencyCheckAnalyze'
  options: '-x test -x integrationTest'
which leads to the Azure pipeline running the following command:
/agent/_work/2/s/gradlew -x test -x integrationTest build
when it should be dependencyCheckAnalyze.
not a clue - but you could add something like build.dependsOn dependencyCheckAnalyze.
The problem is then every build will be run with dependency check, which is not ideal for pipeline speed. I tried to run ./gradlew dependencyCheckAnalyze on the pipeline with a bash task and it works properly, so there must be a compatibility problem with dependency-check-gradle and the Gradle task on Azure.
This wouldn't be a problem with the Dependency Check plugin but your pipeline configuration for Azure DevOps. It doesn't appear to have been properly configured to run the right task.
I've never used Azure DevOps, but from a quick glance at your snippet I would say this is likely your problem:
goals: 'dependencyCheckAnalyze'
Phases & Goals are Maven vernacular, Gradle calls them tasks. The Gradle@3 documentation you linked had an example that uses tasks as the key instead.
# Gradle v3
# Build using a Gradle wrapper script.
- task: Gradle@3
  inputs:
    gradleWrapperFile: 'gradlew' # string. Alias: wrapperScript. Required. Gradle wrapper. Default: gradlew.
    #workingDirectory: # string. Alias: cwd. Working directory.
    #options: # string. Options.
    tasks: 'build' # string. Required. Tasks. Default: build.
Sounds like you've set the wrong key-value pair and it's still defaulting to build rather than your expected dependencyCheckAnalyze.
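A pipeline lint for exactly this failure mode, added here as an example and not code from the plugin or from anyone in this thread: it scans Azure Pipelines YAML for Gradle@3 steps whose inputs use the Maven-style goals key or omit tasks entirely, since either way the step silently runs the default build task and the dependency check never executes. The sample YAML is constructed, and the line-based scanner is a deliberately minimal stand-in for a real YAML parser.

```python
import re

SAMPLE_PIPELINE = """\
# constructed sample: the misconfigured step from the issue, then a corrected one
- task: Gradle@3
  displayName: 'Run dependency check'
  inputs:
    goals: 'dependencyCheckAnalyze'
    options: '-x test -x integrationTest'
- task: Gradle@3
  displayName: 'Run dependency check (fixed)'
  inputs:
    tasks: 'dependencyCheckAnalyze'
"""

def find_gradle_steps(text):
    # Minimal line-based scan (a stand-in for a real YAML parser): returns the
    # `inputs:` mapping of every `- task: Gradle@*` step, in pipeline order.
    steps, current, in_inputs, inputs_indent = [], None, False, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = re.match(r"-\s*task:\s*(\S+)", stripped)
        if m:  # start of a step; only Gradle@* steps are tracked
            in_inputs = False
            current = {} if m.group(1).startswith("Gradle@") else None
            if current is not None:
                steps.append(current)
            continue
        if current is None:
            continue
        if in_inputs and indent > inputs_indent:  # a key under inputs:
            key, _, val = stripped.partition(":")
            current[key.strip()] = val.strip().strip("'\"")
        elif stripped == "inputs:":
            in_inputs, inputs_indent = True, indent
        else:
            in_inputs = False  # back at step level (displayName, condition, ...)
    return steps

def lint_gradle_steps(text):
    # One (step index, reason) per Gradle step that would silently fall back to `build`.
    findings = []
    for i, inputs in enumerate(find_gradle_steps(text)):
        if "goals" in inputs:
            findings.append((i, f"'goals' is a Maven key; use tasks: '{inputs['goals']}'"))
        elif "tasks" not in inputs:
            findings.append((i, "no 'tasks' key; step defaults to 'build'"))
    return findings
```

Running lint_gradle_steps over a pipeline file as a pre-merge check flags the step from this issue (index 0) and stays silent on the corrected step that uses tasks.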