
Use exit codes between 0 and 255 (inclusive)

Open candrews opened this issue 2 years ago • 4 comments

Fixes Issue

Shells express exit codes in the range of 0-255. Anything outside of that range is brought into that range by modding it 256.

For example: -1 becomes 255, -2 becomes 254, -3 becomes 253.

This need to convert exit codes in shell scripts to use dependency check is unexpected and confusing.

For that reason, returning exit codes outside of 0-255 is unusual and generally discouraged.

See: https://tldp.org/LDP/abs/html/exit-status.html

Description of Change

Therefore, use exit codes in the 0-255 range by changing all negative exit codes to positive ones (ex, -1 becomes 1).

With this change, exit code 1 was used for both help and CVSS score failure. Therefore, the CVSS score failure exit code was changed to 15.

Have test cases been added to cover the new functionality?

no

candrews avatar May 18 '22 15:05 candrews

The only handling of return code in a script in my view would be a check for success or failure, which would mean comparison of the exit code to 0 (SUCCESS) and potentially a print of the non-zero exit code received for diagnostic purposes. That check would be transparent to the exit codes used.

https://unix.stackexchange.com/questions/418784/what-is-the-min-and-max-values-of-exit-codes-in-linux shows that what exit code ranges are available depends on the shell.

The valid exit codes available to POSIX-compliant systems are the full range of int, as per https://pubs.opengroup.org/onlinepubs/9699919799/functions/_exit.html / https://pubs.opengroup.org/onlinepubs/9699919799/functions/exit.html (with typically the least significant byte being made available to shell scripts).

aikebah avatar May 18 '22 19:05 aikebah

> The only handling of return code in a script in my view would be a check for success or failure

My use case is that I want to differentiate between 3 exit reasons when using the --failOnCVSS argument:

  1. Dependency check ran and found no vulnerabilities
  2. Dependency check ran and found vulnerability
  3. Dependency check failed to run for some reason

With this MR, I'd check for exit codes 0, 11, and anything else, respectively.

> https://unix.stackexchange.com/questions/418784/what-is-the-min-and-max-values-of-exit-codes-in-linux shows that what exit code ranges are available depends on the shell

Agreed. Most users use bash, dash, or busybox sh - and all of those truncate to 0-255. And that furthers my point that using exit codes outside of the 0-255 range results in unexpected behavior, which is why it's generally recommended to stick to that range.

> with typically the least significant byte being made available to shell scripts

"Typically" indicates inconsistent behavior, which is generally a good idea to avoid.

candrews avatar May 18 '22 19:05 candrews
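The three-way check described in the comment above, sketched as a CI gate; this is an added example, not code from the PR or from DependencyCheck. The function names are hypothetical, `sh -c 'exit N'` is a constructed stand-in for the scanner, and 15 is the CVSS failure code given in the PR description (confirm the value for the release you run).

```shell
#!/bin/sh
# Added example (not DependencyCheck code). Function names are hypothetical.

# Status a shell sees in $? when a process exits with integer status $1:
# only the low 8 bits survive, so -1 is seen as 255 and -3 as 253.
seen_status() {
    echo $(( ($1 % 256 + 256) % 256 ))
}

# Map an observed $? ($1) to one of three outcomes, given the code the tool
# documents for "CVSS threshold exceeded" ($2). The documented code is
# normalised first, so a release that documents a negative code still matches.
classify_scan() {
    cvss_seen=$(seen_status "$2")
    if [ "$1" -eq 0 ]; then
        echo clean
    elif [ "$1" -eq "$cvss_seen" ]; then
        echo vulnerable
    else
        # Any other status means the scan itself did not complete.
        # Treat it as a failed gate, never as "no findings".
        echo scan-error
    fi
}

# Run the scanner command ($2...) and classify its result.
# $1 = documented CVSS failure code (assumption: supplied by the caller).
gate() {
    cvss_code=$1
    shift
    rc=0
    # '|| rc=$?' keeps the status even when the caller runs under 'set -e';
    # scanner output goes to stderr so stdout carries only the verdict.
    "$@" >&2 || rc=$?
    classify_scan "$rc" "$cvss_code"
}

# Demo with constructed stand-ins for the scanner.
gate 15 sh -c 'exit 0'     # clean
gate 15 sh -c 'exit 15'    # vulnerable
gate 15 sh -c 'exit 2'     # scan-error
gate -2 sh -c 'exit 254'   # vulnerable (documented -2 is seen as 254)
```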

@jeremylong what do you think? Looks reasonable to me, but think we should postpone integrating for an 8.x release as it will break existing return code handling in scripted runs.

aikebah avatar May 18 '22 21:05 aikebah

I agree with the PR - but it would be a breaking change. This will get merged, but we might have a release or two happen before we move to 8.0.0.

jeremylong avatar May 25 '22 09:05 jeremylong