
feature request: add a markdown summary

Open efenderbosch-atg opened this issue 2 years ago • 3 comments

Generate a summary markdown file that can be included in build results instead of the entire result document.

As a workaround, this can be done w/ some utilities, but would be nice to have as a built in feature.

# Convert the HTML report to GitHub-flavored markdown, keep only the Summary
# section (up to, but excluding, the Dependencies heading) and append it to the job summary
pandoc build/reports/dependency-check-jenkins.html -f html -t gfm | \
  sed -n '/## Summary/,/## Dependencies/p' | \
  grep -v '## Dependencies' >> "$GITHUB_STEP_SUMMARY"

efenderbosch-atg, Jul 12 '23 15:07

A cleaner work-around (or even solution for your use case?) might be to use your own custom report template (a somewhat hidden, but available feature which, since version 7.4.4, PR #5197, can be used in addition to standard built-in report formats)

You can feed your own template by providing the full path to a velocity template (must be a path to a file that can be given to java.io.File#File(java.lang.String) constructor yielding true for java.io.File#isFile()) or the name of a custom template that you provide on the classpath. It allows for exactly the amount of detail that you would like to have as a github-flavored-markdown formatted report.

https://github.com/jeremylong/DependencyCheck/blob/6d1d84b4fd423754dde772914b3a55557a116623/core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java#L299-L308

https://github.com/jeremylong/DependencyCheck/blob/6d1d84b4fd423754dde772914b3a55557a116623/core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java#L436-L446

aikebah, Jul 12 '23 16:07

example VSL file:

#**
 See VSL templates in https://github.com/jeremylong/DependencyCheck/tree/main/core/src/main/resources/templates for information about available values
 *###
#set($double_hash = '##')
#set($triple_hash = '###')
# Dependency-Check Report

[How to read the report](https://jeremylong.github.io/DependencyCheck/general/thereport.html) | [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)

$double_hash Project: $applicationName

* application: $applicationName
#if($applicationVersion)
* application version: $applicationVersion
#end
* NVD API Last Checked: ${properties.getMetaData().get("NVD API Last Checked")}
* NVD API Last Modified: ${properties.getMetaData().get("NVD API Last Modified")}
* scan date: $scanDateXML
* DependencyCheck version: $version
#if($groupID)
* groupID: $groupID
#end
#if($artifactID)
* artifactID: $artifactID
#end

$double_hash Vulnerabilities

#set($vulnerableDependencies = []) 
#foreach($dependency in $dependencies)
    #if($dependency.getVulnerabilities().size()>0)
        #set($ignore = $vulnerableDependencies.add($dependency))
    #end
#end
#if($artifactID)
There are $vulnerableDependencies.size() vulnerable dependencies for *$artifactID*
#else
There are $vulnerableDependencies.size() vulnerable dependencies for *$applicationName*
#end
#foreach($dependency in $vulnerableDependencies)

$triple_hash $dependency.DisplayFileName

    #set($depDesc = $dependency.description)
    #if($depDesc && $depDesc.length() > 0)
$depDesc.replaceAll("\n", " ").replaceAll("\s+", " ").trim()

    #end
    #foreach($vuln in $dependency.getVulnerabilities(true))
        #if($vuln.description.length() < 80)
* [$vuln.name](https://nvd.nist.gov/vuln/detail/$vuln.name): $vuln.description
        #else
* [$vuln.name](https://nvd.nist.gov/vuln/detail/$vuln.name): $vuln.description.substring(0,80)…
        #end
    * $vuln.getCwes().toString()
        #if($vuln.cvssV3)
    * CVSSv3 base severity / score: $vuln.cvssV3.cvssData.baseSeverity / $vuln.cvssV3.cvssData.baseScore
        #else
            #if($vuln.cvssV2)
    * CVSSv2 base severity / score: $vuln.cvssV2.cvssData.baseSeverity / $vuln.cvssV2.cvssData.baseScore
            #end
        #end
    #end
#end

Please check the attached HTML report to see full descriptions.
Vulnerabilities might be recurring if they were suppressed (in the suppression XML file) using an `until` date.

Now store this in a file, e.g. DependencyCheck-report.md.vsl, and specify this file as a format when running DependencyCheck, e.g. in build.gradle.kts:

import org.owasp.dependencycheck.reporting.ReportGenerator

dependencyCheck {
    outputDirectory = "${project.layout.buildDirectory.dir("reports").get()}"
    // the built-in HTML report plus the custom Velocity template, passed as a file path
    formats = listOf(
        ReportGenerator.Format.HTML.toString(),
        project.layout.projectDirectory.file("DependencyCheck-report.md.vsl").asFile.path
    )
}

This will create the markdown report reports/DependencyCheck-report.md

Thanks goes as well to @dhs3000!

efasel, May 06 '24 14:05
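For builds that cannot pass a custom template (or that only keep the JSON report), the same summary can be produced after the scan from the JSON output. The script below is an added example, not code from this thread or from DependencyCheck; it mirrors the template above (vulnerable-dependency count, NVD-linked CVE bullets, descriptions cut at 80 characters, CVSSv3 preferred over CVSSv2) and the JSON key names it reads, as well as the embedded sample report, are assumptions.

```python
import json

# Constructed sample shaped like a DependencyCheck JSON report; the key names
# (dependencies, vulnerabilities, cvssv3.baseScore, cvssv2.score, ...) are assumed.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "demo-app"},
    "dependencies": [
        {"fileName": "safe-lib-1.0.jar", "vulnerabilities": []},
        {"fileName": "old-parser-2.3.jar",
         "description": "An XML\nparser   library.",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "description": "Short description.",
              "cwes": ["CWE-611"], "cvssv3": {"baseSeverity": "HIGH", "baseScore": 7.5}},
             {"name": "CVE-0000-0002", "description": "x" * 100,
              "cwes": ["CWE-20"], "cvssv2": {"severity": "MEDIUM", "score": 5.0}},
         ]},
    ],
})

NVD_URL = "https://nvd.nist.gov/vuln/detail/"

def summarize(report_json: str, max_desc: int = 80) -> str:
    """Render the same GFM summary as the VSL template: one section per vulnerable
    dependency, NVD-linked CVE bullets, descriptions cut at max_desc, CVSSv3 before v2."""
    report = json.loads(report_json)
    name = report.get("projectInfo", {}).get("name", "unknown")
    vulnerable = [d for d in report.get("dependencies", []) if d.get("vulnerabilities")]
    lines = [f"## Project: {name}", "",
             f"There are {len(vulnerable)} vulnerable dependencies for *{name}*"]
    for dep in vulnerable:
        lines += ["", f"### {dep['fileName']}"]
        desc = " ".join(dep.get("description", "").split())  # collapse newlines/whitespace
        if desc:
            lines += ["", desc]
        for v in dep["vulnerabilities"]:
            vdesc = v.get("description", "")
            if len(vdesc) >= max_desc:
                vdesc = vdesc[:max_desc] + "…"
            lines.append(f"* [{v['name']}]({NVD_URL}{v['name']}): {vdesc}")
            lines.append(f"    * {v.get('cwes', [])}")
            if "cvssv3" in v:
                c = v["cvssv3"]
                lines.append(f"    * CVSSv3 base severity / score: {c['baseSeverity']} / {c['baseScore']}")
            elif "cvssv2" in v:
                c = v["cvssv2"]
                lines.append(f"    * CVSSv2 base severity / score: {c['severity']} / {c['score']}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

In a GitHub Actions job, redirect the script's output into the file named by `$GITHUB_STEP_SUMMARY` to get the same job summary as with the template.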

(FTR, we can use the above markdown template with the Dependency-Check GitHub Action (--format <path to vsl>) to add the generated markdown as summary to the job run)

dhs3000, May 07 '24 09:05