"suppressionPath" option doesn't work #98

Open
sicil1ano opened this issue Jan 31, 2022 · 0 comments
sicil1ano commented Jan 31, 2022

Hi.

I'm using the Azure DevOps extension v0.2.10 in Azure DevOps Services.
I tried to use the following in my YAML pipeline, running it in a hosted agent:

```yaml
- task: OWASPDependencyCheck@0
  displayName: 'Run OWASP Dependency Check Scan'
  inputs:
    outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    outputFormat: 'ALL'
    scanDirectory: ${{ parameters.dependencyCheckScanDirectory }}
    useSonarQubeIntegration: ${{ parameters.enableSonarQubeIntegration }}
    suppressionPath: '$(System.DefaultWorkingDirectory)/owasp-dependency-check-suppressions.xml'
```

The extension is supposed to add a --suppression argument to the dependency check script, but this option doesn't work.
In the logs, I can't find anything about this option, but I guess it's being ignored. My dependency check report still shows my vulnerability as active, instead of being shown as suppressed.
The code checks that the provided path isn't the same as $(Build.SourcesDirectory) (evaluated as /home/vsts/work/1/s), and the path I provided gets evaluated as /home/vsts/work/1/s/owasp-dependency-check-suppressions.xml.
I think it should be fine. Is this correct?

I ended up using the additionalArguments option as a workaround. It worked with the following:

```yaml
additionalArguments: '--suppression $(System.DefaultWorkingDirectory)/owasp-dependency-check-suppressions.xml'
```

This is what the logs reported when I used the additionalArguments option:

```
Additional command line arguments: --suppression /home/vsts/work/1/s/owasp-dependency-check-suppressions.xml
```

This is what my XML suppression file looks like:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- This suppresses CVE-2020-8554 for KubernetesClient package.
     Please see https://github.com/kubernetes/kubernetes/issues/97076 & https://nvd.nist.gov/vuln/detail/CVE-2020-8554
     As per January 2022, the issue is not fixed yet. -->
  <suppress>
    <notes>
      <![CDATA[
      file name: KubernetesClient:6.0.25
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:nuget/KubernetesClient@.*$</packageUrl>
    <cve>CVE-2020-8554</cve>
    <cpe>cpe:/a:kubernetes:kubernetes</cpe>
  </suppress>
</suppressions>
```
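As an added example (not code from the extension, from Dependency-Check, or from the issue author), the script below parses a copy of the suppression file above and reports whether a given package URL and CVE would be covered by it; when a suppression appears to be ignored, this separates "the file was never passed to the scanner" from "the entry does not match the dependency". It assumes regex packageUrl filters are matched against the whole package URL and checks CVE entries only.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the suppression entry from the issue above.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: KubernetesClient:6.0.25]]></notes>
    <packageUrl regex="true">^pkg:nuget/KubernetesClient@.*$</packageUrl>
    <cve>CVE-2020-8554</cve>
    <cpe>cpe:/a:kubernetes:kubernetes</cpe>
  </suppress>
</suppressions>
"""

# The schema namespace must be used in every lookup, or findall() returns nothing.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


def load_suppressions(xml_text):
    """Parse each <suppress> into a dict of its packageUrl filter, CVEs and CPEs."""
    root = ET.fromstring(xml_text)
    entries = []
    for sup in root.findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)
        entries.append({
            "purl": None if purl is None else purl.text.strip(),
            "purl_regex": purl is not None and purl.get("regex", "false").lower() == "true",
            "cves": {c.text.strip().upper() for c in sup.findall("s:cve", NS)},
            "cpes": {c.text.strip() for c in sup.findall("s:cpe", NS)},
        })
    return entries


def purl_matches(entry, package_url):
    """Apply the entry's packageUrl filter; no filter means the entry applies to all."""
    if entry["purl"] is None:
        return True
    if entry["purl_regex"]:
        # Assumption: regex filters are matched against the whole package URL.
        return re.fullmatch(entry["purl"], package_url) is not None
    return entry["purl"] == package_url


def is_suppressed(entries, package_url, cve):
    """True if an entry whose packageUrl filter matches the dependency lists this CVE."""
    return any(purl_matches(e, package_url) and cve.upper() in e["cves"] for e in entries)
```

Running it against the package URL reported for the dependency in the scan report shows whether the entry would apply; if it does, the suppression file is not reaching the scanner at all.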