azure-devops owasp插件找不到依赖项
azure-devops owasp插件找不到依赖项
提问于 2021-03-18 13:09:56
当我在本地运行mvn verify时,针对一个java项目。Owasp返回发现的漏洞列表。但是,当我使用owasp插件在azure管道中执行相同的测试时,它会返回0个漏洞。两个测试都扫描目录的顶层。
下面是 Owasp插件在蔚蓝开发中启用
设置:
Azure管道模板
# owasp-dependency-check.yml@templates
parameters:
- name: scanDir
default: $(System.DefaultWorkingDirectory)
type: string
steps:
- task: OWASPDependencyCheck@0
inputs:
outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
scanDirectory: ${{ parameters.scanDir }}
outputFormat: 'HTML'
useSonarQubeIntegration: True
- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Agent.TempDirectory)'
artifact: 'dependency-scan-results'
publishLocation: 'pipeline'Azure管道
# azure-pipeline.yml
resources:
repositories:
- repository: templates
type: git
name: sandbox-reusable-tasks
stages:
- stage: Scan
displayName: Scan
jobs:
- job: Owasp
steps:
- template: owasp-dependency-check.yml@templates的笑话:
看来jar分析器没有运行。这是运行时的日志记录:
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
Finishing: OWASPDependencyCheck回答 1
Stack Overflow用户
回答已采纳
发布于 2021-03-19 10:53:55
我已经安装了正式的Owasp插件。我用的是一个带有声纳整合的分支。此外,在运行检查之前,我还在同一个代理上构建了该项目。这确保要扫描的文件在代理上可用(在artifactPublish和artifactDeploy任务上遇到困难)。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/66691780
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号