When running dependency check from the official docker image (latest - 5.3.0) with experimental features enabled on a go project, the process ends with the following error:
```
[ERROR] Exception from go process: java.io.IOException: Cannot run program "go" (in directory "/tmp/dctempb83f7667-f569-4dd5-8433-8e7a37a2cba5"): error=2, No such file or directory. Disabling Golang Mod Analyzer
ERROR: Job failed: exit code 242
FATAL: exit code 242
```
The command used for running the scan is:
```
/usr/share/dependency-check/bin/dependency-check.sh --enableExperimental --scan=./ --out=./report --data=./owasp
```
Cool thing is, when running it with the CLI on a Mac (same dependency-check version -5.3.0), the analysis is successful, narrowing the problem to the docker image build.
Version of dependency-check used
The problem occurs using version 5.3.0 of the docker image
Log file
```
[ERROR] Exception from go process: java.io.IOException: Cannot run program "go" (in directory "/tmp/dctempb83f7667-f569-4dd5-8433-8e7a37a2cba5"): error=2, No such file or directory. Disabling Golang Mod Analyzer
ERROR: Job failed: exit code 242
FATAL: exit code 242
```
To Reproduce
Run a scanner on a go project with the docker image.
Expected behavior
Runs
Additional context
Now, the problem seems to be that the docker image does not have go installed. Fixing it seems as simple as adding the golang-go package to the installation process:
```dockerfile
FROM openjdk:8-jre-slim
MAINTAINER Timo Pagel <[email protected]>
ENV user=dependencycheck
ENV version_url=https://jeremylong.github.io/DependencyCheck/current.txt
ENV download_url=https://dl.bintray.com/jeremy-long/owasp
# golang-go added so the Golang Mod Analyzer can spawn the "go" binary;
# unzip is needed to unpack the release archive below.
RUN apt-get update && \
    apt-get install -y --no-install-recommends wget ruby mono-runtime unzip golang-go && \
    gem install bundle-audit && \
    gem cleanup
RUN wget -O /tmp/current.txt ${version_url} && \
    version=$(cat /tmp/current.txt) && \
    file="dependency-check-${version}-release.zip" && \
    wget "$download_url/$file" && \
    unzip ${file} && \
    rm ${file} && \
    mv dependency-check /usr/share/ && \
    useradd -ms /bin/bash ${user} && \
    chown -R ${user}:${user} /usr/share/dependency-check && \
    mkdir /report && \
    chown -R ${user}:${user} /report && \
    apt-get remove --purge -y wget && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/* /tmp/*
USER ${user}
# JSON-array form needs commas between the entries
VOLUME ["/src", "/usr/share/dependency-check/data", "/report"]
WORKDIR /src
CMD ["--help"]
ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
```
_I had errors with unzip too and had to add it as well..._
Apparently go was not installed on the docker image...
I've seen quite a few changes from what it's supposed to be in Docker Hub ->
https://hub.docker.com/r/owasp/dependency-check/dockerfile
And master ->
https://github.com/jeremylong/DependencyCheck/blob/master/cli/Dockerfile
I would propose a PR if you tell me what to submit it against... pretty confused rn...
Regards
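An added example, not from the issue or the DependencyCheck project: a POSIX shell gate that scans dependency-check output for `Disabling ... Analyzer` messages like the one quoted above, so a pipeline can fail whenever an analyzer was switched off at runtime because its external tool (here `go`) was missing from the image, instead of shipping a report that silently lacks that ecosystem. The log text is a constructed sample and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of dependency-check output, modelled on the issue's log line.
SAMPLE_LOG='[INFO] Analysis Started
[ERROR] Exception from go process: java.io.IOException: Cannot run program "go" (in directory "/tmp/dctempb83f7667-f569-4dd5-8433-8e7a37a2cba5"): error=2, No such file or directory. Disabling Golang Mod Analyzer
[INFO] Finished Dependency Analysis'

# Print the name of every analyzer the run disabled, one per line, deduplicated.
# Matches the "Disabling <Name> Analyzer" tail that dependency-check appends
# when an analyzer cannot start (e.g. a missing external binary).
disabled_analyzers() {
    printf '%s\n' "$1" | sed -n 's/.*Disabling \(.*Analyzer\).*/\1/p' | sort -u
}

# CI gate: return 0 when no analyzer was disabled, 1 (with a message on stderr)
# otherwise. Use it as an extra check even when the scan itself exited 0.
check_log() {
    missing=$(disabled_analyzers "$1")
    if [ -n "$missing" ]; then
        printf 'dependency-check disabled analyzers at runtime:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Convenience wrapper for a saved log file (hypothetical path argument).
check_log_file() {
    check_log "$(cat "$1")"
}

# Stand-alone run against the constructed sample; exits non-zero here.
check_log "$SAMPLE_LOG"
```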
@jeremylong We have the same issue in the team. We are not able to finish our Jenkins pipeline because of the unfinished dependency-check stage. When is the go CLI going to be incorporated into the docker image?
This will be included in the next release. However, there are several items still in development before we can push the next release.