Dependencycheck: Dependency Check not reporting vulnerabilities in GitLab CI

Created on 7 Jan 2021 · 6 Comments · Source: jeremylong/DependencyCheck

Hi,

I have implemented the dependency check in GitLab CI but when it runs, the report comes back clean. I have tried with a vulnerable Python application with the experimental check, and with a vulnerable .NET project, but neither of them reports vulnerabilities.

dependencyCheck:
  stage: security-gate
  image:
    name: owasp/dependency-check
    entrypoint: [""]
  before_script:
    - mkdir data
    - mkdir dependency-check

  script:
    - >
      /usr/share/dependency-check/bin/dependency-check.sh
      --project ...
      -format=ALL
      --proxyserver="${PROXY_HOST}"
      --proxyport="${PROXY_PORT}"
      --scan=$CI_PROJECT_DIR/dependency-check
      --out=$CI_PROJECT_DIR/dependency-check
      --data=$CI_PROJECT_DIR/data
      --disableNodeJS -s . -o .
  artifacts:
    paths:
      - "dependency-check/dependency-check-*"

Expected behavior
DependencyCheck finding vulnerable dependencies.

Log output:

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (4 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing report to: /builds/usr/astpoc/dependency-check/dependency-check-report.xml
[INFO] Writing report to: /builds/usr/astpoc/dependency-check/dependency-check-report.html
[INFO] Writing report to: /builds/usr/astpoc/dependency-check/dependency-check-report.json
[INFO] Writing report to: /builds/usr/astpoc/dependency-check/dependency-check-report.csv
[INFO] Writing report to: /builds/usr/astpoc/dependency-check/dependency-check-junit.xml

Report output:

Project: ...
Scan Information (show all):
dependency-check version: 6.0.5
Report Generated On: Wed, 13 Jan 2021 22:13:53 GMT
Dependencies Scanned: 0 (0 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0

question

All 6 comments

Your report is missing key information for debugging and/or analysis. Please use the issue template provided.

Consider running dotnet publish before scanning?

Hi @jeremylong ,
I thought it only scanned through the repository files and detected vulnerable versions; do I have to run the project?

I'm totally new at using the dependency check.
Thanks

Thanks for the input, @mprins I have added log information and the actual report output.

@tersam95 Looking at this as someone who uses Dependency Check for a lot of projects on GitLab, I see a few potential issues.

  • You've specified some CLI arguments twice (--scan and -s, --out and -o), and I'm not sure how Dependency Check treats the duplication.
  • To scan the full project, you'll want to scan either $CI_PROJECT_DIR or . (which are equivalent; GitLab starts the job with the working directory set to the project root).
  • As noted above, you probably do want to build/publish the project before scanning (either in that job, or in a previous stage and save the artifacts). In my experience the scan typically finds NuGet dependencies from the project files (or other artifact manager manifests if they're used) without it, but this ensures anything else brought in with the build is scanned (like .NET Core libraries).
  • You'll want to set artifacts: when: always, or artifacts will not be saved if the job fails (if vulnerabilities are found).

If you want to see a working example, the job template I use is at https://gitlab.com/gitlab-ci-utils/gitlab-ci-templates/-/blob/master/jobs/OWASP-Dependency-Check.gitlab-ci.yml. You'll see it references a different image name, but that image is just owasp/dependency-check with some common suppression files added and is rebuilt daily with a pre-populated database to reduce execution time.
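
A corrected version of the job from this issue, as an added example that is not part of the thread or of the linked template: it applies the four points above (one scan path, no duplicated flags, build in an earlier stage, artifacts kept on failure). The build job and its SDK image, the cache block, the --failOnCVSS threshold and the jq guard against an empty scan are my additions and assume a .NET project and jq in the job image.

```yaml
stages:
  - build
  - security-gate

# Publish first so runtime and transitive dependencies exist on disk
# (assumption: a .NET project; adjust the image and command to your stack).
build:
  stage: build
  image: mcr.microsoft.com/dotnet/sdk:5.0
  script:
    - dotnet publish -c Release -o publish
  artifacts:
    paths:
      - publish/

dependencyCheck:
  stage: security-gate
  image:
    name: owasp/dependency-check
    entrypoint: [""]
  dependencies:
    - build
  # Keep the NVD data directory between runs instead of re-downloading it.
  cache:
    key: dependency-check-data
    paths:
      - data/
  before_script:
    - mkdir -p data dependency-check
  script:
    # One --scan, one --out, every flag spelled with two dashes.
    - >
      /usr/share/dependency-check/bin/dependency-check.sh
      --project "$CI_PROJECT_NAME"
      --format ALL
      --scan "$CI_PROJECT_DIR"
      --out "$CI_PROJECT_DIR/dependency-check"
      --data "$CI_PROJECT_DIR/data"
      --proxyserver "$PROXY_HOST"
      --proxyport "$PROXY_PORT"
      --disableNodeJS
      --failOnCVSS 7
    # A report listing zero dependencies (as in this issue) means the wrong
    # path was scanned; fail loudly instead of passing a clean-looking gate.
    - >
      jq -e '.dependencies | length > 0'
      dependency-check/dependency-check-report.json
      || { echo "Zero dependencies scanned: check the --scan path"; exit 1; }
  artifacts:
    when: always
    paths:
      - dependency-check/dependency-check-*
```

The guard is the important part for the symptom in this thread: a scan of an empty directory exits cleanly, so without it the job is green while the report covers nothing.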

@aarongoldenthal thank you for the input, the error was the way I was passing the arguments. Your example really helped!
