Dependency check not running in Azure Gradle plugin #325

lars06 opened this issue Feb 14, 2023 · 3 comments

lars06 commented Feb 14, 2023

Hi there. I have recently added this plugin to my project. When running `./gradlew dependencyCheckAnalyze` locally, everything runs correctly. However, when running using the Azure DevOps Gradle task, the command is changed and the pipeline runs `build` instead of `dependencyCheckAnalyze`, leading to no dependency check. Do you have any idea why this would happen?

Running v8.1.0, with plugin configuration:

```groovy
dependencyCheck {
    suppressionFiles = file("owasp-dependency-suppression.xml")
    failBuildOnCVSS = 8.0
    outputDirectory = file("build/reports/dependency-check")
    cve {
        startYear = 2020
    }
}
```

and pipeline configuration:

```yaml
task: Gradle@3
displayName: 'Run dependency check'
inputs:
    jdkVersionOption: $(jdkVersion)
    publishJUnitResults: false
    goals: 'dependencyCheckAnalyze'
    options: '-x test -x integrationTest'
```

which leads to the Azure pipeline running the following command:
`/agent/_work/2/s/gradlew -x test -x integrationTest build` when it should be `dependencyCheckAnalyze`

@jeremylong
Collaborator

Not a clue, but you could add something like `build.dependsOn dependencyCheckAnalyze`.


lars06 commented Feb 15, 2023

The problem is then every build will be run with dependency check, which is not ideal for pipeline speed. I tried to run `./gradlew dependencyCheckAnalyze` on the pipeline with a bash task and it works properly, so there must be a compatibility problem with dependency-check-gradle and the Gradle task on Azure.


ThomGeG commented Oct 10, 2023

This wouldn't be a problem with the Dependency Check plugin but your pipeline configuration for Azure DevOps. It doesn't appear to have been properly configured to run the right task.

I've never used Azure DevOps, but from a quick glance at your snippet I would say this is likely your problem:

```yaml
goals: 'dependencyCheckAnalyze'
```

Phases & Goals are Maven vernacular; Gradle calls them tasks. The `Gradle@3` documentation you linked had an example that uses `tasks` as the key instead.

```yaml
# Gradle v3
# Build using a Gradle wrapper script.
- task: Gradle@3
  inputs:
    gradleWrapperFile: 'gradlew' # string. Alias: wrapperScript. Required. Gradle wrapper. Default: gradlew.
    #workingDirectory: # string. Alias: cwd. Working directory.
    #options: # string. Options.
    tasks: 'build' # string. Required. Tasks. Default: build.
```

Sounds like you've set the wrong key-value pair and it's still defaulting to `build` rather than your expected `dependencyCheckAnalyze`.
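
A pipeline lint for the failure mode discussed in this thread, where a mistyped input lets the scan step fall back to `build` without any error. This is an added example, not code from the thread or from the dependency-check project; `parse_inputs`, `lint_gradle_step` and the allow-list are hypothetical names, and the allow-list holds only the input names visible on this page, not the task's complete set.

```python
# Input names that appear on this page for Gradle@3. Assumed allow-list, not
# the task's complete input set; extend it from the task reference.
KNOWN_INPUTS = {
    "gradleWrapperFile", "wrapperScript", "workingDirectory", "cwd",
    "options", "tasks", "jdkVersionOption", "publishJUnitResults",
}
# Constructed sample: the step as posted in the issue.
POSTED_STEP = """\
task: Gradle@3
displayName: 'Run dependency check'
inputs:
    jdkVersionOption: $(jdkVersion)
    publishJUnitResults: false
    goals: 'dependencyCheckAnalyze'
    options: '-x test -x integrationTest'
"""
# Constructed sample: the same step with the key the last comment suggests.
SUGGESTED_STEP = POSTED_STEP.replace("goals:", "tasks:")

def parse_inputs(step_yaml):
    """Return the key/value pairs nested under `inputs:` in one step."""
    inputs, base = {}, None
    for raw in step_yaml.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:                           # still looking for inputs:
            if line.strip() == "inputs:":
                base = indent
            continue
        if indent <= base:                         # left the inputs block
            break
        key, _, value = line.strip().partition(":")
        inputs[key] = value.strip().strip("'\"")
    return inputs

def lint_gradle_step(step_yaml, required_task):
    """List findings that would let the scan be skipped silently."""
    inputs = parse_inputs(step_yaml)
    findings = [f"unknown input '{k}'" for k in inputs if k not in KNOWN_INPUTS]
    tasks = inputs.get("tasks", "build").split()   # default per the doc snippet
    if required_task not in tasks:
        findings.append(f"'{required_task}' not in tasks (effective: {' '.join(tasks)})")
    return findings

if __name__ == "__main__":
    for name, step in (("posted", POSTED_STEP), ("suggested", SUGGESTED_STEP)):
        print(name, lint_gradle_step(step, "dependencyCheckAnalyze"))
```

Running such a check in the pipeline before the Gradle step turns a silently skipped scan into a failed build.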
