What is required to get this to work? #30

Open
efenderbosch-atg opened this issue May 23, 2024 · 1 comment

@efenderbosch-atg

  owasp_dependency_check:
    needs: compile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      - name: Restore Gradle Cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}-${{ github.run_id }}-${{ github.run_number }}

      - name: OWASP dependency check
        id: owasp-dependency-check
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # actions/setup-java changes JAVA_HOME, so it needs to be reset to match the depcheck image
          JAVA_HOME: /opt/jdk
        with:
          project: my-project-name
          format: HTML
          args: |
            --failOnCVSS 8
            --suppression config/owasp-dependency-check-suppression.xml
        timeout-minutes: 10

      - name: Archive OWASP Dependency Check Report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: owasp-dependency-check-reports
          path: reports/dependency-check-report.html

The report is empty. The only dependency it scans is /github/workspace/gradle/wrapper/gradle-wrapper.jar. Does it have to happen in the same job as my gradle compile step? I like breaking out separate jobs so that they can be run in parallel.

@finnlander

Hi,

I was experiencing similar behavior and got it solved by adding a step that handles downloading the dependencies that should be scanned, i.e. something like this:

      - name: Preparation for OWASP Dependency check
        run: "./gradlew build -x test"
        working-directory: ${{ github.workspace }}

Perhaps it helps in your case as well 🙂 .

If I recall correctly, the provided examples are with Maven, but they show there too that the action requires some pre-step that triggers downloading the dependencies before executing it.
