dependency-check/azuredevops

Add cache method in documentation

LvffY opened this issue · 2 comments

LvffY commented

Hello

I think that most people want to reduce the runtime of their pipelines.

Because of that, I recently needed to search for a way to cache dependency-check CVE data (because it accounted for most of the dependency-check analysis time, even for large repositories with many dependencies).

I think that we need to add an "official" method on how to cache dependency-check data. For example, in my case, my dependency-check analysis went from 2m19s of execution to 13s ... which can be greatly appreciated by most users!

My solution

Here is the solution I found (I'm not saying it is the best way, just my way; I'm open to advice here :)):

```yaml
- task: Bash@3
  displayName: 'Look for dependency-check data directory'
  inputs:
    targetType: 'inline'
    script: |
      # Find the dependency-check root directory inside the agent's task folder
      # (head -n 1 guards against several installed task versions matching)
      dc_directory=$(find "$AGENT_WORKFOLDER/_tasks" -type d -name dependency-check | head -n 1)
      # Expose <root>/data to the following steps as a pipeline variable
      echo "##vso[task.setvariable variable=DEPENDENCY_CHECK_DATA]${dc_directory}/data"

- task: Cache@2
  displayName: Cache dependency check data
  inputs:
    key: 'dependency-check | "$(Agent.OS)"'
    path: $(DEPENDENCY_CHECK_DATA)

- task: dependency-check-build-task@6
  displayName: Run dependency-check analysis
  inputs:
    projectName: $(System.TeamProject)_$(Build.Repository.Name)
    scanPath: '.tox/**/py*'
    format: 'ALL'
    reportsDirectory: 'dependency-check'
    warnOnCVSSViolation: true
    enableExperimental: true
```
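A caveat on the cache key used in the pipeline above, shown as an added example that is not the issue author's pipeline: Cache@2 treats a saved entry as immutable and does not save it again when the key hits, so with a key that contains only the OS the stored NVD data stays at whatever the first run saved, and every later run has to download an ever-growing delta. The variant below (added here; DC_CACHE_DATE is an assumed variable name) puts the UTC date into the key so a fresh entry is written once per day, and uses restoreKeys to fall back to the newest older entry on a miss.

```yaml
# Added example, not from the issue author. Daily-rolling cache key for the
# dependency-check data directory with prefix fallback via restoreKeys.
- task: Bash@3
  displayName: 'Compute dependency-check cache inputs'
  inputs:
    targetType: 'inline'
    script: |
      set -euo pipefail
      # Locate the task's bundled dependency-check root (first match wins)
      dc_directory=$(find "$AGENT_WORKFOLDER/_tasks" -type d -name dependency-check | head -n 1)
      echo "##vso[task.setvariable variable=DEPENDENCY_CHECK_DATA]${dc_directory}/data"
      # Date component (UTC) so the exact key changes once per day
      echo "##vso[task.setvariable variable=DC_CACHE_DATE]$(date -u +%Y-%m-%d)"

- task: Cache@2
  displayName: Cache dependency-check data (daily key)
  inputs:
    # Exact key includes today's date. On a miss, restoreKeys does a prefix match
    # and restores the most recently created entry for this OS; the scan then
    # downloads only the delta, and the refreshed directory is saved under
    # today's key when the job ends.
    key: 'dependency-check | "$(Agent.OS)" | "$(DC_CACHE_DATE)"'
    restoreKeys: |
      dependency-check | "$(Agent.OS)"
    path: $(DEPENDENCY_CHECK_DATA)
```

The first run of each day therefore pays for one incremental update and one cache save; later runs that day hit the exact key and neither download nor re-save. Entries are scoped per branch, so a branch with no cache of its own first looks for a fallback entry on the default branch.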

Thanks for publishing your solution.

We run a nightly job that runs the following command and zips up the files in the data directory:

```shell
./dependency-check/bin/dependency-check.sh --updateonly
ls -la ./dependency-check/data
```

That zip file is pushed to a CDN that provides a fast download for the zip file.

Then, we use the following build task to pull the zip file and unpack it into the data directory before running the scan. The --noupdate argument tells the scan to skip downloading the latest data sets:

```yaml
- task: dependency-check-build-task@6
  displayName: Run OWASP Dependency Check
  inputs:
    projectName: 'SCA'
    scanPath: '/tmp/app.jar'
    format: 'ALL'
    # Pin the CLI version so it matches the version the mirrored data was built with
    dependencyCheckVersion: '7.4.4'
    # Zip of the pre-built data directory, downloaded and unpacked before the scan
    dataMirror: 'https://mycdn.com/data/7.4.4.zip'
    # Skip the NVD download entirely; the mirrored data is used as-is
    additionalArguments: '--noupdate'
```
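The producer side of the workflow described in the reply above, as an added example that is not the maintainer's actual nightly job: a scheduled pipeline that downloads the CLI, runs --updateonly, zips the data directory and publishes the zip. Assumptions: the release download URL follows the DependencyCheck GitHub release naming, the zip holds the contents of data/ at its root so that unpacking it lands the files directly in the consumer's data directory, and the CDN upload is replaced by a pipeline artifact because the reply does not say how the push is done.

```yaml
# Added example, not the maintainer's pipeline: nightly refresh of the
# dependency-check data directory, published as a zip for dataMirror consumers.
schedules:
  - cron: '0 2 * * *'          # 02:00 UTC every night
    displayName: Nightly dependency-check data refresh
    branches:
      include: [main]
    always: true                # run even if nothing was committed

trigger: none                   # scheduled only, never on push

variables:
  dcVersion: '7.4.4'            # keep in sync with dependencyCheckVersion in consumers

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: Bash@3
    displayName: Download CLI and update data
    inputs:
      targetType: 'inline'
      script: |
        set -euo pipefail
        # Assumed release URL pattern for the DependencyCheck CLI zip
        curl -fsSL -o dc.zip \
          "https://github.com/jeremylong/DependencyCheck/releases/download/v$(dcVersion)/dependency-check-$(dcVersion)-release.zip"
        unzip -q dc.zip         # extracts ./dependency-check/
        # Pull the latest feeds into ./dependency-check/data without scanning anything
        ./dependency-check/bin/dependency-check.sh --updateonly
        ls -la ./dependency-check/data
        # Zip the contents of the data directory (not the directory itself) so the
        # consumer can unpack the archive straight into its own data directory
        (cd ./dependency-check/data && zip -qr "$BUILD_ARTIFACTSTAGINGDIRECTORY/$(dcVersion).zip" .)

  - task: PublishPipelineArtifact@1
    displayName: Publish data zip (stand-in for the CDN upload)
    inputs:
      targetPath: '$(Build.ArtifactStagingDirectory)/$(dcVersion).zip'
      artifact: 'dependency-check-data'
```

The artifact name matches the 7.4.4.zip the consumer task expects from its dataMirror URL, so the only site-specific piece left is copying that file to the CDN. Note that dependency-check 9.x and later fetch vulnerability data through the NVD API instead of the retired JSON feeds, so a producer job built on a newer CLI needs to pass an API key (--nvdApiKey) to the update step.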