warnOnCVSSViolation not working with dependency check 8.0.0
stirrblig opened this issue · 1 comment
stirrblig commented
The dependency checker version 8.0.0 has changed its exit codes.
https://github.com/jeremylong/DependencyCheck/releases/tag/v8.0.0
The exit codes from the CLI have been changed to be in the range from 0-255
Because of this, the check in https://github.com/dependency-check/azuredevops/blob/main/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts is no longer working, since it's expecting error code 1:
```typescript
let failed = exitCode != 0;
let isViolation = exitCode == 1;
// ...
if (failed) {
  if (isViolation) {
    message = "CVSS threshold violation.";
    if (warnOnCVSSViolation) {
      result = tl.TaskResult.SucceededWithIssues;
    }
    else {
      result = tl.TaskResult.Failed;
    }
  }
}
```
This means that the build step fails instead of throwing an error, even when warnOnCVSSViolation is set to true.
Workaround
In the azure-pipeline.yaml, explicitly specify the previous version:

```yaml
dependencyCheckVersion: '7.4.4'
```
ejohn20 commented
I'm unable to reproduce this in my demo pipelines. I have merged this and released in v6.1.0. Please verify that the fix is working as expected.