dependency-check/azuredevops

Can you elaborate why the extension needs Build execute permissions?

Opened this issue · 2 comments


Hi there,

we've noticed that the DevOps extension needs "Build (read and execute)" permissions and we were wondering why the execute is needed.

Can someone elaborate?

Thanks!

Hello,

AFAIK, and as I saw in the code, the extension uploads the analysis result and, if enabled, the log file (verbose logging) to the build artifacts. You'll find the code in the following snippet in line 218 and 2023:

```typescript
import * as path from 'path';
import * as tl from 'azure-pipelines-task-lib/task';

if (processArtifacts) {
    logDebug('Attachments:');
    // Collect every file the analysis wrote into the reports directory
    const reports = tl.findMatch(reportsDirectory, '**/*.*');
    reports.forEach(filePath => {
        // Percent-encode the dot in the attachment name
        const fileName = path.basename(filePath).replace('.', '%2E');
        const fileExt = path.extname(filePath);
        logDebug(`Attachment name: ${fileName}`);
        logDebug(`Attachment path: ${filePath}`);
        logDebug(`Attachment type: ${fileExt}`);
        // Attach the report to the task result and publish it as a build artifact
        console.log(`##vso[task.addattachment type=dependencycheck-artifact;name=${fileName};]${filePath}`);
        console.log(`##vso[artifact.upload containerfolder=dependency-check;artifactname=Dependency Check;]${filePath}`);
    });
    // Upload the log file if verbose logging was enabled
    if (enableVerbose) {
        console.log(`##vso[build.uploadlog]${logFile}`);
    }
}
```

As you'll find in the MS Docs > Supported scopes, this can be done with scope vso.build_execute that was defined for this extension.

BR, CW

Hi @HaGGi13!

Thanks for your answer. I don't agree that publishing artifacts needs the "Build & Execute" permission.
IMO the Microsoft Doc states that the permission is needed to access already built artifacts, but I might be wrong here.

Still, if your statement is correct, the "Build" permission should suffice.

I would advise the developers of the extension to test the extension without granting the "Build & Execute" permissions and see whether all the features are still working properly.

The reason I think this is so important is that CVE checks will mostly be used in pipelines by companies which have to comply with certain security guidelines.
Granting a DevOps extension, which does not have the greatest popularity or developer count and updates itself more or less regularly, the "Build & Execute" permission might seem very critical to those companies.

Anyways, thanks a lot for your response!
I just think that you need no permissions to publish pipeline artifacts from an extension.

Greetings,
Zacharias3D
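The check both commenters did by hand above, reading the extension's requested scopes and looking at which `##vso` logging commands the task actually emits, can be scripted for review. This is an added example, not code from the dependency-check project or from either commenter; the manifest fragment and task-source excerpt are constructed samples, and the allowlist of approved scopes is a reviewer's choice, not something the thread settles.

```python
import json
import re

# Constructed sample of a vss-extension.json fragment (not the real manifest).
SAMPLE_MANIFEST = json.dumps({
    "id": "example-dependency-check",
    "scopes": ["vso.build_execute", "vso.work"],
    "files": [{"path": "task"}],
})

# Constructed excerpt of a task script, modelled on the snippet quoted above.
SAMPLE_TASK_SOURCE = r"""
console.log(`##vso[task.addattachment type=dependencycheck-artifact;name=${fileName};]${filePath}`);
console.log(`##vso[artifact.upload containerfolder=dependency-check;artifactname=Dependency Check;]${filePath}`);
if (enableVerbose)
    console.log(`##vso[build.uploadlog]${logFile}`);
"""

# Matches the "area.command" part of an Azure Pipelines logging command.
VSO_COMMAND = re.compile(r"##vso\[([a-z]+\.[a-zA-Z]+)")


def declared_scopes(manifest_json: str) -> list[str]:
    """OAuth scopes the extension manifest requests, sorted for stable output."""
    return sorted(json.loads(manifest_json).get("scopes", []))


def emitted_vso_commands(source: str) -> list[str]:
    """Distinct ##vso logging commands found in a task script."""
    return sorted(set(VSO_COMMAND.findall(source)))


def excess_scopes(manifest_json: str, allowlist: set[str]) -> list[str]:
    """Requested scopes that a reviewer has not approved for this extension."""
    return sorted(set(declared_scopes(manifest_json)) - allowlist)


if __name__ == "__main__":
    # Hypothetical reviewer policy: only read access to builds is pre-approved.
    approved = {"vso.build"}
    print("declared scopes:  ", declared_scopes(SAMPLE_MANIFEST))
    print("logging commands: ", emitted_vso_commands(SAMPLE_TASK_SOURCE))
    print("needs review:     ", excess_scopes(SAMPLE_MANIFEST, approved))
```

Running this over a real extension means pointing it at the unpacked .vsix (the manifest plus the task's compiled JavaScript); the output is a list to discuss with the extension authors, not a verdict on which scope the logging commands require.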