Skip to content

Protocols-sec/Dependency-Check_Action

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
img
img
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
action.yml
action.yml
 
 
entrypoint.sh
entrypoint.sh
 
 
readme.md
readme.md
 
 

Repository files navigation

Welcome to Dependency check action

This action uses the docker image built every night in https://github.com/dependency-check/DependencyCheck_Builder. This image includes the updated vulnerabilities database so there is no need to update it. Therefore, it speeds up the test.

What is Dependency-Check?

This action is based upon the OWASP Dependency-Check tool, a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

How does it work?

The action has three required parameters:

  • project: the project name
  • path: the scanpath
  • format: the report format

Additionally, you can specify:

  • out: the output folder location relative to the github workspace, by default it will be reports
  • args: any remaining flags and parameters to the binary, check the arguments page for valid options

Example:

 on: [push] jobs: depchecktest: runs-on: ubuntu-latest name: depecheck_test steps: - name: Checkout uses: actions/checkout@v2 - name: Build project with Maven run: mvn clean install - name: Depcheck uses: dependency-check/Dependency-Check_Action@main id: Depcheck with: project: 'test' path: '.' format: 'HTML' out: 'reports' # this is the default, no need to specify unless you wish to override it args: > --failOnCVSS 7 --enableRetired - name: Upload Test results uses: actions/upload-artifact@master with: name: Depcheck report path: ${{github.workspace}}/reports

Error: JAVA_HOME is not defined correctly

When used in conjunction with the GitHub Action setup-java you will see the error Error: JAVA_HOME is not defined correctly

This is due to the environment variable JAVA_HOME being changed by the setup-java GitHub Action. To fix this problem you will need to reset JAVA_HOME to match how it's being set in the image Dependency-Check Docker Image within the Depcheck step.

Example:

... - name: Depcheck uses: dependency-check/Dependency-Check_Action@main env: # actions/setup-java@v1 changes JAVA_HOME so it needs to be reset to match the depcheck image JAVA_HOME: /opt/jdk ...

How Do I Use It?

We recommend adding the above example into your .github/workflows directory, using a name of your choice, in this example main.yml.

It should look like this

Once that action kicks off, you should be able to see it running in the actions tab.

Finally, once it has completed, a report will be generated and accessible from the actions tab

Downloading this and opening it in a browser will give you the following (for example)

Who Is Behind It?

Dependency check action was developed by the Santander UK Security Engineering team, namely:

About

Github action to run dependency check

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Dockerfile 86.0%
  • Shell 14.0%