Merge pull request #50 from dependency-check/develop

v6.0.2 Release

Author: ejohn20

.gitignore

@@ -23,6 +23,7 @@ dist/
 
 # Visual Studio 2015 cache/options directory
 .vs/
+.pumafile
 
 node_modules
 .vscode

build/data-cache/data-cache.sh

@@ -6,7 +6,7 @@ BUCKET_NAME=$3
 DISTRIBUTION_ID=$4
 
 #install dep check
-curl -sLo ./dependency-check-$VERSION-release.zip https://dl.bintray.com/jeremy-long/owasp/dependency-check-$VERSION-release.zip
+curl -sLo ./dependency-check-$VERSION-release.zip https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip
 unzip -q ./dependency-check-$VERSION-release.zip
 
 #version check

src/Tasks/dependency-check-build-task/dependency-check-build-task.ps1

@@ -32,28 +32,36 @@ try {
     $format = Get-VstsInput -Name 'format' -Require
     $failOnCVSS = Get-VstsInput -Name 'failOnCVSS' -Default ''
     $suppressionPath = Get-VstsInput -Name 'suppressionPath' -Default ''
+    $reportsDirectory = Get-VstsInput -Name 'reportsDirectory' -Default ''
     $enableExperimental = Get-VstsInput -Name 'enableExperimental' -Require -AsBool
     $enableRetired = Get-VstsInput -Name 'enableRetired' -Require -AsBool
     $enableVerbose = Get-VstsInput -Name 'enableVerbose' -Require -AsBool
-    $dataMirrorJson = Get-VstsInput -Name 'dataMirrorJson' -Default ''
-    $dataMirrorOdc = Get-VstsInput -Name 'dataMirrorOdc' -Default ''
+    $localInstallPath = Get-VstsInput -Name 'localInstallPath' -Default ''
+    $dependencyCheckVersion = Get-VstsInput -Name 'dependencyCheckVersion' -Default '6.0.2'
+    $dataMirror = Get-VstsInput -Name 'dataMirror' -Default ''
+    
     $additionalArguments = Get-VstsInput -Name 'additionalArguments' -Default ''
 
     #Trim the strings
     $projectName = $projectName.Trim();
     $scanPath = $scanPath.Trim();
     $excludePath = $excludePath.Trim();
     $suppressionPath = $suppressionPath.Trim();
+    $reportsDirectory = $reportsDirectory.Trim();
     $additionalArguments = $additionalArguments.Trim();
+    $localInstallPath = $localInstallPath.Trim();
 
-    #Create reports directory
-    $testDirectory = $Env:COMMON_TESTRESULTSDIRECTORY
-    $reportsDirectory = "$testDirectory\dependency-check"
+    #Set reports directory (if necessary)
+    if ($Env:BUILD_REPOSITORY_LOCALPATH -eq $reportsDirectory){
+        $testDirectory = $Env:COMMON_TESTRESULTSDIRECTORY
+        $reportsDirectory = "$testDirectory\dependency-check"
+    }
+    Write-Host "Setting report directory to $reportsDirectory"
 
-    # Check if report directory does not exist
+    # Create report directory (if necessary)
     if(!(Test-Path -Path $reportsDirectory))
     {
-        Write-Host "Creating dependency check test results directory at $reportsDirectory"
+        Write-Host "Creating report directory at $reportsDirectory"
         New-Item $reportsDirectory -Type Directory
     }
 
@@ -105,46 +113,42 @@ try {
         $arguments = $arguments + " " + $additionalArguments
     }
 
-    #Get dependency check path
-    $binDirectory = "dependency-check"
-    $binDirectory = $binDirectory | Resolve-Path
-
     #Set PS invoke web args
     [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
     $ProgressPreference = 'SilentlyContinue'
 
-    # Pull installer file
-    if(Test-Path $binDirectory -PathType Container) {
-        Write-Host -Verbose "Downloading Dependency Check installer..."
-        Invoke-WebRequest "https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip" -OutFile "dependency-check-5.3.2-release.zip"
-        Expand-Archive -Path dependency-check-5.3.2-release.zip -DestinationPath . -Force
+    # Set installation location
+    if ($Env:BUILD_REPOSITORY_LOCALPATH -eq $localInstallPath){
+        #Get dependency check path
+        $localInstallPath = "dependency-check"
+        $localInstallPath = $localInstallPath | Resolve-Path
+
+        if(Test-Path $localInstallPath -PathType Container) {
+            Write-Host -Verbose "Downloading Dependency Check v$dependencyCheckVersion installer..."
+            Invoke-WebRequest "https://github.com/jeremylong/DependencyCheck/releases/download/v$dependencyCheckVersion/dependency-check-$dependencyCheckVersion-release.zip" -OutFile "dependency-check-release.zip" 
+            Expand-Archive -Path dependency-check-release.zip -DestinationPath . -Force
+        }
     }
 
     #Get dependency check data dir path
-    $dataDirectory = "dependency-check/data"
+    $dataDirectory = "$localInstallPath/data"
     $dataDirectoryPath = $dataDirectory | Resolve-Path
 
-    # Pull JSON cached file
-    if([string]::IsNullOrEmpty($dataMirrorJson) -eq $false ) {
+    # Pull cached data archive
+    if([string]::IsNullOrEmpty($dataMirror) -eq $false ) {
         if(Test-Path $dataDirectoryPath -PathType Container) {
-            Write-Host -Verbose "Downloading Dependency Check vulnerability JSON data mirror..."
-            Invoke-WebRequest $dataMirrorJson -OutFile "$dataDirectory/jsrepository.json"
-        }
-    }
-
-    # Pull ODC cached file
-    if([string]::IsNullOrEmpty($dataMirrorOdc) -eq $false ) {
-        if(Test-Path $dataDirectoryPath -PathType Container) {
-            Write-Host -Verbose "Downloading Dependency Check vulnerability DB data mirror..."
-            Invoke-WebRequest $dataMirrorOdc -OutFile "$dataDirectory/odc.mv.db"
+            Write-Host -Verbose "Downloading Dependency Check data cache archive..."
+            Invoke-WebRequest $dataMirror -OutFile "$dataDirectory/data.zip"
+            Expand-Archive -Path "$dataDirectory/data.zip" -DestinationPath "$dataDirectory" -Force
         }
     }
 
     #Get dependency check script path
     $depCheck = "dependency-check.bat"    
-    $depCheckScripts = "dependency-check/bin"
+    $depCheckScripts = "$localInstallPath/bin"
     $depCheckPath = $depCheckScripts | Resolve-Path | Join-Path -ChildPath "$depCheck"
-    
+    Write-Host -Verbose "Dependency Check installer set to $depCheckPath"
+
     #Default status to pass, change evaling the exit code below
     $failed = $false
 

src/Tasks/dependency-check-build-task/task.json

@@ -75,6 +75,14 @@
       "required": false,
       "helpMarkDown": "The file path to the suppression XML file used to suppress false positives. This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path."
     },
+    {
+      "name": "reportsDirectory",
+      "type": "filePath",
+      "label": "Report Directory",
+      "defaultValue": "",
+      "required": false,
+      "helpMarkDown": "Report output directory. On-prem build agents can specify a local directory to override the default location. The default location is the $COMMON_TESTRESULTSDIRECTORY\\dependency-check directory."
+    },
     {
       "name": "enableExperimental",
       "type": "boolean",
@@ -100,28 +108,36 @@
       "helpMarkDown": "Enable verbose logging."
     },
     {
-      "name": "dataMirrorOdc",
-      "type": "string",
-      "label": "ODC Database File Mirror (odc.mv.db) URL",
-      "helpMarkDown": "The https path to the cached Dependency Check database file (odc.mv.db).",
+      "name": "additionalArguments",
+      "type": "multiLine",
+      "label": "Additional Arguments",
+      "defaultValue": "",
+      "required": false,
+      "helpMarkDown": "Pass additional command line arguments to the Dependency Check command line interface."
+    },
+    {
+      "name": "localInstallPath",
+      "type": "filePath",
+      "label": "Local Install Path",
+      "helpMarkDown": "The local path to the `dependency-check` installation directory (on-prem build agents only). Setting this field will run Dependency Check locally instead of downloading the installer onto the build agent.",
       "defaultValue": "",
       "required": false
     },
     {
-      "name": "dataMirrorJson",
+      "name": "dependencyCheckVersion",
       "type": "string",
-      "label": "JSON Repository File Mirror (jsrepository.json) URL",
-      "helpMarkDown": "The https path to the cached Dependency Check JSON repository file (jsrepository.json).",
-      "defaultValue": "",
+      "label": "Installer Version",
+      "helpMarkDown": "The Dependency Check version to download (cloud-hosted build agents only). Setting this field will download Dependency Check locally onto the build agent during execution.",
+      "defaultValue": "6.0.2",
       "required": false
     },
     {
-      "name": "additionalArguments",
-      "type": "multiLine",
-      "label": "Additional Arguments",
+      "name": "dataMirror",
+      "type": "string",
+      "label": "Data Mirror Archive URL",
+      "helpMarkDown": "The https path to the compressed Dependency Check data directory (containing the odc.mv.db and jsrepository.json files).",
       "defaultValue": "",
-      "required": false,
-      "helpMarkDown": "Pass additional command line arguments to the Dependency Check command line interface."
+      "required": false
     }
   ],
   "instanceNameFormat": "Dependency Check",