
Format Json report not compatible with gitlab-ci security dashboard, vulnerability report


I read the JSON report format for dependency scanning in GitLab: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format

But I run dependency-check 6.0.0 with the command: /opt/devsecops/dependency-check/bin/dependency-check.sh --proxyserver XXX --proxyport XXX --suppression XXX -s $CI_PROJECT_DIR -f ALL --project $CI_PROJECT_NAME --enableExperimental -o $CI_PROJECT_DIR --go $GOLANG_PATH

and export the report to GitLab:

artifacts:
    when: always
    paths:
      - $CI_PROJECT_DIR/dependency-check-report.html
      - $CI_PROJECT_DIR/dependency-check-report.json
    reports:
      dependency_scanning: $CI_PROJECT_DIR/dependency-check-report.json

I read the HTML and JSON report files and they contain a critical bug. But it is not shown in the security dashboard or vulnerability report.

I tried the template https://gitlab.com/gitlab-ci-utils/gitlab-ci-templates/-/blob/master/jobs/OWASP-Dependency-Check.gitlab-ci.yml but it is not working; metrics.txt is zero.

I see this error is because of a conflict between the JSON report format of OWASP dependency-check and GitLab's dependency scanning JSON report format.
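The format conflict described in the issue, shown as an added example that is not part of the issue or of either project: a Python converter that reads Dependency-Check's JSON report and emits a document in GitLab's dependency scanning report format so the Vulnerability Report can ingest it. The field names of both formats (`dependencies[].vulnerabilities[]` and `packages[].id` on the Dependency-Check side; `vulnerabilities[]`, `identifiers[]`, `location.dependency` and `scan` on the GitLab side) are assumptions taken from the two projects' public documentation and should be checked against the schema version GitLab expects; the sample report is constructed and its CVE id is a placeholder.

```python
"""Convert an OWASP Dependency-Check JSON report into GitLab's dependency
scanning report format.

Added example, not Dependency-Check's or GitLab's own code. Field names on
both sides are assumptions from the public docs; the sample report below is
constructed and "CVE-0000-0001" is a placeholder identifier."""
import hashlib
import json
import sys

# GitLab severity vocabulary (assumed): Info, Unknown, Low, Medium, High, Critical.
SEVERITY_MAP = {
    "CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
    "MODERATE": "Medium", "LOW": "Low",
}
SCANNER = {"id": "owasp_dependency_check", "name": "OWASP Dependency-Check"}


def convert(dc_report: dict, scanner_version: str = "6.0.0") -> dict:
    """Return a GitLab-style report dict built from a Dependency-Check report dict."""
    findings = []
    for dep in dc_report.get("dependencies", []):
        file_path = dep.get("filePath") or dep.get("fileName", "")
        # Package URL of the first identified package, e.g. pkg:maven/group/artifact@1.0
        purl = next((p.get("id", "") for p in dep.get("packages", [])), "")
        pkg_name, _, pkg_version = purl.rpartition("@") if "@" in purl else (purl, "", "")
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln.get("name", "")
            # Stable id from CVE + file path so repeated scans dedupe instead of duplicating.
            vuln_id = hashlib.sha256(f"{cve}:{file_path}".encode()).hexdigest()
            findings.append({
                "id": vuln_id,
                "category": "dependency_scanning",
                "name": cve,
                "message": f"{cve} in {dep.get('fileName', '')}",
                "description": vuln.get("description", ""),
                "severity": SEVERITY_MAP.get(str(vuln.get("severity", "")).upper(), "Unknown"),
                "scanner": SCANNER,
                "location": {
                    "file": file_path,
                    "dependency": {"package": {"name": pkg_name}, "version": pkg_version},
                },
                "identifiers": [{
                    "type": "cve", "name": cve, "value": cve,
                    "url": f"https://nvd.nist.gov/vuln/detail/{cve}",
                }],
            })
    report_date = dc_report.get("projectInfo", {}).get("reportDate", "")
    return {
        "version": "14.0.0",  # GitLab report schema version (assumed)
        "vulnerabilities": findings,
        "dependency_files": [],
        "remediations": [],
        "scan": {
            "scanner": {**SCANNER, "vendor": {"name": "OWASP"}, "version": scanner_version},
            "type": "dependency_scanning",
            "status": "success",
            "start_time": report_date,
            "end_time": report_date,
        },
    }


# Constructed Dependency-Check report with one vulnerable and one clean dependency.
SAMPLE_DC_REPORT = {
    "reportSchema": "1.1",
    "projectInfo": {"name": "demo", "reportDate": "2021-09-01T00:00:00Z"},
    "dependencies": [
        {
            "fileName": "example-lib-4.0.jar",
            "filePath": "/builds/demo/lib/example-lib-4.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@4.0"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-0000-0001", "severity": "HIGH",
                 "description": "Constructed description for the example."}
            ],
        },
        {"fileName": "clean.jar", "filePath": "/builds/demo/lib/clean.jar", "packages": []},
    ],
}

if __name__ == "__main__":
    # Usage: python convert.py dependency-check-report.json > gl-dependency-scanning-report.json
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DC_REPORT
    json.dump(convert(source), sys.stdout, indent=2)
```

Run it as an extra CI step after dependency-check and point `reports: dependency_scanning:` at the converted file rather than at Dependency-Check's own JSON; the `id` is hashed from the CVE and file path so that the same finding keeps the same identity across pipelines.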

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

1 reaction
aikebah commented, Sep 7, 2021

After fixing up the URI formats in a SARIF report I had locally:

  • replace \/ by /
  • replace file://// by file:///

The SARIF file is considered valid by the generic validator. Activating the GitHub ingestion rules yields one additional error:

SARIF2012: 'runs[0].tool.driver' does not provide a 'rules' property. 'rules' contain information that helps users understand why each rule fires and what the user can do to fix it.

Which matches the requirements that GitHub posted for it (https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#run-object):

Name                  Description
tool.driver.rules[]   Required.

So while not required by the SARIF specification, for GitHub ingestion tool.driver.rules is a required property.
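The fix-ups described in the comment above, as an added example that is not part of the thread or of Dependency-Check: a Python script that loads a SARIF document (parsing the JSON already turns the `\/` escapes into plain `/`, so re-serialising drops them), rewrites `file:////` URIs to `file:///`, synthesises a `tool.driver.rules` entry for every `ruleId` referenced by a result so the SARIF2012 check passes, and lints for whatever is left. The sample SARIF document is constructed, its CVE id is a placeholder, and the rule descriptions it generates are placeholder text, not Dependency-Check's own.

```python
"""Normalise a SARIF report for GitHub ingestion: fix file:// URIs and make
sure runs[*].tool.driver.rules describes every ruleId used by a result.

Added example, not Dependency-Check's own code. The sample document is
constructed; "CVE-0000-0001" is a placeholder rule id and the generated rule
text is placeholder wording."""
import json
import re

# A correct local file URI is file:///path (three slashes); four or more is the
# malformed form seen in the report.
FILE_URI_RE = re.compile(r"^file:/{4,}")


def load_sarif(text: str) -> dict:
    """Parse SARIF JSON; json.loads already decodes the \\/ escapes to /."""
    return json.loads(text)


def fix_uris(node):
    """Recursively rewrite any 'uri' value of the form file:////... to file:///..."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "uri" and isinstance(value, str):
                node[key] = FILE_URI_RE.sub("file:///", value)
            else:
                fix_uris(value)
    elif isinstance(node, list):
        for item in node:
            fix_uris(item)
    return node


def ensure_rules(run: dict) -> dict:
    """Add a tool.driver.rules entry for every ruleId a result references (SARIF2012)."""
    driver = run.setdefault("tool", {}).setdefault("driver", {})
    rules = driver.setdefault("rules", [])
    known = {r["id"] for r in rules if "id" in r}
    for result in run.get("results", []):
        rule_id = result.get("ruleId")
        if rule_id and rule_id not in known:
            rules.append({
                "id": rule_id,
                # Placeholder wording; a real tool would describe the weakness and the fix.
                "shortDescription": {"text": f"Dependency affected by {rule_id}"},
                "fullDescription": {"text": result.get("message", {}).get("text", "")},
                "help": {"text": f"Upgrade or remove the affected dependency; see {rule_id}."},
            })
            known.add(rule_id)
    return run


def normalise(sarif: dict) -> dict:
    """Apply both fix-ups in place and return the document."""
    fix_uris(sarif)
    for run in sarif.get("runs", []):
        ensure_rules(run)
    return sarif


def lint(sarif: dict) -> list:
    """Return a list of the problems the GitHub ingestion rules would still flag."""
    problems = []
    for i, run in enumerate(sarif.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("rules"):
            problems.append(f"runs[{i}].tool.driver does not provide 'rules' (SARIF2012)")
        known = {r.get("id") for r in driver.get("rules", [])}
        for j, result in enumerate(run.get("results", [])):
            if result.get("ruleId") not in known:
                problems.append(f"runs[{i}].results[{j}] references unknown ruleId {result.get('ruleId')!r}")
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                if FILE_URI_RE.match(uri):
                    problems.append(f"runs[{i}].results[{j}] has malformed file URI {uri!r}")
    return problems


# Constructed SARIF document showing both defects: escaped slashes and a four-slash file URI.
SAMPLE_SARIF_TEXT = r'''{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "dependency-check", "version": "6.0.0"}},
    "results": [{
      "ruleId": "CVE-0000-0001",
      "level": "error",
      "message": {"text": "Constructed finding for the example"},
      "locations": [{"physicalLocation": {"artifactLocation": {
        "uri": "file:\/\/\/\/builds\/demo\/lib\/example.jar"}}}]
    }]
  }]
}'''

if __name__ == "__main__":
    doc = load_sarif(SAMPLE_SARIF_TEXT)
    print("before:", lint(doc))
    print("after:", lint(normalise(doc)))
    print(json.dumps(doc, indent=2))
```

Running `lint` before and after `normalise` on the sample shows the three findings (missing `rules`, unresolved `ruleId`, malformed URI) disappear; the same `lint` pass makes a useful CI gate in front of an upload step, failing the job before GitHub rejects the file.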

0 reactions
jeremylong commented, Jan 17, 2022

I have found several errors with the existing SARIF report. I created https://github.com/jeremylong/DependencyCheck/pull/3993 in order to address these issues. I have tested and GitHub is able to parse the updated SARIF report.
