Github action to run dependency check

dependency-check/Dependency-Check_Action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This action uses the Docker image built every night in https://github.com/dependency-check/DependencyCheck_Builder. That image already contains the updated vulnerability database, so the action does not have to download it during the run, which speeds up the scan.

What is Dependency-Check?

This action is based upon the OWASP Dependency-Check tool, a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it generates a report linking to the associated CVE entries.

How does it work?

The action has three required parameters:

  • project: the project name
  • path: the path to scan
  • format: the report format

Additionally, you can specify:

  • out: the output folder location relative to the GitHub workspace; by default it is `reports`
  • args: any remaining flags and parameters to pass to the binary; check the arguments page for valid options

Example:

```yaml
on: [push]

jobs:
  depchecktest:
    runs-on: ubuntu-latest
    name: depecheck_test
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Build project with Maven
        run: mvn clean install
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'test'
          path: '.'
          format: 'HTML'
          out: 'reports' # this is the default, no need to specify unless you wish to override it
          args: >
            --failOnCVSS 7
            --enableRetired
      - name: Upload Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports
```

Error: JAVA_HOME is not defined correctly

When used in conjunction with the GitHub Action setup-java you will see the error `Error: JAVA_HOME is not defined correctly`.

This is due to the environment variable `JAVA_HOME` being changed by the setup-java GitHub Action. To fix this problem you will need to reset `JAVA_HOME` within the Depcheck step so that it matches how it is set in the Dependency-Check Docker image.

Example:

```yaml
...
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # actions/setup-java@v1 changes JAVA_HOME so it needs to be reset to match the depcheck image
          JAVA_HOME: /opt/jdk
...
```
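To make the two sections above concrete, here is an added illustration (not the action's own entrypoint.sh): a hypothetical POSIX sh entrypoint that maps the `with:` inputs (project, path, format, out, args) to Dependency-Check CLI flags, applies the `reports` default, and performs the kind of `JAVA_HOME` sanity check that is assumed here to be what surfaces as the "JAVA_HOME is not defined correctly" error when setup-java has repointed the variable.

```shell
#!/usr/bin/env sh
# Hypothetical entrypoint logic for the action (illustration only, not the
# project's real entrypoint.sh). GitHub exposes each `with:` input to the
# container as INPUT_<NAME>; the functions below take them as arguments.

# Return 0 when $1 is a usable JDK home, i.e. it has an executable bin/java.
# An empty or repointed JAVA_HOME (as left behind by setup-java) fails here,
# which is the situation the README fixes by resetting JAVA_HOME to /opt/jdk.
java_home_ok() {
  [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# Print the dependency-check.sh command line for the given inputs.
# Arguments: project scan_path format out extra_args
# Fails when one of the three required inputs (project, path, format) is empty.
build_depcheck_cmd() {
  project="$1"; scan_path="$2"; format="$3"; out="$4"; extra_args="$5"
  for required in "$project" "$scan_path" "$format"; do
    if [ -z "$required" ]; then
      echo "error: project, path and format are required inputs" >&2
      return 1
    fi
  done
  # `out` is relative to the GitHub workspace and defaults to "reports".
  out="${out:-reports}"
  workspace="${GITHUB_WORKSPACE:-/github/workspace}"
  cmd="dependency-check.sh --project \"$project\" --scan \"$scan_path\""
  cmd="$cmd --format \"$format\" --out \"$workspace/$out\""
  # Anything passed via `args` (e.g. "--failOnCVSS 7 --enableRetired") is
  # appended verbatim, so the action does not need to know every CLI flag.
  if [ -n "$extra_args" ]; then
    cmd="$cmd $extra_args"
  fi
  printf '%s\n' "$cmd"
}

# Emit the same error the README documents if JAVA_HOME is unusable.
check_java_home() {
  if ! java_home_ok "$JAVA_HOME"; then
    echo "Error: JAVA_HOME is not defined correctly" >&2
    return 1
  fi
}
```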

How Do I Use It?

We recommend adding the above example into your .github/workflows directory, using a name of your choice, in this example main.yml.

It should look like this:

Once that action kicks off, you should be able to see it running in the Actions tab.

Finally, once it has completed, a report will be generated and accessible from the Actions tab.

Downloading this and opening it in a browser will give you the following (for example):

Who Is Behind It?

Dependency check action was developed by the Santander UK Security Engineering team, namely:
