Add cache method in documentation #110

Open
LvffY opened this issue Nov 9, 2022 · 2 comments

LvffY commented Nov 9, 2022

Hello

I think that most people want to reduce the runtime of their pipelines.

Because of that, I recently needed to search for a way to cache dependency-check CVE data (because it was most of the time of the dependency-check analysis, even for large repositories with many dependencies).

I think that we need to add an "official" method on how to cache dependency-check data. For example, in my case, my dependency-check analysis went from 2m19s of execution to 13s, which can be greatly appreciated by most users!

My solution

Here is the solution I found (I don't necessarily say that it is the best way, just my way; I can take advice here :)):

          - task: Bash@3
            displayName: 'Look for dependency-check data directory'
            inputs:
              targetType: 'inline'
              script: |
                # Find the dependency-check root directory
                dc_directory=$(find "$AGENT_WORKFOLDER/_tasks" -type d -name dependency-check)
                echo "##vso[task.setvariable variable=DEPENDENCY_CHECK_DATA]${dc_directory}/data"

          - task: Cache@2
            displayName: Cache dependency check data
            inputs:
              key: 'dependency-check | "$(Agent.OS)"'
              path: $(DEPENDENCY_CHECK_DATA)

          - task: dependency-check-build-task@6
            displayName: Run dependency-check analysis
            inputs:
              projectName: $(System.TeamProject)_$(Build.Repository.Name)
              scanPath: '.tox/**/py*'
              format: 'ALL'
              reportsDirectory: 'dependency-check'
              warnOnCVSSViolation: true
              enableExperimental: true

@pimschrama

Thx for publishing your solution.

ejohn20 (Collaborator) commented Jan 23, 2023

We run a nightly job that runs this command and zips up the files in the data directory.

    ./dependency-check/bin/dependency-check.sh --updateonly
    ls -la ./dependency-check/data

That zip file is pushed to a CDN that provides a fast download for the zip file.

Then, we use the following build task to pull the zip file and unpack it into the data directory before running the scan. The --noupdate arg tells the scan to skip downloading the latest data sets.

    - task: dependency-check-build-task@6
      displayName: Run OWASP Dependency Check
      inputs:
        projectName: 'SCA'
        scanPath: '/tmp/app.jar'
        format: 'ALL'
        dependencyCheckVersion: '7.4.4'
        # Zip of the data directory produced by the nightly --updateonly job
        dataMirror: 'https://mycdn.com/data/7.4.4.zip'
        # Skip downloading the latest data sets during the scan
        additionalArguments: '--noupdate'
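
Added example, not part of this thread or the project's own code: a POSIX shell gate that a pipeline step could run on a mirrored data archive like the one in the last comment, so that a `--noupdate` scan never consumes an archive whose digest does not match or whose vulnerability data is too old. The manifest format, the `MAX_AGE_HOURS` default and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the issue. Gate a mirrored dependency-check data
# archive before a --noupdate scan consumes it.
# Assumed (hypothetical) manifest format, written by the nightly job and
# delivered over a channel separate from the CDN: "<sha256-hex> <build-epoch>".

MAX_AGE_HOURS="${MAX_AGE_HOURS:-36}"   # policy value chosen for illustration

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_data_archive ARCHIVE MANIFEST [NOW_EPOCH]
# Returns 0 = usable, 1 = missing/malformed input, 2 = digest mismatch, 3 = stale.
verify_data_archive() {
  vda_archive="$1"; vda_manifest="$2"; vda_now="${3:-$(date +%s)}"
  [ -f "$vda_archive" ] && [ -f "$vda_manifest" ] || { echo "missing input" >&2; return 1; }
  read -r vda_want vda_built < "$vda_manifest" || true
  case "$vda_want" in
    ''|*[!0-9a-fA-F]*) echo "malformed digest in manifest" >&2; return 1 ;;
  esac
  [ "${#vda_want}" -eq 64 ] || { echo "digest is not 64 hex chars" >&2; return 1; }
  case "$vda_built" in
    ''|*[!0-9]*) echo "malformed build time in manifest" >&2; return 1 ;;
  esac
  vda_want="$(printf '%s' "$vda_want" | tr 'A-F' 'a-f')"
  if [ "$(sha256_of "$vda_archive")" != "$vda_want" ]; then
    echo "digest mismatch: refusing to unpack $vda_archive" >&2; return 2
  fi
  # Freshness comes from the build time in the manifest, not the file's mtime,
  # because a download resets mtime to the time of the fetch.
  if [ $(( vda_now - vda_built )) -gt $(( MAX_AGE_HOURS * 3600 )) ]; then
    echo "data built more than ${MAX_AGE_HOURS}h ago: vulnerability data is stale" >&2; return 3
  fi
  return 0
}
```

Failing the build on a non-zero return keeps a stalled nightly job or a replaced archive from silently producing clean-looking scan reports.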
