This action uses the docker image built every night in https://github.com/dependency-check/DependencyCheck_Builder. This image includes the updated vulnerabilities database so there is no need to update it. Therefore, it speeds up the test.
This action is based upon the OWASP Dependency-Check tool, a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
The action has three required parameters:
project
: the project namepath
: the scanpathformat
: the report format
Additionally, you can specify:
out
: the output folder location relative to the github workspace, by default it will bereports
args
: any remaining flags and parameters to the binary, check the arguments page for valid options
Example:
on: [push]
jobs:
depchecktest:
runs-on: ubuntu-latest
name: depecheck_test
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Build project with Maven
run: mvn clean install
- name: Depcheck
uses: dependency-check/Dependency-Check_Action@main
id: Depcheck
with:
project: 'test'
path: '.'
format: 'HTML'
out: 'reports' # this is the default, no need to specify unless you wish to override it
args: >
--failOnCVSS 7
--enableRetired
- name: Upload Test results
uses: actions/upload-artifact@master
with:
name: Depcheck report
path: ${{github.workspace}}/reports
When used in conjunction with the GitHub Action setup-java you will see the error Error: JAVA_HOME is not defined correctly
This is due to the environment variable JAVA_HOME
being changed by the setup-java GitHub Action. To fix this problem you will need to reset JAVA_HOME
to match how it's being set in the image Dependency-Check Docker Image within the Depcheck step.
Example:
```yaml
...
- name: Depcheck
uses: dependency-check/Dependency-Check_Action@main
env:
# actions/setup-java@v1 changes JAVA_HOME so it needs to be reset to match the depcheck image
JAVA_HOME: /opt/jdk
...
We recommend adding the above example into your .github/workflows directory, using a name of your choice, in this example main.yml.
It should look like this
Once that action kicks off, you should be able to see it running in the actions tab.
Finally, once it has completed, a report will be generated and accessible from the actions tab
Downloading this and opening it in a browser will give you the following (for example)
Dependency check action was developed by the Santander UK Security Engineering team, namely: