Pipeline .net get vulnerabilities

DavidL July 5, 2023

Hi

I am creating a pipeline and using this to try and get the vulnerabilities and stop the build with notification of issues:

dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
grep -q -i "critical\|high\|moderate\|low" build.log; [ $? -eq 0 ] && echo "Security Vulnerabilities found on the log output" && exit 1

Line 1 works but line 2 errors and the pipeline does not build.

This is where I found the example:

https://www.mytechramblings.com/posts/check-if-your-dotnet-app-dependencies-has-a-security-vulnerability-on-you-cicd-pipelines/

Thanks.

Dave

Patrik S
Atlassian Team
July 6, 2023

Hey @DavidL ! Thank you for reaching out to the community!

I think the command is failing because by default grep will return a non-zero exit code when no matching string is found in the file, and Pipelines will immediately fail the build when a non-zero exit code is returned.

In this case, I would suggest adding the grep command directly in an if statement condition, so bash will not abort the pipeline when resolving the exit code. The command in your step would look like the following:

pipelines:
  default:
    - step:
        name: My test
        script:
          - dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
          - cat build.log
          - if grep -q -i "critical\|high\|moderate\|low" build.log;then echo "Security Vulnerabilities found on the log output" && exit 1;fi
          - <rest of your commands>

You can try testing based on the example above and let us know how it goes.

Thank you, @DavidL !

Patrik S
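An added example, not from this thread or from Atlassian, that turns the severity check into shell functions: it only inspects the `> package` rows of the scan output rather than matching severity words anywhere in the log, so a line such as "The following sources were used:" (which contains "low") does not trip the gate, and the gate is called from an `if` so its non-zero return does not abort a `set -e` pipeline script. The sample log lines are constructed to mimic the tool's output and the advisory URLs are placeholders.

```shell
#!/usr/bin/env bash
# Constructed sample logs (not real scan output; advisory URLs are placeholders)
# in the shape `dotnet list package --vulnerable --include-transitive` prints.
TMP="$(mktemp -d)"
VULN_LOG="$TMP/vuln.log"; CLEAN_LOG="$TMP/clean.log"
printf '%s\n' \
  'The following sources were used:' \
  '   https://api.nuget.org/v3/index.json' \
  'Project `MyApp` has the following vulnerable packages' \
  '   [net7.0]:' \
  '   Top-level Package   Requested   Resolved   Severity   Advisory URL' \
  '   > Some.Package      1.0.0       1.0.0      High       https://example.invalid/advisory-placeholder-1' \
  '' \
  '   Transitive Package  Resolved   Severity   Advisory URL' \
  '   > Other.Package     2.3.4      Low        https://example.invalid/advisory-placeholder-2' \
  > "$VULN_LOG"
printf '%s\n' \
  'The following sources were used:' \
  '   https://api.nuget.org/v3/index.json' \
  'The given project `MyApp` has no vulnerable packages given the current sources.' \
  > "$CLEAN_LOG"

# The pattern from the thread: counts every line containing a severity word,
# so words like "following" and "allow" count too (false positive on a clean log).
naive_matches() { grep -c -i 'critical\|high\|moderate\|low' "$1"; }

# Count package rows ("   > Name ... Severity URL") whose severity is at or
# above the threshold; the severity is the field just before the advisory URL.
count_vulns() {
  awk -v thr="${2:-low}" '
    BEGIN { rank["low"]=1; rank["moderate"]=2; rank["high"]=3; rank["critical"]=4; n=0 }
    /^[[:space:]]*>[[:space:]]/ { sev = tolower($(NF-1)); if (sev in rank && rank[sev] >= rank[thr]) n++ }
    END { print n }' "$1"
}

# Build gate: returns 1 when anything at/above the threshold is found, else 0.
# Call it inside `if` so the non-zero return does not abort a `set -e` script.
vuln_gate() {
  n="$(count_vulns "$1" "${2:-low}")"
  if [ "$n" -gt 0 ]; then
    echo "Security vulnerabilities found: $n package(s) at or above ${2:-low}"
    return 1
  fi
  echo "No vulnerable packages at or above ${2:-low}"
}

# Pipeline usage (after `dotnet restore`; `set -o pipefail` keeps a failing
# dotnet command from being masked by tee's exit status):
#   dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
#   if ! vuln_gate build.log moderate; then exit 1; fi
```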

DavidL July 10, 2023

Hi Patrik


Thanks for the response. It still does not work: there is also an error when trying to get the assets file for the packages, along with it still erroring when running the grep command. It does not seem to show an error on the grep command, however?

Screenshot 2023-07-10 101658.png

Patrik S
Atlassian Team
July 13, 2023

Hey @DavidL ,

This error seems to be specific to dotnet. The documentation you shared in the question states that a dotnet restore is required before the dotnet list package command. You can include that dotnet restore command as the first command in the pipeline step and verify if the issue is solved.

If the error is still happening, I would suggest debugging your pipeline locally in a Docker container following the instructions in the article below:

With this option, you can test different approaches to fix the issue locally without wasting your Bitbucket Pipelines build minutes. Once it's running fine locally, you can then push the changes to Bitbucket and the pipeline should complete successfully as well.

Thank you, @DavidL !

Patrik S

DavidL July 13, 2023

Thanks, I now have the dotnet vulnerability check working at least; however, it is actually reporting issues with the dotnet Docker image/.NET SDK, which is the latest one!

Screenshot 2023-07-13 172915.png
