Hi
I am creating a pipeline and using this to try and get the vulnerabilities and stop the build with notification of issues:
dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
grep -q -i "critical\|high\|moderate\|low" build.log; [ $? -eq 0 ] && echo "Security Vulnerabilities found on the log output" && exit 1
Line 1 works but line 2 errors and the pipeline does not build.
This is where I found the example:
Thanks.
Dave
Hey @DavidL ! Thank you for reaching out to the community!
I think the command is failing because by default grep will return a non-zero exit code when no matching string is found in the file, and pipelines will immediately fail the build when a non-zero exit code is returned.
In this case, I would suggest adding the grep command directly on an if statement condition, so bash will not abort the pipeline when resolving the exit code. The command in your step would look like the following:
pipelines:
  default:
    - step:
        name: My test
        script:
          - dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
          - cat build.log
          - if grep -q -i "critical\|high\|moderate\|low" build.log;then echo "Security Vulnerabilities found on the log output" && exit 1;fi
          - <rest of your commands>
You can try testing based on the example above and let us know how it goes.
Thank you, @DavidL !
Patrik S
Hi Patrik
Thanks for the response. It still does not work: there is also an error when trying to get the assets file on the packages, along with it still erroring on the grep command. It does not seem to show an error on the grep command, however?
Hey @DavidL ,
This error seems to be specific to dotnet. The documentation you shared in the question states that a dotnet restore is required before the dotnet list package command. You can include that dotnet restore command as the first command in the pipeline step and verify if the issue is solved.
If the error is still happening, I would suggest debugging your pipeline locally in a docker container following the instructions in the article below:
With this option, you can test different approaches to fix the issue locally without wasting your Bitbucket pipeline build minutes. Once it's running fine locally, you can then push the changes to Bitbucket and the pipeline should complete successfully as well.
Thank you, @DavidL !
Patrik S
Thanks, I now have the dotnet vulnerability check working at least; however, it is actually reporting issues with the dotnet Docker image/.NET SDK, which is the latest one!