I've recently migrated from Snyk Scan pipe to Bitbucket Dependency Scanner, but I'm running into an issue.
I'm using
script:
- pipe: atlassian/bitbucket-dependency-scanner:0.5.0
variables:
NVD_API_KEY: $NVD_API_KEY
EXTRA_ARGS:
- "--failOnCVSS=7"and I expect for it to generate a CodeInsights report when it fails, just like Snyk Scan does, but Bitbucket Dependency Scanner doesn't.
It generates a report only if it succeeds, but I want the pipeline to fail in case a vulnerability needs to be addressed.
Can the code for the pipe be changed to something like
...
try:
process = subprocess.run(
scan_command,
check=True,
text=True,
encoding='utf-8',
capture_output=True
)
except subprocess.CalledProcessError as e:
if e.returncode != 0:
if self.should_create_report:
self.log_info('Generating CodeInsights reports...')
self.create_code_insights_report()
self.fail(message=f'Dependency scan failed. The result status code: {e.returncode}, {e.output} {e.stderr}')
self.log_warning(f' detect result status code: {e.returncode}, {e.output} {e.stderr}')
else:
self.log_info(process.stdout)
if self.should_create_report:
self.log_info('Generating CodeInsights reports...')
self.create_code_insights_report()
...
instead of the current version below?
...
try:
process = subprocess.run(
scan_command,
check=True,
text=True,
encoding='utf-8',
capture_output=True
)
except subprocess.CalledProcessError as e:
if e.returncode != 0:
self.fail(message=f'Dependency scan failed. The result status code: {e.returncode}, {e.output} {e.stderr}')
self.log_warning(f' detect result status code: {e.returncode}, {e.output} {e.stderr}')
else:
self.log_info(process.stdout)
if self.should_create_report:
self.log_info('Generating CodeInsights reports...')
self.create_code_insights_report()
...
I'd open a PR myself to discuss it if it were possible.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.