G’day, this blog post is about adding OWASP Dependency Check to an Azure Build pipeline, with Universal Packages used to hold all of the build output. The SonarQube plugin will be the MSBuild scanner (MSBuild.exe) and will perform the quality analysis for the continuous integration part.
OWASP Dependency Check – The purpose of Dependency Check is to check your dependencies for known vulnerabilities. It works cross-platform and integrates well with SonarQube. It works both in Azure DevOps (online) and Azure DevOps Server (on premise).
This plugin can be downloaded here – https://marketplace.visualstudio.com/items?itemName=InfoSupport.infosupport-owasp-dependecy-checker
For this demo project, we create a new project in Azure DevOps, LegacyToVogue, and scope it to the build pipeline for the continuous integration part.
We have an empty Azure Repository here; we will quickly import the code from GitHub.
After importing the source code from GitHub, we now have all the required files.
Once the source code is available we will create the Azure Build Pipeline, and later on we will add the required plugins. Also, please move over to the Azure Marketplace and download the required plugins.
For Universal Packages – According to Microsoft's definition, Universal Packages store one or more files together in a single unit that has a name and a version. You can publish Universal Packages from the command line by using the Azure CLI. In simple terms, we will use one to hold the build output and later consume it from the release pipeline.
Let's create an Azure Artifacts feed; we will use this for storing the build output.
Let's move over to our Azure Build Pipeline and add a new task for OWASP Dependency Check.
Let's also add a Universal Package task, to ensure we are storing the build output with all the required dependencies to be used by the release pipeline. Please have the destination feed ready in Azure Artifacts.
Once the tasks are done and the YAML task code matches the above, we will trigger the build and see the outcome.
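The following azure-pipelines.yml is an added example of the pipeline described above, not the post's own YAML: it restores and builds the solution under the SonarQube MSBuild scanner, runs OWASP Dependency Check against the restored dependencies, and publishes the build output as a Universal Package. The service connection name `SonarQube-Connection`, the feed `LegacyToVogue-Feed`, the package name `legacytovogue-build` and the CVSS threshold are assumptions. The task id `dependency-check-build-task@6` is the one registered by the OWASP dependency-check publisher's marketplace extension; the InfoSupport extension linked above may register a different task id, so confirm the task name in the pipeline editor before copying.

```yaml
# Added example (not the post's own pipeline). Assumed names: the SonarQube
# service connection 'SonarQube-Connection', the Azure Artifacts feed
# 'LegacyToVogue-Feed', the package 'legacytovogue-build', and the OWASP task id
# 'dependency-check-build-task@6' (from the OWASP dependency-check publisher's
# extension; the InfoSupport extension may use a different id).
trigger:
  - main

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'

steps:
  - task: NuGetToolInstaller@1

  # Restore first so Dependency Check sees the actual packages the build uses.
  - task: NuGetCommand@2
    inputs:
      restoreSolution: '**/*.sln'

  # Prepare must run before MSBuild so the SonarQube scanner hooks the compile.
  - task: SonarQubePrepare@4
    inputs:
      SonarQube: 'SonarQube-Connection'
      scannerMode: 'MSBuild'
      projectKey: 'LegacyToVogue'
      projectName: 'LegacyToVogue'

  - task: VSBuild@1
    inputs:
      solution: '**/*.sln'
      configuration: '$(buildConfiguration)'
      msbuildArgs: '/p:OutDir=$(Build.ArtifactStagingDirectory)\'

  - task: SonarQubeAnalyze@4

  - task: SonarQubePublish@4
    inputs:
      pollingTimeoutSec: '300'

  # Scan the checked-out tree (including restored packages) for known
  # vulnerabilities and fail the build when a finding reaches CVSS 7.0.
  - task: dependency-check-build-task@6
    inputs:
      projectName: 'LegacyToVogue'
      scanPath: '$(Build.SourcesDirectory)'
      format: 'HTML,JSON'
      failOnCVSS: '7'

  # Only reached when the scan passed: publish the build output as a
  # Universal Package so the release pipeline deploys a scanned build.
  - task: UniversalPackages@0
    inputs:
      command: 'publish'
      publishDirectory: '$(Build.ArtifactStagingDirectory)'
      feedsToUsePublish: 'internal'
      vstsFeedPublish: 'LegacyToVogue-Feed'
      vstsFeedPackagePublish: 'legacytovogue-build'
      versionOption: 'patch'
      packagePublishDescription: 'Build $(Build.BuildNumber) of LegacyToVogue'
```

Ordering is the point of this layout: the Dependency Check task sits between the build and the Universal Package publish, so a build whose dependencies carry a finding at or above the threshold never reaches Azure Artifacts and therefore cannot be picked up by the release pipeline. Lower `failOnCVSS` to tighten the gate, and keep the JSON report alongside the HTML one if you want to consume the findings elsewhere.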