The Problem
I have posted in the past about caching the National Vulnerability Database (NVD) used by Jeremy Long’s DependencyCheck tool via the associated Azure DevOps task.
Today I had an issue where, on one pipeline, the Azure DevOps task was reporting the following error:
Starting: Dependency Check
==============================================================================
Task : OWASP Dependency Check
Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version : 6.3.0
Author : Dependency Check
Help : [More Information](https://github.com/dependency-check/azuredevops)
==============================================================================
Starting Dependency Check...
Setting report directory to D:\a\1\TestResults\dependency-check
Creating report directory at D:\a\1\TestResults\dependency-check
Downloading Dependency Check latest installer from GitHub..
Cannot read properties of undefined (reading 'find')
##[error]Cannot read properties of undefined (reading 'find')
##[error]Unhandled error condition detected.
Ending Dependency Check...
Finishing: Dependency Check
The Analysis
I tried a few things:
- Left the pipeline an hour and retried it, in case the issue was GitHub API throttling - it was not the issue.
- Checked that the error was not seen in other build pipelines - it was not, so not an issue with the downloading of the tools
- Checked that the error was not seen when the failing pipeline was run against another branch - it was not, so pointing to either
  - an error in the YAML, which it was not as this had not changed between branches
  - or a problem with the cached NVD data
The key point to remember is that the Azure DevOps cache task is pipeline and branch aware. Changing the pipeline or the branch swaps the cached dataset, which suggested that the NVD data cached for my target branch was corrupt in some way.
The Solution
So I decided I needed a means to clear the cache without having to wait 7 days for it to expire. I altered my YAML to add a parameter to disable the cache task, causing the Dependency Check task to re-download its NVD data.
parameters:
  # other params
  - name: useCache
    type: boolean
    default: true
stages:
  - stage: Build
    jobs:
      - job: Build
        displayName: Build
        cancelTimeoutInMinutes: 1
        pool:
          vmImage: windows-latest
        steps:
          - checkout: self
          - powershell: |
              $nvdcachepath = $(get-childitem "$(Agent.WorkFolder)\_tasks\dependency-check-build-task*\*.*.*\dependency-check\data").FullName
              echo "##vso[task.setvariable variable=nvdcachepath;]$nvdcachepath"
            displayName: Find the NVD Cache path
          # create the cache
          - task: Cache@2
            inputs:
              key: '"NVDCache" | "$(Agent.OS)"'
              restoreKeys: |
                NVDCache | "$(Agent.OS)"
                NVDCache
              path: $(nvdcachepath)
            displayName: NVD Cache
            enabled: ${{parameters.useCache}}
I committed this change to my branch, and the CI build ran and completed successfully.
This was not what I expected. As I had defaulted the new parameter to use the cache, I had expected the pipeline to fail as before, but then work when I manually ran the pipeline with the cache disabled.
So I am not sure what the takeaway is here. I suppose that having the option to disable the cache is always a good idea. But if you do see this type of issue, and you have no means to disable the cache, then the simple action of adding the parameter might sort you out.
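A complementary way to abandon a suspect cache entry, shown here as an added example that is not part of the original post: Cache@2 entries are immutable once saved, so changing the key is how you get a fresh one. The parameter name `nvdCacheVersion` is hypothetical; the rest mirrors the pipeline above.

```yaml
parameters:
  - name: useCache          # from the post: skip the Cache task entirely
    type: boolean
    default: true
  - name: nvdCacheVersion   # hypothetical name: change the value to abandon the current entry
    type: string
    default: v1

pool:
  vmImage: windows-latest

steps:
  - checkout: self

  - powershell: |
      $nvdcachepath = $(get-childitem "$(Agent.WorkFolder)\_tasks\dependency-check-build-task*\*.*.*\dependency-check\data").FullName
      echo "##vso[task.setvariable variable=nvdcachepath;]$nvdcachepath"
    displayName: Find the NVD Cache path

  - task: Cache@2
    inputs:
      # The version segment comes before the OS segment so that it is part of
      # every restore-key prefix. A restore key such as plain "NVDCache" would
      # still prefix-match the old entry and restore the suspect data.
      key: '"NVDCache" | "${{ parameters.nvdCacheVersion }}" | "$(Agent.OS)"'
      restoreKeys: |
        NVDCache | "${{ parameters.nvdCacheVersion }}" | "$(Agent.OS)"
        NVDCache | "${{ parameters.nvdCacheVersion }}"
      path: $(nvdcachepath)
    displayName: NVD Cache
    enabled: ${{ parameters.useCache }}
```

Queue a run with a new `nvdCacheVersion` value to force a cache miss; the Dependency Check task then downloads the NVD data again and the Cache task saves it under the new key.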