I have implemented a step in my pipeline which runs the dependency scanner tool to check my project; it generates a JSON and an HTML report and should generate the CodeInsights report by (default).
- step: &dependency-check
   name: Run Dependency Check
   script:
     - if [ -z "$NVD_API_KEY" ]; then echo "NVD_API_KEY is required"; exit 1; fi
     - pipe: atlassian/bitbucket-dependency-scanner:0.1.3
       variables:
         NVD_API_KEY: $NVD_API_KEY
         EXTRA_ARGS:
            - "--format=HTML"
            - "--failOnCVSS=7"
   artifacts:
     - dependency-check-report.json
     - dependency-check-report.html
However, despite the dependency-check-report.json file being generated, I consistently get an error when the CodeInsights Report is attempting to be generated. I am able to get the reports in my list of artefacts, but the report doesn't appear in the reports tab, and the step fails in the pipeline.
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Nuspec Analyzer (0 seconds)
[INFO] Finished MSBuild Project Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished NPM CPE Analyzer (1 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io\.etcd/jetcd-[a-z]*@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:redhat:etcd, regex=false, caseSensitive=false},PropertyType{value=cpe:/a:etcd:etcd, regex=false, caseSensitive=false},}}
[INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/io\.etcd/jetcd-grpc@.*$, regex=true, caseSensitive=false},cpe={PropertyType{value=cpe:/a:grpc:grpc, regex=false, caseSensitive=false},}}
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing JSON report to: /opt/atlassian/pipelines/agent/build/reports/dependency-check-report.json
[INFO] Writing HTML report to: /opt/atlassian/pipelines/agent/build/reports/dependency-check-report.html
INFO: None
INFO: Generating CodeInsights reports...
INFO: Loading the scanner's results ./reports/dependency-check-report.json
Traceback (most recent call last):
  File "/pipe.py", line 226, in 
    pipe.run()
  File "/pipe.py", line 214, in run
    self.create_code_insights_report()
  File "/pipe.py", line 56, in create_code_insights_report
    report_id = self.create_report(results_data)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'bool' object is not callable
I have tried to use an alternative directory structure, as well as not directory and kept the settings as default to generate the files in the root, but nothing seems to be working to get past this error, which seems to have an issue with loading the specified file and generating the report. Any help appreciated.
looks like something is happening :) https://bitbucket.org/atlassian/bitbucket-dependency-scanner/commits/9a697f936657f1cdff9fddb6b9cc0f8306c389d1
@Tomáš Kováčik coming soon ... :)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Max H
Thanks for your question!
Could you add DEBUG to the configuration and provide us with debug logs.
We'll investigate your case.
Best regards,
Oleksandr Kyrdan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Here is the last section of the log file (after the analysis of the files is complete). I have redacted the references to our project and vulnerabilities and was not able to identify any obvious issues with the flow of the code.
INFO - Finished Unused Suppression Rule Analyzer (0 seconds)
2024-11-08 13:12:59,510 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Archive Analyzer'
2024-11-08 13:12:59,510 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Ruby Bundle Audit Analyzer'
2024-11-08 13:12:59,510 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Elixir Mix Audit Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'File Name Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Jar Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Central Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Nexus Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Artifactory Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Nuspec Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Nugetconf Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'MSBuild Project Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Assembly Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Python Distribution Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Python Package Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'pip Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Pipfile Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Pipfile.lock Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Poetry Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Autoconf Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'OpenSSL Source Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'CMake Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Node.js Package Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Golang Mod Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Golang Dep Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Ruby Gemspec Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Ruby Bundler Analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Composer.lock analyzer'
2024-11-08 13:12:59,511 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'CocoaPods Package Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Carthage Package Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'SWIFT Package Manager Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'SWIFT Package Resolved Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Perl cpanfile Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Pinned Maven install Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Dart Package Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Libman Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'PE Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Dependency Merging Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Hint Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Version Filter Analyzer'
2024-11-08 13:12:59,512 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'NPM CPE Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'CPE Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'False Positive Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'NVD CVE Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Node Audit Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Yarn Audit Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Pnpm Audit Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'RetireJS Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Sonatype OSS Index Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Vulnerability Suppression Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Known Exploited Vulnerability Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Dependency Bundling Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:860
DEBUG - Closing Analyzer 'Unused Suppression Rule Analyzer'
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:689
DEBUG -
----------------------------------------------------
END ANALYSIS
----------------------------------------------------
2024-11-08 13:12:59,515 org.owasp.dependencycheck.Engine:691
INFO - Analysis Complete (4 seconds)
2024-11-08 13:12:59,529 org.apache.velocity.runtime.RuntimeInstance:272
DEBUG - Initializing Velocity, Calling init()...
2024-11-08 13:12:59,529 org.apache.velocity.runtime.RuntimeInstance:276
DEBUG - Starting Apache Velocity v2.3
2024-11-08 13:12:59,532 org.apache.velocity.runtime.RuntimeInstance:522
DEBUG - Default Properties resource: org/apache/velocity/runtime/defaults/velocity.properties
2024-11-08 13:12:59,536 org.apache.velocity.runtime.resource.loader.ResourceLoaderFactory:48
DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2024-11-08 13:12:59,537 org.apache.velocity.runtime.resource.loader.FileResourceLoader:84
DEBUG - FileResourceLoader: adding path '.'
2024-11-08 13:12:59,537 org.apache.velocity.runtime.resource.ResourceCacheImpl:119
DEBUG - initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2024-11-08 13:12:59,539 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2024-11-08 13:12:59,539 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2024-11-08 13:12:59,540 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2024-11-08 13:12:59,540 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2024-11-08 13:12:59,540 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2024-11-08 13:12:59,541 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2024-11-08 13:12:59,542 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2024-11-08 13:12:59,542 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2024-11-08 13:12:59,557 org.apache.velocity.runtime.ParserPoolImpl:57
DEBUG - Created '20' parsers.
2024-11-08 13:12:59,570 org.apache.velocity.runtime.VelocimacroFactory:152
DEBUG - "velocimacro.library.path" is not set. Trying default library: velocimacros.vtl
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:162
DEBUG - Default library velocimacros.vtl not found. Trying old default library: VM_global_library.vm
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:169
DEBUG - Old default library VM_global_library.vm not found.
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:253
DEBUG - allowInline = true: VMs can be defined inline in templates
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:274
DEBUG - allowInlineToOverride = false: VMs defined inline may NOT replace previous VM definitions
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:297
DEBUG - allowInlineLocal = false: VMs defined inline will be global in scope if allowed.
2024-11-08 13:12:59,571 org.apache.velocity.runtime.VelocimacroFactory:315
DEBUG - autoload off: VM system will not automatically reload global library macros
2024-11-08 13:12:59,575 org.owasp.dependencycheck.reporting.ReportGenerator:358
INFO - Writing JSON report to: /opt/atlassian/pipelines/agent/build/./dependency-check-report.json
2024-11-08 13:12:59,617 org.apache.velocity.runtime.VelocimacroFactory:385
DEBUG - added VM writeJsonException: source=org.apache.velocity.Template@7675c171
2024-11-08 13:12:59,756 org.owasp.dependencycheck.reporting.ReportGenerator:559
DEBUG - pretify json: /opt/atlassian/pipelines/agent/build/./dependency-check-report.json
2024-11-08 13:13:00,768 org.apache.velocity.runtime.RuntimeInstance:272
DEBUG - Initializing Velocity, Calling init()...
2024-11-08 13:13:00,768 org.apache.velocity.runtime.RuntimeInstance:276
DEBUG - Starting Apache Velocity v2.3
2024-11-08 13:13:00,770 org.apache.velocity.runtime.RuntimeInstance:522
DEBUG - Default Properties resource: org/apache/velocity/runtime/defaults/velocity.properties
2024-11-08 13:13:00,770 org.apache.velocity.runtime.resource.loader.ResourceLoaderFactory:48
DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2024-11-08 13:13:00,770 org.apache.velocity.runtime.resource.loader.FileResourceLoader:84
DEBUG - FileResourceLoader: adding path '.'
2024-11-08 13:13:00,771 org.apache.velocity.runtime.resource.ResourceCacheImpl:119
DEBUG - initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2024-11-08 13:13:00,771 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2024-11-08 13:13:00,772 org.apache.velocity.runtime.ParserPoolImpl:57
DEBUG - Created '20' parsers.
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:152
DEBUG - "velocimacro.library.path" is not set. Trying default library: velocimacros.vtl
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:162
DEBUG - Default library velocimacros.vtl not found. Trying old default library: VM_global_library.vm
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:169
DEBUG - Old default library VM_global_library.vm not found.
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:253
DEBUG - allowInline = true: VMs can be defined inline in templates
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:274
DEBUG - allowInlineToOverride = false: VMs defined inline may NOT replace previous VM definitions
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:297
DEBUG - allowInlineLocal = false: VMs defined inline will be global in scope if allowed.
2024-11-08 13:13:00,773 org.apache.velocity.runtime.VelocimacroFactory:315
DEBUG - autoload off: VM system will not automatically reload global library macros
2024-11-08 13:13:00,773 org.owasp.dependencycheck.reporting.ReportGenerator:358
INFO - Writing HTML report to: /opt/atlassian/pipelines/agent/build/./dependency-check-report.html
2024-11-08 13:13:00,851 org.apache.velocity.runtime.VelocimacroFactory:385
DEBUG - added VM writeHtmlException: source=org.apache.velocity.Template@40df6090
2024-11-08 13:13:00,958 org.owasp.dependencycheck.data.nvdcve.CveDB:312
DEBUG - Closing database
2024-11-08 13:13:00,959 org.owasp.dependencycheck.data.nvdcve.CveDB:314
DEBUG - Cache cleared
2024-11-08 13:13:00,959 org.owasp.dependencycheck.data.nvdcve.CveDB:317
DEBUG - Connection closed
2024-11-08 13:13:00,959 org.owasp.dependencycheck.data.nvdcve.CveDB:323
DEBUG - Resources released
2024-11-08 13:13:00,959 org.owasp.dependencycheck.data.nvdcve.DriverLoader:57
DEBUG - Begin deregister driver
2024-11-08 13:13:00,960 org.owasp.dependencycheck.data.nvdcve.DriverLoader:59
DEBUG - End deregister driver
2024-11-08 13:13:00,966 org.owasp.dependencycheck.utils.Settings:890
DEBUG - Deleting ALL temporary files from `/tmp/dctemp87909781-55f9-4230-ab6c-6eb225e70efd`
2024-11-08 13:13:00,996 org.owasp.dependencycheck.App:90
DEBUG - Exit code: 0
Appreciate any advice, thank you!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
waiting PR (not by me): https://bitbucket.org/atlassian/bitbucket-dependency-scanner/pull-requests/6
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Max H @Tomáš Kováčik @iub fun @xavi
The new version with report fix is released bitbucket-dependency-scanner pipe:
atlassian/bitbucket-dependency-scanner:0.1.4
Also, NVD records database updated up to the current date.
Thank you all for your feedback!
It would be nice if you could share your feature request / feedback about the bitbucket-dependency-scanner pipe and the source of how you learned about the pipe.
Best regards,
Oleksandr Kyrdan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@xavi Thanks for your feedback!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@Oleksandr Kyrdanit is working also, here is where I find it out: https://bitbucket.org/bitbucket/product/features/pipelines/integrations?category=security
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
 
 
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.