Exclude directory #5398

Closed
AntonOellerer opened this issue Jan 30, 2023 · 7 comments
@AntonOellerer
Hey,

Describe the bug
I am unsuccessfully trying to exclude a directory from a github action analysis:

The directory layout of the project is such that the top-level directory contains src/ and examples/, with examples further containing a directory in which a package-lock.json lies.
You can take a look at the layout here

Version of dependency-check used
dependency-check/Dependency-Check_Action@main
I filed an issue there, but was redirected here

Log file
log file

To Reproduce
I set up the action as follows:

  dependency-check:
    name: run owasp dependency check
    runs-on: ubuntu-20.04
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version-file: '.python-version'
          cache: 'pip'
          cache-dependency-path: "pyproject.toml"
      - name: Install pypa/build
        run: >-
          python -m
          pip install
          build
          --user
      - name: Run owasp dependency check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 's3-metadata-tagger'
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 6
            --exclude '**/examples/*'

Expected behavior
The examples directory gets excluded from the analysis, no vulnerabilities are reported.

Additional context
The analysis fails due to vulnerable dependencies in the examples directory

@jeremylong
Owner

See issue #4995 - myproject.toml is still not supported. I'll look at resolving that shortly. However, to answer your immediate question you should use:

          args: >
            --failOnCVSS 6
            --exclude '**/examples/**'
            --enableExperimental

The exclude uses Ant-style globbing, and we are matching against files, not directories, so two asterisks are required.

@jeremylong jeremylong added question and removed bug labels Jan 30, 2023
@AntonOellerer
Author

Hey, thank you for the quick response!
Unfortunately, this did not work either; I attached the log of the analysis:
6_Run owasp dependency check.txt

@jeremylong
Owner

jeremylong commented Jan 30, 2023

Can you add:

          args: >
            --failOnCVSS 6
            --exclude '**/examples/**'
            --enableExperimental
            --log odc.log
      - name: Archive ODC log
        id: archive-logs
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: odc-logs
          retention-days: 7
          path: odc.log

Then download and provide the log?

@AntonOellerer
Author

odc.log

Here :)

@jeremylong
Owner

I am unable to reproduce this locally. If I run:

dependency-check.sh --scan . --enableExperimental --failOnCVSS 8 --exclude "**/examples/" --exclude "**/.git/"

Or

dependency-check.sh --scan . --enableExperimental --failOnCVSS 8 --exclude "**/examples/**" --exclude "**/.git/**"

The examples are correctly excluded. The action is doing the same thing - and you can see this in the provided logs:

2023-01-30 14:00:02,398 org.owasp.dependencycheck.App:372
DEBUG - Include: **/*
2023-01-30 14:00:02,401 org.owasp.dependencycheck.App:382
DEBUG - Exclude: '**/examples/**'

But in the action the examples directory is being included in the scan:

DEBUG - Found file /github/workspace/examples/serverless-triggered/package-lock.json
2023-01-30 14:00:02,435 org.owasp.dependencycheck.App:390
DEBUG - Found file /github/workspace/examples/serverless-triggered/package.json
2023-01-30 14:00:02,435 org.owasp.dependencycheck.App:390
DEBUG - Found file /github/workspace/examples/serverless-triggered/requirements.txt
2023-01-30 14:00:02,435 org.owasp.dependencycheck.App:390
DEBUG - Found file /github/workspace/examples/serverless-triggered/serverless.yml

I'm at a bit of a loss on this one...

@AntonOellerer
Author

Glad to hear I am not the only one 😅
Strangely, the same also happens with the trivy check (aquasecurity/trivy-action#194)

@AntonOellerer
Author

The solution was discovered in dependency-check/Dependency-Check_Action#20 (comment): the problem was the quotes around **/examples/**. Thank you for the help!
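The two mechanics this thread turns on, as an added example (mine, not dependency-check's or the action's code): why `**/examples/*` leaves files under `examples/` in scope while `**/examples/**` excludes them, and why `'**/examples/**'` excludes nothing when the quote characters reach the CLI as part of the pattern. The matcher below approximates Ant's DirectoryScanner rules (`*` stays within one path segment, `**` spans segments, a trailing `/` gets `**` appended); the file paths are the ones from the DEBUG log above, plus two constructed source files. The assumption that the action hands `args` to the CLI by plain whitespace splitting with no quote removal is mine; it is consistent with the log line `Exclude: '**/examples/**'`, which shows the quotes surviving.

```python
"""Ant-style exclude matching vs. how the --exclude value reaches the CLI.

Added example, not project code. Approximates Ant DirectoryScanner globbing.
"""
import re
import shlex

# Paths from the thread's DEBUG log, relative to the scan root (/github/workspace),
# plus two constructed paths that represent files that must remain in scope.
FOUND_FILES = [
    "examples/serverless-triggered/package-lock.json",
    "examples/serverless-triggered/package.json",
    "examples/serverless-triggered/requirements.txt",
    "examples/serverless-triggered/serverless.yml",
    "src/s3_metadata_tagger/__init__.py",  # constructed
    "pyproject.toml",                       # constructed
]


def ant_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style glob into a regex anchored over the whole relative path.

    Rules (approximation of Ant's DirectoryScanner):
      trailing '/' -> '**' is appended, so 'examples/' means 'examples/**'
      '**/'        -> zero or more whole leading directory segments
      '**'         -> any characters, '/' included
      '*'          -> any run of characters within one segment (no '/')
      '?'          -> exactly one character within a segment
    Any other character, a quote included, is matched literally.
    """
    if pattern.endswith("/"):
        pattern += "**"
    i, out = 0, []
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append(r"(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # literal, including ' or "
            i += 1
    return re.compile("^" + "".join(out) + "$")


def split_args_like_shell(args: str) -> list:
    """A shell parsing the command line performs quote removal (the local runs above)."""
    return shlex.split(args)


def split_args_like_unquoted_expansion(args: str) -> list:
    """Plain whitespace splitting, as an unquoted $ARGS expansion in sh would do.

    Assumption (not verified against the action's source): this is how the
    action forwards `args`, so the quote characters become part of the pattern.
    """
    return args.split()


def excludes_from(argv: list) -> list:
    """Collect the value following each --exclude flag."""
    return [argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok == "--exclude"]


def files_kept(paths: list, excludes: list) -> list:
    """Return the files that survive the exclude patterns (i.e. are still scanned)."""
    regexes = [ant_glob_to_regex(p) for p in excludes]
    return [f for f in paths if not any(r.match(f) for r in regexes)]


if __name__ == "__main__":
    args = "--failOnCVSS 6 --exclude '**/examples/**'"
    for label, argv in (
        ("shell-parsed (quotes removed)", split_args_like_shell(args)),
        ("whitespace-split (quotes kept)", split_args_like_unquoted_expansion(args)),
    ):
        excl = excludes_from(argv)
        print(f"{label}: exclude={excl!r} -> still scanned: {files_kept(FOUND_FILES, excl)}")
    for pat in ("**/examples/*", "**/examples/**", "**/examples/"):
        print(f"{pat!r} matches package-lock.json: "
              f"{bool(ant_glob_to_regex(pat).match(FOUND_FILES[0]))}")
```

Run stand-alone, the shell-parsed variant leaves only the two source files in scope, while the whitespace-split variant scans all six, reproducing the behaviour in the thread. The practical check is the one jeremylong pointed at: when the `Exclude:` DEBUG line prints the pattern with its quotes, the quotes are part of the pattern, so either drop them in `args:` or move the flag onto the command line of a step that is parsed by a real shell.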
