
Can you elaborate why the extension needs Build execute permissions? #129

Open
Zacharias3D opened this issue Jul 18, 2023 · 2 comments

@Zacharias3D

Hi there,

we've noticed that the DevOps-extension needs "Build (read and execute)" permissions and we were wondering why the execute is needed.

Can someone elaborate?

Thanks!

@HaGGi13 commented Aug 14, 2023

Hello,

AFAIK, and as I saw in the code, the extension uploads the analysis result and, if enabled, the log file (verbose logging) to the build artifacts. You'll find the code in the following snippet at lines 218 and 2023:

```ts
if (processArtifacts) {
  logDebug('Attachments:');
  // Collect every file produced in the reports directory
  let reports = tl.findMatch(reportsDirectory, '**/*.*');
  reports.forEach(filePath => {
    let fileName = path.basename(filePath).replace('.', '%2E');
    let fileExt = path.extname(filePath);
    logDebug(`Attachment name: ${fileName}`);
    logDebug(`Attachment path: ${filePath}`);
    logDebug(`Attachment type: ${fileExt}`);
    // Logging commands: attach the report to the task and publish it as a build artifact
    console.log(`##vso[task.addattachment type=dependencycheck-artifact;name=${fileName};]${filePath}`);
    console.log(`##vso[artifact.upload containerfolder=dependency-check;artifactname=Dependency Check;]${filePath}`);
  })
  // Upload logs
  if (enableVerbose)
    console.log(`##vso[build.uploadlog]${logFile}`);
}
```

As you'll find in the MS Docs > Supported scopes, this can be done with the scope vso.build_execute, which was defined for this extension.

BR, CW
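The discussion above comes down to comparing what an extension requests in its manifest (the `scopes` array of `vss-extension.json`) with what its task code actually does (the `##vso[...]` logging commands it emits). The following is an added least-privilege review helper written for this thread, not code from the dependency-check extension or its maintainers; the manifest fragment and task source it inspects are constructed samples modelled on the snippet quoted above, and the allow-list of acceptable scopes is an assumption a reviewer would set for their own organisation.

```javascript
// Added example: review the scopes an Azure DevOps extension requests
// against the logging commands its task source emits, so a reviewer can
// see which high-privilege scopes are not obviously justified by the code.

// Constructed sample manifest fragment in the vss-extension.json shape.
// This is NOT the dependency-check extension's real manifest.
const sampleManifest = {
  manifestVersion: 1,
  id: 'example-extension',
  scopes: ['vso.build_execute'],
};

// Constructed sample task source, modelled on the snippet quoted in the
// thread (the ##vso[...] commands are the real Azure DevOps logging commands).
const sampleSource = `
console.log(\`##vso[task.addattachment type=dependencycheck-artifact;name=\${fileName};]\${filePath}\`);
console.log(\`##vso[artifact.upload containerfolder=dependency-check;artifactname=Dependency Check;]\${filePath}\`);
if (enableVerbose)
  console.log(\`##vso[build.uploadlog]\${logFile}\`);
`;

// Assumed reviewer allow-list: scopes that may be granted without further
// discussion. 'vso.build' is read-only; 'vso.build_execute' additionally
// allows queuing builds, so it is deliberately left off the list.
const allowedScopes = new Set(['vso.build']);

// Return the requested scopes that are not on the allow-list.
function excessScopes(manifest, allowed = allowedScopes) {
  const requested = Array.isArray(manifest.scopes) ? manifest.scopes : [];
  return requested.filter((scope) => !allowed.has(scope));
}

// Extract the distinct "area.action" names of ##vso[...] logging commands
// found in task source, e.g. "artifact.upload". Sorted for stable output.
function loggingCommands(source) {
  const re = /##vso\[([a-z]+\.[a-zA-Z]+)/g;
  const found = new Set();
  let match;
  while ((match = re.exec(source)) !== null) {
    found.add(match[1]);
  }
  return [...found].sort();
}

// Combine both views into a small review report.
function reviewExtension(manifest, source) {
  return {
    requestedScopes: Array.isArray(manifest.scopes) ? manifest.scopes : [],
    excessScopes: excessScopes(manifest),
    loggingCommands: loggingCommands(source),
  };
}

console.log(JSON.stringify(reviewExtension(sampleManifest, sampleSource), null, 2));
```

For the constructed sample the report lists `vso.build_execute` as an excess scope while the only logging commands found are `task.addattachment`, `artifact.upload` and `build.uploadlog`; that gap is exactly the question the issue raises, and the helper is meant to make it visible during an extension review rather than to settle which scope those commands actually require.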

@Zacharias3D (Author)

Hi @HaGGi13!

Thanks for your answer. I don't agree that publishing artifacts needs the "Build & Execute" permission.
IMO, the Microsoft Docs state that the permission is needed to access already built artifacts, but I might be wrong here.

Still, if your statement is correct, the "Build"-permission should suffice.

I would advise the developers of the extension to test the extension w/o granting the "Build & Execute"-permissions and see whether all the features are still working properly.

The reason I think this is so important is that CVE checks will mostly be used in pipelines by companies, which have to comply with certain security guidelines.
Granting a DevOps extension, which does not have the greatest popularity or developer count and updates itself more or less regularly, the "Build & Execute" permission might seem very critical to those companies.

Anyways, thanks a lot for your response!
I just think that you need no permissions to publish pipeline artifacts from an extension.

Greetings,
Zacharias3D
