Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not use inline styles, scripts and image in dependency-check-report.html due to CSP #6576

Open
robertoschwald opened this issue Apr 11, 2024 · 7 comments
Open

Do not use inline styles, scripts and image in dependency-check-report.html due to CSP #6576

robertoschwald opened this issue Apr 11, 2024 · 7 comments
Labels
enhancement

Comments

@robertoschwald
Copy link

robertoschwald commented Apr 11, 2024
edited

Currently, the Gradle generated dependency-check-report.html holds inline-styles and scripts.
This is blocked by CSP if you serve the file by a server, like via Jenkins publishHTML.

The only way to get the page working currently is to lower CSP by

style-src 'self' 'unsafe-inline' and for script-src (this is strongly disscuraged)

Better is to externalize the styles, scripts and images into separate files and reference in dependency-check-report.html

Only possible way is to download the report html to get it working.
@robertoschwald robertoschwald changed the title Do not use inline-styles in dependency-check-report.html due to CSP Do not use inline styles in dependency-check-report.html due to CSP Apr 11, 2024
@robertoschwald robertoschwald changed the title Do not use inline styles in dependency-check-report.html due to CSP Do not use inline styles, scripts and image in dependency-check-report.html due to CSP Apr 11, 2024
@aikebah
Copy link
Collaborator

aikebah commented Apr 12, 2024

For your purpose I think it would suffice to switch your setup to use the report type JENKINS instead of report type HTML, which was added in response to #5039

@robertoschwald
Copy link
Author

Unfortunately, not really. The inline-styles are still blocked by CSP. Cleanest solution would be to split JS and css into seperate files in JENKINS type report, so we can publish them with the html page.

@jeremylong
Copy link
Owner

The purpose of having it all bundled is to have a single file that is completely contained so that it can easily be viewed offline. Regarding the JENKINS report - we accept PRs.

@LorenDorez
Copy link

What about pushing the js and css to a CDN and then linking to that in the HTML?

This also impact the SonarQube plugin/extension. With the CDN files we can then request SonarSource to add to their CSP header?

Or maybe a new version output for SQ that doesn't use any inline js for hiding/expanding sections and just show them all by default?

@LorenDorez
Copy link

I see a special html with no JS was added for Jenkins can we possibly expose that via the Azure plugin as I don't have that as an option in the dropdown

@aikebah
Copy link
Collaborator

aikebah commented May 30, 2024

@LorenDorez That would be something to raise with https://github.com/dependency-check/azuredevops
(I assume that's the Azure plugin you're talking about)

but by picking 'ALL' as the format in that plugin should, among others, also create the Jenkins report as an output format from your scan

@LorenDorez
Copy link

I was wanting to avoid the extra overhead of all since I didn't need all formats. I'll post a issue on the azure one

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jeremylong @robertoschwald @aikebah @LorenDorez