[JIRA] (JENKINS-54838) OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

segarrra@gmail.com (JIRA)

unread,

Nov 23, 2018, 9:11:02 AM11/23/18

to jenkinsc...@googlegroups.com

Marc Peña created an issue

Jenkins /

JENKINS-54838

OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

Issue Type:	Bug
Assignee:	Unassigned
Components:	dependency-check-jenkins-plugin
Created:	2018-11-23 14:10
Labels:	plugin jenkins dependency-check
Priority:	Minor
Reporter:	Marc Peña

We're using the Jenkins plugin to analyze our software and are experimenting a buggy behavior. Every time we do a scan the plugin says that we got:

And the problem is that all of them are the same vulnerabilities, scan after scan, related to the Bouncy Castle provider: bcprov-jdk15on.jar

Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

segarrra@gmail.com (JIRA)

unread,

Nov 23, 2018, 9:11:02 AM11/23/18

to jenkinsc...@googlegroups.com

Marc Peña updated an issue

Jenkins /

JENKINS-54838

OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

Change By:	Marc Peña

We're using the Jenkins plugin to analyze our software and are experimenting a buggy behavior. Every time we do a scan the plugin says that we got:

{ { code:java}
12 new vulnerabilities
12 Fixed vulnerabilities {code } }

And the problem is that all of them are the same vulnerabilities, scan after scan, related to the Bouncy Castle provider: *bcprov-jdk15on.jar*

*!https://user-images.githubusercontent.com/3256953/48907536-0e604600-ee68-11e8-86a3-c95710e01986.png!*

*!https://user-images.githubusercontent.com/3256953/48907421-a9a4eb80-ee67-11e8-9e90-3ea378a70852.png!*

Add Comment

steve.springett@owasp.org (JIRA)

unread,

Nov 23, 2018, 4:31:02 PM11/23/18

to jenkinsc...@googlegroups.com

Steve Springett commented on

JENKINS-54838

Re: OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

What version of the Dependency-Check Jenkins plugin are you using?

What version of analysis-core (Static Code Analysis Plugins) is installed?

Do you have the warnings or warnings-ng plugin installed? If so, what version?

Add Comment

steve.springett@owasp.org (JIRA)

unread,

Nov 23, 2018, 4:33:01 PM11/23/18

to jenkinsc...@googlegroups.com

Steve Springett edited a comment on

JENKINS-54838

Re: OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

What version of the Dependency-Check Jenkins plugin are you using?

What version of analysis-core (Static Code Analysis Plugins) is installed?

Do you have the warnings or warnings-ng plugin installed? If so, what version?

Did you use the Dependency-Check Maven plugin, CLI, or the Jenkins plugin to produce dependency-check-result.xml?

Add Comment

steve.springett@owasp.org (JIRA)

unread,

Nov 23, 2018, 4:34:02 PM11/23/18

to jenkinsc...@googlegroups.com

Steve Springett assigned an issue to Steve Springett

Jenkins /

JENKINS-54838

OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

Change By:	Steve Springett
Assignee:	Steve Springett

Add Comment

segarrra@gmail.com (JIRA)

unread,

Nov 24, 2018, 7:38:02 PM11/24/18

to jenkinsc...@googlegroups.com

Marc P updated an issue

Jenkins /

JENKINS-54838

OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities

Change By:	Marc P

We're using the Dependency-Check Jenkins plugin *version 3.3.4* to analyze our software and are experimenting a buggy behavior. Every time we do a scan the plugin says that we got:

{code:java}
12 new vulnerabilities
12 Fixed vulnerabilities{code}
And the problem is that all of them are the same vulnerabilities, scan after scan, related to the Bouncy Castle provider: *bcprov-jdk15on.jar*

*!https://user-images.githubusercontent.com/3256953/48907536-0e604600-ee68-11e8-86a3-c95710e01986.png!*

*!https://user-images.githubusercontent.com/3256953/48907421-a9a4eb80-ee67-11e8-9e90-3ea378a70852.png!*