[JIRA] (JENKINS-59869) OWASP Dependency-Check Plugin v5.2.2 declarative pipeline java not recognized


terryvdgriend@gmail.com (JIRA)

Oct 21, 2019, 10:33:03 AM
to jenkinsc...@googlegroups.com
Terry van der Griend created an issue
Jenkins / Bug JENKINS-59869
OWASP Dependency-Check Plugin v5.2.2 declarative pipeline java not recognized
Issue Type: Bug
Assignee: Unassigned
Components: dependency-check-jenkins-plugin
Created: 2019-10-21 14:32
Environment: Windows 2012 Server,
Jenkins 2.190.1,
Maven 3.6.0,
JDK 11.0.1
Priority: Major
Reporter: Terry van der Griend

When upgrading the Dependency Check Plugin from version 4 to 5.2.2, we found the following problem.

We are using declarative pipeline scripts to run the Dependency Check Plugin. Formerly with version 4 we could use this setup for running the dependency check.

pipeline {
    agent {
        label 'master'
    }
    environment {
        JAVA_HOME = tool 'jdk-11.0.1'
        mvnHome = tool 'apache-maven-3.6.0'
        PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
    }
    stages {
        stage('Build sources') {
            steps {
                bat 'mvn clean verify -DskipTests'
            }
        }
        stage('Analyze dependencies') {
            steps {
                dependencyCheckAnalyzer(outdir: 'Dependency-Check',
                            suppressionFile: 'owasp-suppressions.xml',
                            scanpath: '',
                            datadir: '',
                            hintsFile: '',
                            zipExtensions: '',
                            isAutoupdateDisabled: true,
                            skipOnScmChange: false,
                            skipOnUpstreamChange: false,
                            includeHtmlReports: true,
                            includeVulnReports: true,
                            includeJsonReports: false,
                            includeCsvReports: false)
            }
        }
    }
}

This would run fine and reports were generated. So now with version 5.2.2 we have adjusted our pipeline script to be compliant with the new plugin.

pipeline {
    agent {
        label 'master'
    }
    environment {
        JAVA_HOME = tool 'jdk-11.0.1'
        mvnHome = tool 'apache-maven-3.6.0'
        PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
    }
    stages {
        stage('Build sources') {
            steps {
                bat 'mvn clean verify -DskipTests'
            }
        }
        stage('Analyze dependencies') {
            steps {
                dependencyCheck(additionalArguments: '''
                    -d D:/OWASP/dependency-check-data
                    --noupdate
                    --suppression backend/owasp-suppressions.xml
                    -o Dependency-Check''',
                    odcInstallation: 'dependency-check-5.2.2')
            }
        }
    }
}

When we run the pipeline with the script mentioned above, we get the following error.
[DependencyCheck] 'java' is not recognized as an internal or external command,
[DependencyCheck] operable program or batch file.
Which makes us suspect that the environment variables aren't passed properly.


steve.springett@owasp.org (JIRA)

Oct 21, 2019, 9:28:02 PM
to jenkinsc...@googlegroups.com
Steve Springett commented on Bug JENKINS-59869
Re: OWASP Dependency-Check Plugin v5.2.2 declarative pipeline java not recognized

The Jenkins plugin simply calls dependency-check.bat (or .sh). Nothing more. The error contains everything you need to fix it. It's likely a path issue in that java is not in the path. Take a look at bin/dependency-check.bat and see what the script is trying to do.

terryvdgriend@gmail.com (JIRA)

Oct 22, 2019, 2:50:03 AM
to jenkinsc...@googlegroups.com

Hi Steve,

I have added some echo statements in the Jenkinsfile, the mvn.bat and the dependency-check.bat to show the variables on the path.

This is the outcome of the Jenkinsfile echo statement.

D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\

This is the outcome of the mvn.bat echo statement.

D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\

This is the outcome of the dependency-check.bat echo statement.

C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\

It seems that the dependency check plugin doesn't provide the environment variables, which are added in the Jenkinsfile, to the dependency-check.bat.

steve.springett@owasp.org (JIRA)

Oct 22, 2019, 10:43:02 AM
to jenkinsc...@googlegroups.com

iwan.littel@technolution.nl (JIRA)

Dec 20, 2019, 5:35:04 AM
to jenkinsc...@googlegroups.com

Same problem here. We use multiple Jenkins slaves for our projects, where each one may have a different JAVA_HOME definition. So far we didn't have any issues with other plugins (e.g. jacoco) in our pipeline builds.

For the time being, we created a separate non-pipeline build job dedicated to running Dependency-Check. This isn't ideal however since we need to remember to check it regularly.

tom.gl@free.fr (JIRA)

Jan 28, 2020, 4:42:02 PM
to jenkinsc...@googlegroups.com

Not sure. The environment is being passed to the launcher which executes the CLI.

Unfortunately, the environment which is passed is not the right one (in a Pipeline, it won't include contributions from build wrappers, or the environment directive of a Declarative Pipeline, etc.). See JENKINS-29144, one has to implement Step rather than SimpleBuildStep to get access to the contextual environment in a Pipeline.

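An added example, not posted by anyone in this thread: since the explanation above says the `dependencyCheck` step (a SimpleBuildStep) never sees the Declarative `environment` directive, one workaround is to invoke the Dependency-Check CLI from a `bat` step, which does run with that environment applied. The Jenkinsfile below reuses the tool names, data directory and CLI arguments from the bug report; it assumes the CLI is registered as a Jenkins Global Tool named 'dependency-check-5.2.2' (so that `tool` resolves its install directory, with `bin\dependency-check.bat` beneath it) and that the 5.x plugin's `dependencyCheckPublisher` step is available to publish the XML report.

```groovy
// Added example, not from the thread or the plugin project.
// Assumes Global Tools named 'jdk-11.0.1', 'apache-maven-3.6.0' and
// 'dependency-check-5.2.2'; the data dir and arguments follow the report.
pipeline {
    agent { label 'master' }
    environment {
        JAVA_HOME = tool 'jdk-11.0.1'
        mvnHome   = tool 'apache-maven-3.6.0'
        // Install dir of the Dependency-Check CLI (assumed Global Tool name).
        DC_HOME   = tool 'dependency-check-5.2.2'
        PATH      = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
    }
    stages {
        stage('Build sources') {
            steps {
                bat 'mvn clean verify -DskipTests'
            }
        }
        stage('Analyze dependencies') {
            steps {
                // Check first that the environment directive reached the shell:
                // this is exactly what the failing step could not see.
                bat 'where java && java -version'
                // Same arguments as the dependencyCheck step in the report,
                // passed straight to the CLI. --failOnCVSS 7 fails the stage on
                // high-severity findings instead of only writing a report.
                bat """
                    "%DC_HOME%\\bin\\dependency-check.bat" ^
                        --project "%JOB_NAME%" ^
                        --scan . ^
                        -d D:/OWASP/dependency-check-data ^
                        --noupdate ^
                        --suppression backend/owasp-suppressions.xml ^
                        -o Dependency-Check ^
                        -f ALL ^
                        --failOnCVSS 7
                """
            }
            post {
                always {
                    // Keep the reports even when the CVSS threshold fails the stage.
                    archiveArtifacts artifacts: 'Dependency-Check/**', allowEmptyArchive: true
                    dependencyCheckPublisher pattern: 'Dependency-Check/dependency-check-report.xml'
                }
            }
        }
    }
}
```

The `where java` line is the cheap diagnostic that would have shortened this thread: if it fails, the environment directive is not in effect for that step, so no CLI flag will help. Because the CLI now runs inside `bat`, `JAVA_HOME` and `PATH` are inherited by `dependency-check.bat` the same way they were by `mvn`, and per-agent JDK differences are handled by the `tool` lookups rather than by hard-coded paths.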