Amit,
You have a couple options…
If your deliverable is a war/ear (or zip with all dependencies), then you could simply scan the deliverable using the Jenkins plugin. The Jenkins plugin (builder step) has roughly the same functionality as the Dependency-Check command line utility. Like the CLI, it doesn’t know (or care) about build systems. Its only function is to scan a file or directory (and all subs of that directory). So if your deliverable is a war/ear, you could use the Jenkins plugin to scan that one file. I would not recommend scanning uber jars because they typically have a lot of useful metadata removed from them, thus increasing the chances of false negatives.
Since you’re using Maven (and if you’re not outputting a war/ear) you could use the Dependency-Check Maven plugin. It’s fully integrated with Maven 3 and also contains aggregate functions which are super useful in multi-module projects.
Regardless of how you end up scanning (via CLI, Jenkins, Maven, etc.), you should end up with an XML report - dependency-check-report.xml. This file is what the Jenkins publisher step reads, processes, and records to visualize vulnerability information, put the build in warning or failed states if new vulns are discovered, and maintain vulnerability history across all the builds so it can track trends. You should always use the publisher step.
So to answer your questions…
1) After installation while creating a Job what settings are required. I am creating a Maven job.
[SS] By default, no additional configuration is required. You can simply use the builder step or publisher step as is by adding it to an existing job. There are certainly recommendations in terms of configuration options, but the Jenkins plugin defaults to an ‘it just works’ state.
2) Should I use Publish dependency check (Post Build) option?
[SS] Always use the publisher regardless of how dependency-check-report.xml was generated.
3) Do I need to change my pom.xml and add Dependency check plugin in it?
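An added example, not taken from the message above, of the Maven plugin configuration it describes: the Dependency-Check Maven plugin declared in the parent pom of a multi-module project, using the aggregate goal so one report covers every module and emitting the XML report the Jenkins publisher step reads. The plugin coordinates, goal and parameters are the plugin's own; PLUGIN_VERSION is a placeholder, and the CVSS threshold of 7 is an assumed policy value.

```xml
<!-- Added example (not from the message): dependency-check-maven in a parent pom.
     PLUGIN_VERSION is a placeholder; substitute a current plugin release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>PLUGIN_VERSION</version>
      <configuration>
        <!-- ALL writes both the XML report (dependency-check-report.xml) that the
             Jenkins publisher step consumes and the HTML report for people to read. -->
        <format>ALL</format>
        <!-- Assumed policy: fail the build when any dependency carries a
             vulnerability with a CVSS score of 7 or higher. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- aggregate scans every module and produces a single combined report -->
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` and point the Jenkins publisher step at the generated dependency-check-report.xml under the build output directory so that vulnerability history and trend tracking still happen in Jenkins.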