Integrating with Jenkins


Amit Agarwal

Sep 16, 2014, 7:16:03 AM
to dependen...@googlegroups.com
Dear Jeremy, 

Could you share how to go about integrating Dependency-Check with Jenkins?

What are the steps, as we have Jenkins set up?

Thanks,

Amit

Steve Springett

Sep 16, 2014, 10:33:17 AM
to dependen...@googlegroups.com
Amit,

There are several options when using the Jenkins plugin. First, the Jenkins plugin is divided into two separate parts. There’s a build step that can be used to scan a directory structure. The build step works much like the Dependency-Check command line interface, with many of the same options. Scans can be performed by using the Dependency-Check Ant task, Maven plugin, CLI, or the build step from the Jenkins plugin. All of these methods produce a dependency-check.xml file.

The second part of the Jenkins plugin is the publisher. A publisher step can be added to a build configuration to visualize the results. If you’ve seen the Findbugs or PMD Jenkins plugin, you’ll feel right at home - it’s based on the same library. The publisher step parses dependency-check.xml and records the state of the analysis over time. This allows you to do things like break the build if it goes over a threshold, or get notified whenever a new vulnerability is discovered. You’ll also be able to visualize the progress the team is making in remediating the findings.

The Jenkins plugin is available from the official Jenkins plugin repository and is installed like any other Jenkins plugin.


—Steve

Amit Agarwal

Sep 17, 2014, 9:32:07 AM
to dependen...@googlegroups.com
Thanks Steve for the reply, will go through it, and get back for further queries.

melv...@csit.gov.sg

Feb 9, 2015, 2:01:05 AM
to dependen...@googlegroups.com

Trying this out now. Does the build plugin from Jenkins scan WAR or EAR by default? Can only set it to scan folders apparently.

If so, do we have to run the same command on the 'Execute shell' portion of Jenkins?


Thank you

Steve Springett

Feb 9, 2015, 9:26:27 AM
to dependen...@googlegroups.com
Yes, the Jenkins plugin will scan all archives (zip, war, ear, apk, etc) using the ArchiveAnalyzer by default. Simply specify the directory where the war/ear resides. 

There is an option to disable it in the Jenkins global configuration, so make sure this isn't the case.

--Steve

melv...@csit.gov.sg

Feb 10, 2015, 2:20:36 AM
to dependen...@googlegroups.com
Alright, by default it does not seem to scan all archives, and this works well in CLI though.

Will take a look at the Jenkins global configuration.

If anyone else has gone through a similar issue and fixed it, do post it here too guys.

Shantanu Deshmukh

Mar 30, 2016, 2:23:58 AM
to Dependency Check
Hey Steve,

I have installed the plugin and I want to use it for my Maven project. I also already have FindBugs and it is working fine.
Can you please tell me about the following things?

1. After installation, while creating a job, what settings are required? I am creating a Maven job.
2. Should I use the Publish dependency check (Post Build) option?
3. Do I need to change my pom.xml and add the Dependency Check plugin to it?

Steve Springett

Mar 30, 2016, 9:33:31 AM
to Dependency Check
Amit,

You have a couple options…

If your deliverable is a war/ear (or zip with all dependencies), then you could simply scan the deliverable using the Jenkins plugin. The Jenkins plugin (builder step) has roughly the same functionality as the Dependency-Check command line utility. Like the CLI, it doesn’t know (or care) about build systems. Its only function is to scan a file or directory (and all subs of that directory). So if your deliverable is a war/ear, you could use the Jenkins plugin to scan that one file. I would not recommend scanning uber jars because they typically have a lot of useful metadata removed from them, thus increasing the chances of false negatives.

Since you’re using Maven (and if you’re not outputting a war/ear) you could use the Dependency-Check Maven plugin. It’s fully integrated with Maven 3 and also contains aggregate functions which are super useful in multi-module projects.

Regardless of how you end up scanning (via CLI, Jenkins, Maven, etc), you should end up with an XML report - dependency-check-report.xml. This file is what the Jenkins publisher step reads, processes, and records to visualize vulnerability information, put the build in warning or failed states if new vulns are discovered, and maintain vulnerability history across all the builds so it can track trends. You should always use the publisher step.

So to answer your questions…

1) After installation, while creating a job, what settings are required? I am creating a Maven job.
[SS] By default, no additional configuration is required. You can simply use the builder step or publisher step as is by adding it to an existing job. There are certainly recommendations in terms of configuration options, but the Jenkins plugin defaults to an ‘it just works’ state.

2) Should I use the Publish dependency check (Post Build) option?
[SS] Always use the publisher regardless of how dependency-check-report.xml was generated.

3) Do I need to change my pom.xml and add the Dependency Check plugin to it?
[SS] Only if you want to integrate the Dependency-Check Maven plugin. If you simply want to use the scanning capabilities of the Jenkins (build step) plugin, modifying the pom is not required. Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ if you choose to use the Maven plugin.


—Steve
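An added example (not code from this thread, the Jenkins plugin or the Dependency-Check project) of the threshold gate Steve describes the publisher applying: parse a dependency-check-report.xml and decide whether the build should fail. The element names and namespace in the constructed sample are assumed from the report format, and SAMPLE_REPORT, parse_findings and build_should_fail are names chosen here.

```python
"""Gate a CI build on a Dependency-Check XML report (added example; assumed schema)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of dependency-check-report.xml; the namespace,
# element names and CVE ids are assumed/placeholder values, not real findings.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>commons-collections-3.2.1.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0001</name><cvssScore>7.5</cvssScore><severity>High</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>app.war</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0002</name><cvssScore>4.3</cvssScore><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency><fileName>clean.jar</fileName></dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the XML namespace so the parser does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]


def parse_findings(report_xml):
    """Return a list of (file_name, cve, cvss_score) for every vulnerability in the report."""
    root = ET.fromstring(report_xml)
    findings = []
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
        file_name = next((c.text for c in dep if _local(c.tag) == "fileName"), "?")
        for vuln in (e for e in dep.iter() if _local(e.tag) == "vulnerability"):
            fields = {_local(c.tag): (c.text or "").strip() for c in vuln}
            findings.append((file_name, fields.get("name"), float(fields.get("cvssScore", 0))))
    return findings


def build_should_fail(findings, fail_on_cvss=7.0, max_total=None):
    """Fail on any finding at or above the CVSS bar, or when the total count exceeds a budget."""
    over_bar = [f for f in findings if f[2] >= fail_on_cvss]
    too_many = max_total is not None and len(findings) > max_total
    return bool(over_bar) or too_many


if __name__ == "__main__":
    # Non-zero exit is what "breaks the build" when this runs as a Jenkins shell step.
    sys.exit(1 if build_should_fail(parse_findings(SAMPLE_REPORT)) else 0)
```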