Hi,
we are currently investigating whether to use the OWASP maven plugin or the Jenkins plugin and created a test setup with some old libraries.
When running mvn dependency-check:check on that project we get 13 CVEs, while Jenkins only finds 4 CVEs. I have currently disabled the Central Analyzer in both configurations.
Here: https://github.com/jeremylong/DependencyCheck/issues/957 it says that you “can disable the central analyzer without any adverse effects” if you use the maven plugin, but what about the Jenkins plugin? Is that the reason why multiple CVEs were not found in Jenkins?
Maven plugin configuration:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>3.0.1</version>
    <configuration>
        <cveValidForHours>12</cveValidForHours>
        <failBuildOnCVSS>1</failBuildOnCVSS>
        <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
        <format>HTML</format>
        <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
    </configuration>
</plugin>
Jenkins plugin configuration is default except the disabled Central Analyzer and two enabled HTML report generations.
Does anyone have an idea?
Thanks in advance.
Natalie Erdmann
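A practical first step when two scanners of the same project disagree (13 CVEs from the Maven plugin versus 4 from Jenkins, as described above) is to diff the two reports instead of comparing the totals: that shows whether the Jenkins run skipped whole artifacts (a scan-path or packaging difference) or saw the same artifacts but matched fewer CVEs against them (an analyzer or evidence difference, which is where the disabled Central Analyzer would show up). The script below is an added example, not code from this thread or from the dependency-check project. It assumes both scans were written with the JSON report format (`<format>JSON</format>` in place of HTML), whose top-level "dependencies" list carries a "fileName" and a "vulnerabilities" list with a "name" per CVE; the two sample reports are constructed inline and their CVE ids are deliberate placeholders, not real findings.

```python
"""Diff two OWASP dependency-check JSON reports (added example; report layout
is an assumption about the JSON format, not taken from the original thread)."""
import json
from typing import Dict, Set, Tuple

# Constructed sample reports. Artifact names are plausible; the CVE ids are
# placeholders (CVE-EXAMPLE-*), chosen so nothing here reads as a real finding.
MAVEN_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-collections-3.2.1.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "High"},
                             {"name": "CVE-EXAMPLE-0002", "severity": "Medium"}]},
        {"fileName": "struts2-core-2.3.15.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0003", "severity": "High"},
                             {"name": "CVE-EXAMPLE-0004", "severity": "High"}]},
        {"fileName": "guava-18.0.jar", "vulnerabilities": []},
    ]
})
JENKINS_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-collections-3.2.1.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "High"}]},
        {"fileName": "guava-18.0.jar", "vulnerabilities": []},
    ]
})


def cves_by_dependency(report_json: str) -> Dict[str, Set[str]]:
    """Map each scanned artifact's fileName to the set of CVE ids reported for it."""
    report = json.loads(report_json)
    result: Dict[str, Set[str]] = {}
    for dep in report.get("dependencies", []):
        names = {v["name"] for v in dep.get("vulnerabilities", []) if v.get("name")}
        if names:
            result.setdefault(dep["fileName"], set()).update(names)
    return result


def scanned_files(report_json: str) -> Set[str]:
    """Every artifact the scan looked at, vulnerable or not."""
    return {d["fileName"] for d in json.loads(report_json).get("dependencies", [])}


def total_cves(report_json: str) -> int:
    """Headline count, the number the two plugins disagree on."""
    return sum(len(s) for s in cves_by_dependency(report_json).values())


def diff_reports(full_json: str, partial_json: str) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return (CVEs present in the full report but absent from the partial one,
    keyed by artifact; artifacts the partial scan never looked at)."""
    full = cves_by_dependency(full_json)
    partial = cves_by_dependency(partial_json)
    missing = {dep: cves - partial.get(dep, set()) for dep, cves in full.items()}
    missing = {dep: cves for dep, cves in missing.items() if cves}
    not_scanned = scanned_files(full_json) - scanned_files(partial_json)
    return missing, not_scanned


if __name__ == "__main__":
    print(f"maven: {total_cves(MAVEN_REPORT)} CVEs, jenkins: {total_cves(JENKINS_REPORT)} CVEs")
    missing, not_scanned = diff_reports(MAVEN_REPORT, JENKINS_REPORT)
    for dep, cves in sorted(missing.items()):
        why = "artifact not in jenkins scan" if dep in not_scanned else "same artifact, fewer matches"
        print(f"{dep}: {sorted(cves)} ({why})")
```

Reading the output: artifacts listed as "not in jenkins scan" point at what the job is feeding the scanner (workspace path, whether the dependencies were resolved into it); artifacts with "same artifact, fewer matches" point at analyzer configuration, which is the question the thread asks.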
Ok, thanks for your advice.
Natalie