Jenkins CVE findings differ from maven plugin


Natalie Erdmann

Nov 14, 2017, 9:25:48 AM
to dependen...@googlegroups.com

Hi,

we are currently investigating whether to use the OWASP maven plugin or the Jenkins plugin and created a test setup with some old libraries.

When running mvn dependency-check:check on that project we get 13 CVEs, while Jenkins only finds 4 CVEs. I currently disabled the Central Analyzer in both configurations.

Here: https://github.com/jeremylong/DependencyCheck/issues/957 it says that you “can disable the central analyzer without any adverse affects” if you use maven plugin, but what about the Jenkins plugin? Is that the reason why multiple CVEs were not found in Jenkins?

Maven plugin configuration:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.0.1</version>
  <configuration>
    <cveValidForHours>12</cveValidForHours>
    <failBuildOnCVSS>1</failBuildOnCVSS>
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
    <format>HTML</format>
    <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
  </configuration>
</plugin>

Jenkins plugin configuration is default except the disabled Central Analyzer and two enabled HTML report generations.

Does anyone have an idea?

Thanks in advance.

Natalie Erdmann

Steve Springett

Nov 14, 2017, 11:11:51 AM
to dependen...@googlegroups.com
If you have a Maven build, you should always use the Maven plugin. It will deliver more accurate results. The Jenkins plugin does two things: 1) performs scans in a similar way that the command line utility does, and 2) publishes results to the Jenkins console.

Maven builds should use the Maven plugin to scan and create both the HTML and XML reports. The Jenkins plugin should then be used to publish the results to the console.


— Steve
--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
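With the workflow Steve describes, the Maven run leaves an XML report behind, and that report can be diffed against any other Dependency-Check XML output (for instance the one a Jenkins-plugin scan produced) to see exactly which CVEs and which scanned files one run missed. The following Python is an added example, not code from this thread or from the Dependency-Check project; the two embedded reports are constructed, the element names follow the report format, and the namespace URI, jar names and CVE ids are placeholders:

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in the shape of Dependency-Check's XML report;
# the namespace URI, file names and CVE ids are placeholders, not real findings.
NS = "https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd"
MAVEN_REPORT = f"""<analysis xmlns="{NS}"><dependencies>
  <dependency><fileName>lib-a-1.0.jar</fileName><vulnerabilities>
    <vulnerability><name>CVE-0000-0001</name></vulnerability>
    <vulnerability><name>CVE-0000-0002</name></vulnerability>
  </vulnerabilities></dependency>
  <dependency><fileName>lib-b-2.0.jar</fileName><vulnerabilities>
    <vulnerability><name>CVE-0000-0003</name></vulnerability>
  </vulnerabilities></dependency>
</dependencies></analysis>"""
JENKINS_REPORT = f"""<analysis xmlns="{NS}"><dependencies>
  <dependency><fileName>lib-a-1.0.jar</fileName><vulnerabilities>
    <vulnerability><name>CVE-0000-0001</name></vulnerability>
  </vulnerabilities></dependency>
</dependencies></analysis>"""

def _local(tag):
    """Drop the namespace so the parser works across report schema versions."""
    return tag.rsplit("}", 1)[-1]

def cves_by_dependency(report_xml):
    """Map each scanned file name to the set of CVE ids reported for it."""
    found = {}
    root = ET.fromstring(report_xml)
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
        file_name = next(c.text for c in dep if _local(c.tag) == "fileName")
        cves = set()
        for vul in (e for e in dep.iter() if _local(e.tag) == "vulnerability"):
            cves |= {c.text.strip() for c in vul if _local(c.tag) == "name" and c.text}
        found[file_name] = cves
    return found

def compare_reports(left_xml, right_xml):
    """Diff two reports: CVEs and scanned files present on only one side."""
    left, right = cves_by_dependency(left_xml), cves_by_dependency(right_xml)
    left_cves = set().union(*left.values())
    right_cves = set().union(*right.values())
    return {
        "only_left": left_cves - right_cves,
        "only_right": right_cves - left_cves,
        "files_only_left": set(left) - set(right),
        "files_only_right": set(right) - set(left),
    }

if __name__ == "__main__":
    print(compare_reports(MAVEN_REPORT, JENKINS_REPORT))
```

A file that appears under "files_only_left" was never scanned by the other run at all, which is the first thing to rule out before suspecting analyzer settings.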

Natalie Erdmann

Nov 16, 2017, 4:09:47 AM
to Steve Springett, dependen...@googlegroups.com

Ok, thanks for your advice.

Natalie
