Clarification - "Publish OWASP Dependency-Check results" plugin working


Piyush Mittal
Mar 14, 2018, 1:11:53 AM
to Dependency Check
I am unable to find documentation explaining how the "Publish OWASP Dependency-Check results" Jenkins plugin figures out new and fixed vulnerabilities. If someone can point me to the documentation or explain its working, that would be great.

As an example, let us assume the app has 10 low vulnerabilities, I fixed two of them and introduced two new ones by adding a new vulnerable JAR, so that the overall count remains the same at 10. What will the plugin output be in this case?

Steve Springett
Mar 14, 2018, 7:09:55 PM
to Dependency Check
I believe the expected behavior of this scenario would be 2 ‘fixed’ issues and 2 ‘new’ issues.

This logic is handled by the analysis-core plugin that the Dependency-Check plugin builds on top of. In the publisher step, the Dependency-Check plugin tells analysis-core what the current issues are, and analysis-core handles everything else.

So in this scenario, if you set a threshold of 1 or more new issues, it could put the build in a warning or failed state, even though the total number of issues remains the same.

— Steve

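The following is an added illustration of the new/fixed bookkeeping Steve describes; it is not code from the Dependency-Check Jenkins plugin or from analysis-core. It assumes each finding is fingerprinted by the affected file name plus the vulnerability identifier (the real plugin's fingerprint may differ), and the two reports are constructed sample data in the shape of Dependency-Check's JSON report (`dependencies[].vulnerabilities[]`) with placeholder CVE identifiers. It replays the scenario from the question: 10 LOW findings, two fixed by upgrading one JAR, two introduced by a new JAR, total unchanged at 10.

```python
"""Model of how a publisher step classifies findings as new / fixed / unchanged
and applies a threshold on the *new* count.  Added example; assumes a
(fileName, vulnerability id) fingerprint.  All report data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    file_name: str   # dependency (JAR) the finding is attached to
    vuln_id: str     # vulnerability identifier, e.g. a CVE name
    severity: str


def issues_from_report(report: dict) -> set[Issue]:
    """Flatten a Dependency-Check style JSON report into a set of fingerprints."""
    found: set[Issue] = set()
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            found.add(Issue(dep["fileName"], vuln["name"], vuln["severity"].upper()))
    return found


@dataclass(frozen=True)
class Delta:
    new: frozenset[Issue]        # in current build, absent from reference build
    fixed: frozenset[Issue]      # in reference build, absent from current build
    unchanged: frozenset[Issue]  # present in both

    @property
    def total(self) -> int:
        return len(self.new) + len(self.unchanged)


def compare(previous: set[Issue], current: set[Issue]) -> Delta:
    """Set difference against the reference build: new = cur - prev, fixed = prev - cur."""
    return Delta(
        new=frozenset(current - previous),
        fixed=frozenset(previous - current),
        unchanged=frozenset(current & previous),
    )


def build_result(delta: Delta, unstable_new: int | None = None,
                 failed_new: int | None = None) -> str:
    """Thresholds are evaluated on new issues only, so a constant total can still fail."""
    n = len(delta.new)
    if failed_new is not None and n >= failed_new:
        return "FAILURE"
    if unstable_new is not None and n >= unstable_new:
        return "UNSTABLE"
    return "SUCCESS"


def _report(findings: list[tuple[str, list[str]]]) -> dict:
    """Build a constructed report dict from (fileName, [vuln ids]) pairs, all LOW."""
    return {"dependencies": [
        {"fileName": fn,
         "vulnerabilities": [{"name": v, "severity": "LOW"} for v in vulns]}
        for fn, vulns in findings
    ]}


# Constructed reference build: 10 LOW findings across three JARs (placeholder ids).
PREVIOUS_REPORT = _report([
    ("lib-a.jar", ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]),
    ("lib-b.jar", ["CVE-0000-0005", "CVE-0000-0006", "CVE-0000-0007"]),
    ("lib-c.jar", ["CVE-0000-0008", "CVE-0000-0009", "CVE-0000-0010"]),
])
# Constructed current build: two lib-c findings gone, vulnerable lib-d.jar added.
CURRENT_REPORT = _report([
    ("lib-a.jar", ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]),
    ("lib-b.jar", ["CVE-0000-0005", "CVE-0000-0006", "CVE-0000-0007"]),
    ("lib-c.jar", ["CVE-0000-0010"]),
    ("lib-d.jar", ["CVE-0000-0011", "CVE-0000-0012"]),
])


def scenario() -> tuple[Delta, str]:
    """Run the question's scenario with a 'warn on 1 or more new issues' threshold."""
    delta = compare(issues_from_report(PREVIOUS_REPORT), issues_from_report(CURRENT_REPORT))
    return delta, build_result(delta, unstable_new=1)


if __name__ == "__main__":
    d, result = scenario()
    print(f"total={d.total} new={len(d.new)} fixed={len(d.fixed)} result={result}")
    for i in sorted(d.new, key=lambda x: x.vuln_id):
        print("  new:  ", i.file_name, i.vuln_id)
    for i in sorted(d.fixed, key=lambda x: x.vuln_id):
        print("  fixed:", i.file_name, i.vuln_id)
```

One caveat that follows from the fingerprint assumption: if the JAR's file name changes on upgrade (for example a version number in the name) while a finding persists, a name-based fingerprint reports one "fixed" and one "new" issue rather than one unchanged issue, so counts should be read with the fingerprinting rule in mind.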