A vulnerability found using Maven is not found using Jenkins.


JoseLuis Diaz

May 6, 2016, 3:24:11 AM
to Dependency Check
Hi,

I use the Dependency-Check Maven plugin with the aggregate goal in a Maven multi-module project.
I also use the Dependency-Check Jenkins plugin pointing to the project folder.

Both use the same Dependency-Check v1.3.6.
Both generate an html report with different results because the Jenkins plugin scans files and the Maven plugin works with pom.xml's information.
So they don't analyze the same group of files. Since Jenkins analyzes more files I already expected to find more vulnerabilities using Jenkins.

But there are some vulnerable dependencies found using Maven plugin that are not found using Jenkins plugin.

Example:

Maven finds this vulnerable dependency:
blazeds-common-3.2.0.3978.jar cpe:/a:adobe:blazeds:3.2.0.3978 com.adobe.blazeds:blazeds-common:3.2.0.3978 High 2 LOW 14

And Jenkins does not show blazeds-common-3.2.0.3978.jar as a vulnerable dependency although it can be found in the project folders.

How can this be possible? Thank you,

Steve Springett

May 6, 2016, 10:04:09 AM
to Dependency Check
The Jenkins plugin can 1) perform scans and 2) publish results, so you can use the Maven plugin to generate results and the Jenkins plugin to publish those results.

However, if you do use the Jenkins plugin to perform scans, it will operate nearly identically to the command line utility.

Does the output from the Dependency-Check CLI match that of the Jenkins scan results? I would expect them to be nearly identical assuming the configurations for both scanners are identical.

—Steve
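A practical way to do the comparison Steve suggests (CLI or Jenkins scan against the Maven aggregate report) is to diff the two XML reports by dependency rather than eyeballing two HTML pages. The script below is an added example for this thread, not code from the Dependency-Check project or from either poster. It assumes the layout of dependency-check-report.xml (analysis > dependencies > dependency > fileName, identifiers > identifier[type="cpe"] > name, vulnerabilities > vulnerability > name) and ignores the XML namespace so the xsd version does not matter; the two embedded reports are constructed by hand to mirror the situation in the first post, and the CVE ids in them are placeholders. For each jar whose CVE set differs it records whether the other scanner saw the file at all and which CPEs each side assigned, since a dependency with no CPE gets no CVE lookup, and that is the first thing to check when one scanner stays silent on a jar the other flags.

```python
"""Diff the dependencies flagged by two Dependency-Check XML reports.

Added example for this thread, not Dependency-Check project code. Assumes the
report layout of dependency-check-report.xml (see lead-in); namespace ignored.
Both sample reports below are constructed for the demo; CVE ids are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the Maven aggregate report: the pom's GAV let the
# scanner assign a CPE, so the jar carries vulnerabilities.
MAVEN_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>blazeds-common-3.2.0.3978.jar</fileName>
      <identifiers>
        <identifier type="cpe"><name>cpe:/a:adobe:blazeds:3.2.0.3978</name></identifier>
        <identifier type="maven"><name>com.adobe.blazeds:blazeds-common:3.2.0.3978</name></identifier>
      </identifiers>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-1</name><severity>High</severity></vulnerability>
        <vulnerability><name>CVE-EXAMPLE-2</name><severity>High</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""

# Constructed stand-in for the Jenkins file-scan report: the same jar is seen on
# disk but gets no CPE (hence no CVEs), and one extra jar is found only by the
# file scan.
JENKINS_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>blazeds-common-3.2.0.3978.jar</fileName>
      <identifiers/>
      <vulnerabilities/>
    </dependency>
    <dependency>
      <fileName>example-extra-1.0.jar</fileName>
      <identifiers>
        <identifier type="cpe"><name>cpe:/a:example:extra:1.0</name></identifier>
      </identifiers>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-3</name><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""


def _local(tag):
    """Strip the namespace from an element tag ('{ns}dependency' -> 'dependency')."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    for c in _children(el, name):
        return (c.text or "").strip()
    return ""


def parse_report(xml_text):
    """Return {fileName: {"cpes": set, "cves": set}} for every scanned dependency."""
    root = ET.fromstring(xml_text)
    deps = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        cpes, cves = set(), set()
        for ids in _children(dep, "identifiers"):
            for ident in _children(ids, "identifier"):
                if ident.get("type") == "cpe":
                    cpes.add(_text(ident, "name"))
        for vulns in _children(dep, "vulnerabilities"):
            for v in _children(vulns, "vulnerability"):
                cves.add(_text(v, "name"))
        deps[_text(dep, "fileName")] = {"cpes": cpes, "cves": cves}
    return deps


def compare(a, b):
    """One row per dependency whose CVE set differs between reports a and b.

    Each row records whether each scanner saw the file at all and the CPEs it
    assigned: no CPE means no CVE lookup, which is where to look first.
    """
    empty = {"cpes": set(), "cves": set()}
    rows = []
    for f in sorted(set(a) | set(b)):
        da, db = a.get(f, empty), b.get(f, empty)
        if da["cves"] == db["cves"]:
            continue
        rows.append({
            "file": f,
            "seen_in_a": f in a, "seen_in_b": f in b,
            "cpes_a": sorted(da["cpes"]), "cpes_b": sorted(db["cpes"]),
            "cves_a": sorted(da["cves"]), "cves_b": sorted(db["cves"]),
        })
    return rows


if __name__ == "__main__":
    # With real reports, read the two files instead of the embedded samples.
    for row in compare(parse_report(MAVEN_REPORT), parse_report(JENKINS_REPORT)):
        print(row)
```

Run against real output, point `parse_report` at the XML report from each scanner (set the Maven plugin's report format to XML or ALL so it writes one alongside the HTML). A jar that appears as seen by both sides but with CPEs only on the Maven side is the pattern described in the first post, and the next step is to compare the evidence each scanner collected for that file.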