No vulnerabilities reported since 02/22


Kalyan K

Mar 24, 2016, 3:46:22 PM
to Dependency Check
Hello All,

It's been almost a month since OWASP dependency check plugin reported any vulnerabilities. I'm not sure if something's wrong as we no longer see any issues reported while there was no drastic action taken to handle reported issues prior to 02/22 from our team.

We're on Jenkins mainline v1.641 and using OWASP plugin version 1.3.5.

Please suggest.

Thanks,
Kalyan

Steve Springett

Mar 24, 2016, 4:00:13 PM
to Dependency Check
Have you tried wiping the dependency-check-data directory? By default, it’s located in the project workspace, but can be shared among multiple jobs as well. Try deleting it and recreating it. If shared, it’s essential that autoupdate is disabled on every job otherwise it will lead to corruption.

A good practice is to disable the autoupdate feature on every dependency-check job. Then have a single job that updates the shared data directory and blocks other dependency-check jobs from running.

—Steve

Kalyan K

Mar 24, 2016, 5:22:51 PM
to Dependency Check
In our case, we do not share the workspace with other jobs. I tried emptying the Jenkins project workspace and re-triggering the build. However, I still do not see any vulnerabilities reported.

I'll give it a try by disabling the autoupdate feature for the job and see if that works.

Thanks Steve.

Thanks,
Kalyan

Jeremy Long

Mar 25, 2016, 7:39:27 PM
to Kalyan K, Dependency Check
One thing to look at would be to toggle the "show all dependencies" in the report. Is it still scanning the dependencies correctly (i.e. are they all there)?

--Jeremy

Kalyan K

Apr 5, 2016, 5:15:55 PM
to Dependency Check, kaly...@gmail.com
I think I messed up by posting in the wrong section. I enabled the Jenkins log and captured the OWASP dependency-check log and attached it for reference. Please help us address this issue.
OWASP_Jenkins_log.txt
Capture.JPG

Jeremy Long

Apr 9, 2016, 6:59:01 AM
to Kalyan K, Dependency Check
Kalyan,

Do you know what vulnerabilities were previously reported? It appears what you are scanning only includes the gradle wrapper, which indicates that no project dependencies have been moved into the workspace. Is the dependency-check scan happening before the project build? Another question - is this an Android project?

--Jeremy

Kalyan K

Apr 9, 2016, 10:16:22 AM
to Dependency Check, kaly...@gmail.com
Hi Jeremy,

There were 100+ high/low priority vulnerabilities reported before everything stopped reporting. The Jenkins project I created does not perform any other build step apart from cloning the repo into the workspace to go through the OWASP scan. This is a Java application and leverages the gradle wrapper to build artifacts. I'm not sure what changed all of a sudden. However, I could see a connection timeout issue in the attached OWASP Jenkins log. I could not make much out of it, as I was able to access the NIST URLs specified.

Thanks,
Kalyan

Jeremy Long

Apr 9, 2016, 11:25:47 AM
to Kalyan K, Dependency Check
The connection.timeout exception in the logs can be ignored; I've updated the message in the log file. All I can tell is that dependency-check is not scanning a directory that contains any JAR files (with the exception of the gradle wrapper). Something else must have changed in your build environment.

--Jeremy

Kalyan K

Apr 9, 2016, 11:31:27 AM
to Dependency Check, kaly...@gmail.com
I did not specify any directory path to scan, as I expected it to scan my project's workspace. Not sure if there's an alternative way to scan the project workspace. I did try specifying the ${WORKSPACE} path as well. I'll look further into this issue.

Thanks Jeremy.

Thanks,
Kalyan

Bernd Eckenfels

Apr 9, 2016, 11:44:28 AM
to Kalyan K, Dependency Check, kaly...@gmail.com
Hello,

(As I mentioned before,) if you do not run the build which downloads dependencies and scans the produced artifacts, the scanner has nothing to scan. You need to run it at the end of a build or at least with a workspace which is not cleared.

Gruss

Bernd
--
http://bernd.eckenfels.net

Kalyan K

Apr 9, 2016, 12:21:05 PM
to Dependency Check, kaly...@gmail.com
I agree, Bernd. I overlooked your comment, and noticed that as soon as I added a gradle build task for the project, I was able to generate the reports without any issue. I think I learnt this lesson the hard way. Thanks for your help, and I apologize for the confusion.

I believe this issue can be closed.

Thanks,
Kalyan
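The failure mode in this thread is worth guarding against in the job itself: a workspace holding only the Gradle wrapper jar produces a clean report that looks like "no vulnerabilities" rather than "nothing to scan". The following pre-flight check is an added example (not part of the thread or of the dependency-check plugin) for an "Execute shell" build step placed before the scan; it assumes a Jenkins-provided `WORKSPACE` variable and the standard `gradle/wrapper/` layout.

```shell
#!/bin/sh
# Pre-flight check for a Jenkins dependency-check job (added example, not the
# plugin's own code). If the checkout was never built, the only archive in the
# workspace is the Gradle wrapper jar, so dependency-check silently reports
# zero findings. This check turns that condition into a job failure.

# Count the archives dependency-check would actually analyse, ignoring the
# Gradle wrapper jar that every Gradle checkout carries.
count_scannable_archives() {
    dir="$1"
    find "$dir" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) \
        ! -path '*/gradle/wrapper/*' | wc -l | tr -d ' '
}

# Return 0 when the workspace has something to scan, 1 otherwise.
workspace_is_scannable() {
    dir="$1"
    n="$(count_scannable_archives "$dir")"
    if [ "$n" -eq 0 ]; then
        echo "dependency-check pre-flight: no JAR/WAR/EAR under $dir (gradle wrapper excluded)" >&2
        echo "Run the build (e.g. ./gradlew build) before the scan, or do not clean the workspace." >&2
        return 1
    fi
    echo "dependency-check pre-flight: $n archive(s) found under $dir"
    return 0
}

# When run as a Jenkins build step, WORKSPACE is set by Jenkins; fail the
# step (and so the job) if there is nothing for dependency-check to examine.
if [ -n "${WORKSPACE:-}" ]; then
    workspace_is_scannable "$WORKSPACE" || exit 1
fi
```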