Questions regarding black duck vulnerability plugin


Duminda Ekanayake

Dec 16, 2015, 4:06:51 AM12/16/15
to Black Duck Vulnerability Report
Hi, thanks for this plugin. I installed it with our Jenkins and it is working without any issue. I have a few questions regarding the plugin:

(1) The plugin is limited to scanning only 200 components. What happens when a project has more than 200 components? Are you planning to alter this limit?
(2) Our company has purchased the Black Duck suite and it is used to analyze projects. Is it possible for me to integrate the plugin with that?
 Does the suite have a commercial version of the same plugin? I saw there is a Jenkins plugin for Protex, but I think it analyzes only license violations, or does it analyze security violations too?

Thanks for your time, it is a great plugin.

Regards!
Duminda

Kaj Kandler

Dec 16, 2015, 1:48:35 PM12/16/15
to Black Duck Vulnerability Report
Hi Duminda,
Great that you like the plugin. Beyond 200 dependent components we recommend you talk to our sales reps and purchase our products ;-). There you will find no limit and also more detailed information about the security vulnerabilities that your application faces.

Well, apparently your company has already become a customer of the Black Duck Suite. In the Black Duck Suite we offer two Jenkins-CI plugins:

* To automate the (source) code scanning with Protex as part of your build (pipeline) in Jenkins. You are correct, Protex does not include references to vulnerabilities; it also scans only the code you present to it (in a folder). In the case of a Maven build the dependencies are outside of that build folder (in your shared .m2 repo (cache)).
* To automate Code Center, our component governance offering, there is a second commercial plugin for Jenkins-CI. It does essentially the same thing as this one: listen to a Maven/Gradle build and compare it against our KB for vulnerability information. The main differences are that Code Center will catalog your "Bill of Materials" permanently for the build target (called an Application in Code Center) and runs your component requests through a workflow for approval, with the ability to stop builds if they are disapproved (i.e. for reason of being vulnerable, ...).

I'd suggest contacting your BD Sales Engineer to clarify whether you are using Code Center and how to get the Code Center plugin for Jenkins.

Kind regards,
Kaj
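The build-time check Kaj describes (listen to a Maven build, compare the resolved components against a knowledge base, and stop the build when a disapproved component is found) can be sketched in a few dozen lines. The following is an added illustration written for this thread, not code from the Black Duck plugin, Code Center or Protex, and it does not talk to any Black Duck KB. It assumes the build has already produced `mvn dependency:list` output; the sample output below is constructed, and `SAMPLE_KB` is a hypothetical knowledge base with made-up advisory identifiers (`EXAMPLE-0001`, `EXAMPLE-0002`) and version ranges, not real advisories. The `component_limit` parameter mirrors the 200-component cap discussed above so that a project over the limit is flagged rather than silently truncated.

```python
"""Build-gate example: match a Maven bill of materials against a
(constructed) vulnerability knowledge base and decide whether to fail
the build. Added illustration for this thread; not Black Duck code."""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:list` output (not a real project).
# Format per line: groupId:artifactId:type[:classifier]:version:scope
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.example:demo-lib:jar:1.2.0:compile
[INFO]    org.example.util:parsing:jar:3.0.1:compile
[INFO]    org.example.test:harness:jar:2.4.0:test
[INFO]    com.example:demo-lib:jar:1.2.0:compile
[INFO] ------------------------------------------------------------------------
"""

# Constructed knowledge base (hypothetical advisories, NOT real ones).
# coordinate -> list of (advisory_id, introduced, fixed, severity);
# the affected range is [introduced, fixed) as 3-part version tuples.
SAMPLE_KB = {
    "com.example:demo-lib": [("EXAMPLE-0001", (1, 0, 0), (1, 3, 0), "high")],
    "org.example.util:parsing": [("EXAMPLE-0002", (2, 0, 0), (3, 0, 0), "medium")],
}


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_version(version: str) -> tuple:
    """Turn '1.2.0' or '2.4' into a comparable 3-part tuple of ints.
    Non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_dependency_list(text: str) -> list:
    """Extract the resolved components from `mvn dependency:list` output,
    de-duplicated and in first-seen order."""
    seen = {}
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        fields = line[len("[INFO]"):].strip().split(":")
        if len(fields) == 5:          # no classifier
            group, artifact, _type, version, scope = fields
        elif len(fields) == 6:        # with classifier
            group, artifact, _type, _classifier, version, scope = fields
        else:                         # header / separator lines
            continue
        seen.setdefault(Component(group, artifact, version, scope), None)
    return list(seen)


def match_kb(components: list, kb: dict) -> list:
    """Return (component, advisory_id, severity) for every KB range hit."""
    findings = []
    for comp in components:
        ver = parse_version(comp.version)
        for advisory_id, introduced, fixed, severity in kb.get(comp.coordinate, []):
            if introduced <= ver < fixed:
                findings.append((comp, advisory_id, severity))
    return findings


def gate_build(text: str, kb: dict, fail_on=("high", "critical"),
               component_limit=None) -> dict:
    """Decide whether the build should be stopped. `component_limit`
    reproduces the 200-component cap discussed in the thread."""
    components = parse_dependency_list(text)
    findings = match_kb(components, kb)
    return {
        "components": len(components),
        "findings": findings,
        "over_limit": component_limit is not None and len(components) > component_limit,
        "fail": any(sev in fail_on for _, _, sev in findings),
    }


if __name__ == "__main__":
    result = gate_build(SAMPLE_MVN_OUTPUT, SAMPLE_KB, component_limit=200)
    for comp, advisory_id, severity in result["findings"]:
        print(f"{severity.upper():8} {advisory_id}  {comp.coordinate}:{comp.version} ({comp.scope})")
    if result["over_limit"]:
        print(f"warning: {result['components']} components exceeds the limit")
    raise SystemExit(1 if result["fail"] else 0)
```

The design point worth noting against Kaj's Protex remark is the input: a folder scan would not see dependencies that live in the shared `.m2` cache, whereas the resolved dependency list produced by the build itself is exactly the bill of materials the build will ship. Real tooling also distinguishes `test` scope from `compile` scope when deciding severity, which this sketch leaves to the caller via `fail_on`.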