Jenkins / SonarQube / Dependency Check / Java

[milanche]

I have SonarQube plugin for Jenkins which I execute for my Java project.

Which is best way to integrate Dependency Check with them? Should I install Dependency Check plugin for Jenkins or should I invoke Dependency Check through the Maven plugin or do I need both?

I wish there would be some tutorial on that.

[Anvesh Vagiri]

Hey,

I had a similar question and the answer I received was that the maven plugin results are more accurate. 

However consider this, lets suppose you have an application that is built from multiple components and finally deployed in one host.

Approach 1(Jenkins Build) :- Scan the final deployed host via jenkins plugin, give it the directory of the jars , typically something like WEB-INF/lib/

All the jars are usually available in one place or just few other folders which you need to specify.

Finally, You will get one report.

Approach 2(Maven Approach):- Need to run maven dependency scan for each component , get its report.

So now you have 'n' reports for each component, which you need to analyse one by one.

I have completed both the approaches , and i believe finding and triaging issue while at maven build ensures shifting security left. 

Thanks

Anvesh

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dependency-check/ef4c1d77-d9c3-487c-8f06-a60ca02b8baan%40googlegroups.com.

[Anvesh Vagiri]

Sorry i meant a total of n reports as there are n components.