Running the dependency-check twice


Dr Paul

Jul 29, 2015, 2:51:53 AM
to Dependency Check
We have a Jenkins master/slave setup where all jobs build run on slaves.

As the dependency check is so slow, I decided to add it to the SonarQube 5.1.1 job pipeline.

This job checks out the Java code, uses Maven 3.2.3 and the setVersion plugin to set the version number in the POMs then runs mvn clean install with -Dtest=false required by Sonar.
We then call OWASP Dependency-Check Plugin v1.2.11.1 pointing to the WEB-INF lib directory and the JARs; it runs with all of the defaults.

The analysis report is then published as a post-build task. Then it is archived, the build description modified and then the Sonar task is invoked.

Anyway I triggered this job manually and had the dependency check come back with 2 warnings in some Spring libraries.

I then fiddled around with the Sonar part of the job trying to get the dependency report displayed in Sonar and get it by adding -Dsonar.dependencyCheck.reportPath=${WORKSPACE}/dependency-check-report.xml in the additional properties.

So I then ran the job again expecting to get the same 2 warnings and have them appear in Sonar, but was stunned when the Dependency-Check reported that 2 warnings had been fixed. The Subversion repo was on the same revision. The jobs ran at 23-Jul-2015 15:27 and then 23-Jul-2015 16:42 AEST, so an hour and a quarter between them.

Am I missing something here? Is it not idempotent? Or did the dependency database change in that time window?

Thanks

Paul

Jeremy Long

Jul 29, 2015, 5:28:18 AM
to Dr Paul, Dependency Check
Paul,

There could be a few things going on:

1) Depending on the JDK - we believe a heisenbug was resolved that caused different results under debug vs. running normally. The new version (1.3) will be released soon, which includes a fix for this.
2) The first run may have had access to the Internet and the second run did not? See https://jeremylong.github.io/DependencyCheck/data/index.html

Is there any chance you have the XML or HTML reports from both executions? If you do, can you share them? Or on subsequent runs have the two spring libraries been flagged again?

Next, dependency-check does take a long time to run - the first time. It downloads and caches a copy of the NVD locally. If the tool is run at least once every 7 days the updates are very quick.

--Jeremy



Dr Paul

Jul 30, 2015, 2:54:53 AM
to Dependency Check, jerem...@gmail.com
Thanks Jeremy.
It must have been the second case.

I added an ENV_VAR for the slave to store the CVE DB location and I now get the same results for subsequent runs and it is much faster.

Now to find out why the SonarQube Jenkins plugin is not passing the sonar.dependencyCheck.reportPath property.
The dependency-check-sonar-plugin is failing with 'Unknow(sic) input path type:null' and after grubbing through the code that property is null even though set as an additional property in Jenkins. It was working previously as there were no issues.

Regards

Paul
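Jeremy asked for the XML reports from both runs so the findings could be compared, and Paul's fix was to pin the CVE database location so the second run was not working from an empty cache. The script below, an added example and not part of this thread or of the Dependency-Check project, diffs two dependency-check XML reports and flags the pattern seen here: identical JARs scanned, every finding cleared, nothing new, which points at a missing or stale NVD cache rather than a real fix. The report XML is constructed inline, and the 1.x element names and namespace it assumes are assumptions.

```python
"""Diff two dependency-check XML reports and detect the "all findings vanished
but the JARs did not change" pattern that signals a stale or empty NVD cache."""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace; the report namespace differs between versions."""
    return tag.rsplit("}", 1)[-1]

def findings(report_xml):
    """Map each scanned file name to the set of CVE names reported for it."""
    result = {}
    for dep in ET.fromstring(report_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        name, cves = None, set()
        for el in dep.iter():
            if _local(el.tag) == "fileName":
                name = (el.text or "").strip()
            elif _local(el.tag) == "vulnerability":   # <name> under <vulnerability>
                cves |= {(c.text or "").strip() for c in el if _local(c.tag) == "name"}
        if name:
            result[name] = cves
    return result

def diff(before_xml, after_xml):
    """Return (cleared, new): per-file CVEs that disappeared / appeared."""
    before, after = findings(before_xml), findings(after_xml)
    files = set(before) | set(after)
    cleared = {f: before.get(f, set()) - after.get(f, set()) for f in files}
    new = {f: after.get(f, set()) - before.get(f, set()) for f in files}
    return {f: c for f, c in cleared.items() if c}, {f: n for f, n in new.items() if n}

def looks_like_stale_db(before_xml, after_xml):
    """Heuristic: same files scanned, every finding cleared, nothing new.
    A genuine fix changes the JARs; a lost or offline NVD cache does not."""
    before, after = findings(before_xml), findings(after_xml)
    cleared, new = diff(before_xml, after_xml)
    same_inputs = set(before) == set(after)
    return same_inputs and bool(cleared) and not new and not any(after.values())

def _report(deps):
    """Build a minimal 1.x-style report (constructed sample; namespace assumed)."""
    body = "".join(
        "<dependency><fileName>%s</fileName><vulnerabilities>%s</vulnerabilities></dependency>"
        % (f, "".join("<vulnerability><name>%s</name></vulnerability>" % c for c in cves))
        for f, cves in deps)
    return ('<analysis xmlns="https://jeremylong.github.io/DependencyCheck/'
            'dependency-check.1.3.xsd"><dependencies>%s</dependencies></analysis>' % body)

# Constructed sample data: CVE ids and JAR names are placeholders, not real findings.
RUN1 = _report([("spring-core-3.2.5.RELEASE.jar", ["CVE-0000-0001"]),
                ("spring-web-3.2.5.RELEASE.jar", ["CVE-0000-0002"])])
RUN2 = _report([("spring-core-3.2.5.RELEASE.jar", []), ("spring-web-3.2.5.RELEASE.jar", [])])
RUN3 = _report([("spring-core-4.1.7.RELEASE.jar", []), ("spring-web-4.1.7.RELEASE.jar", [])])
```

RUN1 to RUN2 reproduces the thread's situation (same JARs, warnings "fixed") and is flagged; RUN1 to RUN3, where the JARs were actually upgraded, is not.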