DC report not published in Jenkins or SonarQube


Kenneth Carey

Jun 28, 2018, 11:50:04 AM
to Dependency Check
Thanks for the help in advance. I am using Jenkins to run a Dependency-Check analysis for a project that is primarily Node.js (JavaScript) with some Python, web, and XML. When the build is complete I can see the dependency-check-report.html, dependency-check-report.xml, and dependency-check-vulnerability.html files created in the workspace directory, but I do not see the report on the Jenkins project page.

I have the Invoke Dependency-Check analysis build step in place with the Generate optional HTML report box checked, as well as the Generate optional vulnerability report (HTML) checkbox checked. (This is why the reports are being generated, I presume.)

I have a Post-build Actions step of Publish Dependency-Check results configured with default values, other than that the "Run Always" checkbox is checked.
What else do I need to change in my configuration to get the report to publish? Is it possible that when the report finds no dependencies in the code the report is not published? Below are the versions of the plugin/Jenkins I am using:

OWASP Dependency-Check Plugin 3.2.1

Any help is appreciated. I also am not seeing the report on SonarQube, but will post that question in another topic if the resolution to this one does resolve the other problem as well.

Thanks everyone!

Kenneth Carey

Jun 28, 2018, 12:40:40 PM
to Dependency Check
Ok, I may get kicked out of the group for my original post. The report is not posted on the project page; it is posted on the build results page. It clearly states there were no vulnerabilities found, and I presume once again that since no vulnerabilities were found there is no link to the report, just the icon and the bullet item summary.

However, in SonarQube when I click the more-->OWASP Dependency-Check link from the project page I get a blank screen. I presume this is due to the fact that there are no vulnerabilities found (and no dependencies), but shouldn't this link display the dependency-check-report.html that was generated? That file is not blank; it at least has the report headers etc. It would be nice to see something similar in SonarQube, something to indicate no vulnerabilities were found, like the contents of the dependency-check-report.html.

Thanks for your patience and help.

Steve Springett

Jun 28, 2018, 6:35:37 PM
to Dependency Check
Kenneth,

If you have the trend graph enabled in Jenkins, it will also show up with a 0 count. The plugin is built on Analysis Core, the same framework that the PMD, FindBugs, CheckStyle, and Twistlock plugins are built on. If you see UI functionality available in one of those plugins that is not available in the Dependency-Check plugin, complete an enhancement request at https://issues.jenkins-ci.org/ and I'll evaluate it.

For SonarQube, there's not a whole lot plugin developers can do. With the past few major SQ releases, fewer customizations are available than in previous releases, making the platform less and less desirable for measuring software quality issues that are not the DIRECT result of code-level flaws. The plugin simply tells SQ how many issues were found. From there, it's up to SQ to display them (or present the fact that no issues were found). If the default behavior is not desired, you'll have to join the SQ mailing list and request an enhancement (their Jira instance doesn't allow the community to contribute). Also, if you filter on the Dependency-Check issues in the 'measures' tab, you'll see the number of issues, and clicking on one would present a list of all the issues. You might want to try using a dependency-check report containing a few vulns just for testing purposes.

— Steve
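Before filing an enhancement request it helps to confirm what the publisher actually received. The following is an added example, not code from this thread, the Jenkins plugin or Dependency-Check itself: it reads the dependency-check-report.xml written into the workspace and reports how many dependencies were scanned and how many vulnerabilities were recorded, so a (0, 0) result explains the icon-only summary in Jenkins and the empty SonarQube view, while a non-zero count means the reports are not being picked up. The sample report, its file names and the CVE ids are constructed placeholders; the XML namespace is stripped on purpose so the report schema version does not matter.

```python
"""Summarise dependency-check-report.xml: dependencies scanned and vulnerabilities found.
A (0, 0) result is why the Jenkins build page shows only the icon and SonarQube lists nothing."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the XML namespace so any report schema version parses the same way."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if _local(c.tag) == name]


def summarize_report(xml_text):
    """Return (dependency_count, vulnerability_count, {fileName: [vulnerability names]}).
    Only <vulnerabilities> is counted; <suppressedVulnerabilities> is deliberately ignored."""
    root = ET.fromstring(xml_text)
    findings, dep_count = {}, 0
    for dep in (e for e in root.iter() if _local(e.tag) == 'dependency'):
        dep_count += 1
        file_name = next((c.text for c in _children(dep, 'fileName')), '<unnamed>')
        names = []
        for container in _children(dep, 'vulnerabilities'):
            for vuln in _children(container, 'vulnerability'):
                names.extend(n.text for n in _children(vuln, 'name'))
        if names:
            findings[file_name] = names
    return dep_count, sum(len(v) for v in findings.values()), findings


# Constructed sample in the shape of a Dependency-Check XML report; names and CVE ids are placeholders.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.5.xsd">
  <dependencies>
    <dependency>
      <fileName>vuln-lib:2.0.0</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-XXXX-0001</name></vulnerability>
        <vulnerability><name>CVE-XXXX-0002</name></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency><fileName>clean-lib:1.0.0</fileName></dependency>
  </dependencies>
</analysis>"""
# What a scan of a project with no detectable dependencies looks like (constructed).
EMPTY_REPORT = '<analysis><dependencies/></analysis>'
```

Run `summarize_report(open('dependency-check-report.xml').read())` against the file in the Jenkins workspace to see the counts the publisher had to work with.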