Issue with publishing analysis results in Jenkins job


Piyush Mittal
Feb 22, 2017, 6:07:17 AM
to Dependency Check
Hello,

Jenkins job scenario:
a) An Execute shell step is used to call the Dependency-Check Gradle plugin on a Gradle project. For some reasons (on our part), this plugin failed to run and reports are not generated.
b) As a post-build action, the job is configured to publish OWASP Dependency-Check analysis results and mark the build as unstable if any new high vulnerability is found.
Now two issues here while publishing analysis results:
1. Reports are not generated in step (a), but still analysis is performed. This leads to the vulnerability graph becoming zero.
2. Subsequent builds where step (a) is successful now mark the build as unstable, because the baseline vulnerability image changes to zero or no vulnerabilities.
3. The file path doesn't accept passing variables like $PROJECT_ROOT.

Thanks for your help in advance!
Steve Springett
Feb 22, 2017, 6:08:10 PM
to Dependency Check
All Jenkins jobs have an option on how to process post-build steps. Ensure that 'Run only if build succeeds' is selected. This will prevent the Dependency-Check publisher from attempting to publish results that don't exist.

The DC Jenkins plugin is built on top of analysis-core, also used by the PMD, FindBugs, and Checkstyle plugins. These plugins do not support variables. It's documented to use Ant-style patterns.

Piyush Mittal
Feb 23, 2017, 12:01:41 PM
to Dependency Check
I have used the successful-build condition too, but I encountered one more error: "Exception occurred initializing CPE Analyzer". In this case reports are generated, but with zero vulnerabilities, which changes my baseline vulnerability image. Just wondering if something could be done for such real-time scenarios.

Additionally, is it possible to generate a report only for specific CVEs? I know we can do it for a CVSS score or suppress a specific CPE/CVE, but I want to generate a report only for specific CVEs/CPEs. Didn't want to unnecessarily open one more thread for this. Thanks!
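As an added example (not part of this thread and not the Dependency-Check project's own code), a POSIX shell guard for the Execute shell step described in the first post. It addresses both failure modes raised so far: the report that was never generated, and the report that was generated with zero findings after the "Exception occurred initializing CPE Analyzer" error. The step exits non-zero unless the XML report exists and records a completed analysis, so a publisher configured with "Run only if build succeeds" never overwrites the vulnerability baseline with an empty result. The Gradle task name `dependencyCheck`, the report path `build/reports/dependency-check-report.xml`, the marker strings and the fixture data are assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example for this thread (not code from the Dependency-Check project).
# Guard for a Jenkins "Execute shell" build step: only let the step succeed,
# and therefore let a "Run only if build succeeds" post-build publisher run,
# when the Dependency-Check XML report was produced by a completed analysis.
# The Gradle task name, report path and marker strings are assumptions; the
# fixtures written by demo_with_constructed_fixtures are constructed data.

# report_is_publishable REPORT_XML GRADLE_LOG
# Return codes: 0 publishable; 1 report file missing; 2 an analyzer failed to
# initialise (the Gradle log carries the message quoted in the thread);
# 3 the report lists no dependencies at all (hollow analysis).
report_is_publishable() {
    report="$1"
    log="$2"
    [ -f "$report" ] || return 1
    # Assumed marker: the prefix of the exception message seen in the thread.
    if [ -f "$log" ] && grep -q 'Exception occurred initializing' "$log"; then
        return 2
    fi
    # The XML report wraps each scanned artifact in a <dependency> element.
    grep -q '<dependency>' "$report" || return 3
    return 0
}

# Body of the Jenkins "Execute shell" step (assumed task name and paths).
# A non-zero exit fails the build, so the publisher never sees a missing or
# hollow report and the baseline vulnerability image stays unchanged.
jenkins_build_step() {
    ./gradlew dependencyCheck > dc.log 2>&1 || { cat dc.log; exit 1; }
    rc=0
    report_is_publishable build/reports/dependency-check-report.xml dc.log || rc=$?
    [ "$rc" -eq 0 ] || { echo "refusing to publish Dependency-Check report (code $rc)" >&2; exit "$rc"; }
}

# Runs the classifier over constructed fixtures covering each return code;
# prints one line per case and returns 0 only if every case matched.
demo_with_constructed_fixtures() {
    tmp=$(mktemp -d) || return 1
    printf '<analysis><dependencies><dependency><fileName>a.jar</fileName></dependency></dependencies></analysis>\n' > "$tmp/good.xml"
    printf '<analysis><dependencies/></analysis>\n' > "$tmp/empty.xml"
    printf 'BUILD SUCCESSFUL\n' > "$tmp/ok.log"
    printf 'Exception occurred initializing CPE Analyzer\nBUILD SUCCESSFUL\n' > "$tmp/cpe.log"
    failed=0
    for fixture in "good.xml ok.log 0" "missing.xml ok.log 1" "good.xml cpe.log 2" "empty.xml ok.log 3"; do
        set -- $fixture
        rc=0
        report_is_publishable "$tmp/$1" "$tmp/$2" || rc=$?
        echo "$1 + $2 -> $rc (expected $3)"
        [ "$rc" -eq "$3" ] || failed=1
    done
    rm -rf "$tmp"
    return $failed
}
```

Paste the body of `jenkins_build_step` (with `report_is_publishable` defined above it) into the Execute shell step; run `demo_with_constructed_fixtures` locally to see how each condition is classified.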

Steve Springett
Feb 23, 2017, 4:34:27 PM
to Dependency Check
The report generator creates reports in their entirety, in HTML or XML format, the Jenkins plugin requiring the XML report. There isn't a way currently to generate reports only for specific findings.

As far as the exception you're encountering with the CPE Analyzer in the Gradle plugin, I'd recommend creating a ticket so we can track the issue.

Hans Aikema
Feb 23, 2017, 4:47:34 PM
to Piyush Mittal, Dependency Check
Could it be that you're still on a version lower than 1.4.2? Similar symptoms ("Exception occurred initializing CPE Analyzer" without breaking the build) I have encountered in the Maven plugin, upon which my investigation made me discover https://github.com/jeremylong/DependencyCheck/issues/215

From the comments in that issue and a mentioned related ant-plugin issue, I would expect the Gradle plugin to fail as well after the fixes for issue 215 (unless some cases were overlooked in that fix, in which case Steve's suggestion to open a ticket would be the right way forward).

regards,
Hans Aikema

Piyush Mittal
Feb 24, 2017, 2:34:49 AM
to Dependency Check, piyus...@gmail.com, hans....@equensworldline.com
I am on the latest, 1.4.5. Will open an issue soon as suggested. Thanks for your clarification.