OWASP dependency-check Question

[Jeremy Long]

Is anyone using an external database other then MySQL? We are in the process of implementing a change that would require a SQL dialect file be created. We are currently supporting the embedded H2 and MySQL databases. I can add dialect files for other databases - I just need to know what is being used.

Best Regards,

Jeremy Long 

[Nico Schlebusch]

Hi Jeremy,

PostgreSQL 9.x please

Kind regards,
Nico Schlebusch

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ayush Sahu]

Hi Jeremy,

I need help to connect owasp dependency jenkins plugin with postgre SQL database.

I am getting this error :

[DependencyCheck] OWASP Dependency-Check Plugin v1.4.3
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -name = ayush_bumblebee_owasp
[DependencyCheck]  -scanPath = /home/jenkins/workspace/rmt/ayush_bumblebee_owasp
[DependencyCheck]  -outputDirectory = /home/jenkins/workspace/rmt/ayush_bumblebee_owasp
[DependencyCheck]  -dataDirectory = /home/jenkins/workspace/rmt/ayush_bumblebee_owasp/dependency-check-data
[DependencyCheck]  -connectionString = jdbc:postgresql://build1400.scm.corp.ev1.inmobi.com:5432/owasp_vuln
[DependencyCheck]  -dbDriverName = org.postgresql.Driver
[DependencyCheck]  -dbUser = jenkins
[DependencyCheck]  -dbPassword = OBSCURED
[DependencyCheck]  -dataMirroringType = none
[DependencyCheck]  -isQuickQueryTimestampEnabled = true
[DependencyCheck]  -useMavenArtifactsScanPath = false
[DependencyCheck]  -jarAnalyzerEnabled = true
[DependencyCheck]  -nodeJsAnalyzerEnabled = true
[DependencyCheck]  -composerLockAnalyzerEnabled = true
[DependencyCheck]  -pythonAnalyzerEnabled = true
[DependencyCheck]  -rubyGemAnalyzerEnabled = true
[DependencyCheck]  -cocoaPodsAnalyzerEnabled = true
[DependencyCheck]  -swiftPackageManagerAnalyzerEnabled = true
[DependencyCheck]  -archiveAnalyzerEnabled = true
[DependencyCheck]  -assemblyAnalyzerEnabled = true
[DependencyCheck]  -centralAnalyzerEnabled = true
[DependencyCheck]  -nuspecAnalyzerEnabled = true
[DependencyCheck]  -nexusAnalyzerEnabled = false
[DependencyCheck]  -autoconfAnalyzerEnabled = true
[DependencyCheck]  -cmakeAnalyzerEnabled = true
[DependencyCheck]  -opensslAnalyzerEnabled = true
[DependencyCheck]  -showEvidence = true
[DependencyCheck]  -format = XML
[DependencyCheck]  -autoUpdate = true
[DependencyCheck]  -updateOnly = false
[DependencyCheck] Unable to connect to the Dependency-Check database
[DependencyCheck] Unable to load database driver
Build step 'Invoke OWASP Dependency-Check analysis' marked build as failure
[DependencyCheck] Skipping publisher since build result is FAILURE

Thanks in advance.

Regards,

Ayush

[Steve Springett]

Ayush,

Dependency-Check, including the Jenkins plugin, does not come with database drivers. You’ll need to ensure these are in the Jenkins classpath so the DC Jenkins plugin can find them.

Depending on the environment, you may have to stuff the hpi with the driver manually, but do this only if you can’t get the first option working.

Also, the job configuration you’ve posted may cause consistency and timeout issues. Ideally, you’ll want a single job defined that performs an update only (using the update only builder). This job should block all other dependency check jobs. This is true for environments that use an external database as well as environments that utilize a shared data directory.

Keep in mind that if you use this feature with Jenkins, all Jenkins instances will need to run the same version of the plugin.

— Steve

_____________________________________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. --