Jenkins Plugin and Node Module Scans

[ton...@gmail.com]

Hi all

I know the jenkins plugin is an orphan right now, and it's using an older version of the dependency check core.

I also know that we've been having issues with node scans not honouring the --nodeAuditSkipDevDependencies flag, which has been fixed in 6.0.3.

I've disabled my retirejs and nodejs packages as below in a properties file

analyzer.node.package.enabled=false

analyzer.retirejs.enabled=false

I've now tried to use the plugin, with the flag, and getting this error

[DependencyCheck] Unrecognized option: --nodeAuditSkipDevDependencies [DependencyCheck] usage: Dependency-Check Core

My question is this

Is it possible to use the most up to date jenkins plugin and tell it to skip the dev dependencies, but only in the .properties file?

I'm pretty sure I'm going to have to stop using the plugin for node module scans until it gets updated, and install the updated CLI onto the jenkins node itself and do it like that, this is a hail mary!!

Thanks

Matt

[Steve Springett]

> it's using an older version of the dependency check core

Starting with v5.0 of the Jenkins plugin, it became a simple wrapper around the CLI. It uses Jenkins infra code to automatically install Dependency-Check CLI (via bitbucket) or you can supply an alternative install method.

But the Jenkins plugin simply executes the CLI. Whatever parameters you pass to the plugin will be passed to the CLI. Reliance on Dependency Check Core is no longer used or necessary.

— Steve

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dependency-check/23cd35fa-b859-484d-88ae-ee9eb22e570bn%40googlegroups.com.