How to integrate OWASP dependency check plugin in Jenkins Pipeline?


Ramanathan Muthaiah

Jan 30, 2017, 10:04:38 PM
to Jenkins Users
Hi ,

After reading through the OWASP dependency check plugin wiki and JIRA issues, I could not find examples of simple usage of this plugin in Jenkins Pipeline, with the exception of this code snippet (sourced from one of the PR conversations in this plugin's GH page):

step([$class: 'DependencyCheckPublisher'])

I would like to collect data from OWASP dependency check by scanning mostly Python-ish codebase.

Has anyone tried this combination, i.e. Jenkins Pipeline + OWASP dependency check?

NOTE:
There is not much documentation available here too, https://github.com/jenkinsci/dependency-check-plugin

Appreciate any pointers on this topic.

/Ram

childNo͡.de

May 8, 2017, 10:43:56 AM
to Jenkins Users
hi,

I just gave it a try on
* jenkins 1.651.2
* Jenkins OWASP Dependency-Checker 1.4.5
* HTML Publisher Plugin 1.11

so, first of all: the example given is valid and working. The Jenkins OWASP Plugin lacks support for a pipeline DSL extension, so you are forced to work with this generic step notation.
See also https://github.com/jenkinsci/pipeline-plugin/blob/master/COMPATIBILITY.md

To see what you might set in the construction yard, you have to look at the code: https://github.com/jenkinsci/dependency-check-plugin/blob/master/src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckPublisher.java

Since there is an empty constructor but a DataBoundSetter, the only perhaps working (optional) parameter is: pattern

step([
  $class: 'DependencyCheckPublisher',
  pattern: 'fix/path/custom-report-name.xml'
])

*UPDATE* you should have a look at http://jenkins.somewhatlocal.example.com/pipeline-syntax/
It seems the plugin works with this code generator, and even more settings are available!! Example:

step([
  $class: 'DependencyCheckPublisher',
  canComputeNew: false,
  defaultEncoding: '',
  healthy: '100',
  unHealthy: '0',
  pattern: 'fix/path/custom-report-name.xml',
  shouldDetectModules: true
])

BTW
assuming you have run the dependencyCheck in your project build step before (for me, using the gradle plugin):

while

step([$class: 'DependencyCheckPublisher'])

results in an empty report on misconfiguration,

telling me in the console
[DependencyCheck] Searching for all files in /var/lib/jenkins/workspace/myBuild that match the pattern **/dependency-check-report.xml
[DependencyCheck] No files found. Configuration error?

so, at least it is working fine ;)

You might save the (default) HTML report with the HTML Publisher like:
publishHTML(target: [
    reportDir   : 'build/reports',
    reportFiles : 'dependency-check-report.html',
    reportName  : 'OWASP Dependency Check',
    allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true])

To make

step([$class: 'DependencyCheckPublisher'])

work, you need XML output; for the gradle plugin you have to set

dependencyCheck {
  failOnError = false
  format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL
}

Check for the relevant format options on your build side, especially the format configuration.

Hope this helps for now ;)

~Marcel
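The pieces in the reply above (run the scan as a build step, publish the XML via the generic `step` notation, keep the HTML report with the HTML Publisher) wired into one scripted Jenkinsfile. This is an added example, not code from the thread or from the dependency-check plugin. It assumes the project uses the Gradle wrapper with the OWASP dependency-check Gradle plugin configured as shown above (`format = ALL`, so both XML and HTML land in `build/reports`), that the Gradle task is named `dependencyCheckAnalyze`, and that the Jenkins OWASP Dependency-Check and HTML Publisher plugins are installed. The `fileExists` guard is an addition so that the "No files found. Configuration error?" case fails the build loudly instead of silently publishing an empty report.

```groovy
// Added example: scripted Jenkinsfile combining the steps from the thread.
// Assumptions (not stated on the page): Gradle wrapper present, OWASP
// dependency-check Gradle plugin applied with format = ALL, task name
// 'dependencyCheckAnalyze', reports written to build/reports.
node {
    stage('Checkout') {
        checkout scm
    }

    stage('Dependency scan') {
        // The publisher only reads an existing report, so the analysis has
        // to run as a build step first. failOnError = false in build.gradle
        // keeps a scanner fault (e.g. an NVD download problem) from aborting
        // the build here; the report check below still catches it.
        sh './gradlew dependencyCheckAnalyze'
    }

    stage('Publish results') {
        // Default location and name the Gradle plugin writes to (assumed).
        def xmlReport = 'build/reports/dependency-check-report.xml'

        // Fail loudly instead of publishing an empty report: the console
        // line "[DependencyCheck] No files found. Configuration error?"
        // otherwise goes unnoticed and the job stays green.
        if (!fileExists(xmlReport)) {
            error("OWASP dependency-check XML report not found at ${xmlReport}; check the Gradle 'format' setting")
        }

        // Generic step notation, since the plugin has no pipeline DSL step.
        // The pattern is spelled out so a custom report path can be swapped in.
        step([
            $class            : 'DependencyCheckPublisher',
            pattern           : xmlReport,
            canComputeNew     : false,
            shouldDetectModules: true
        ])

        // Keep the human-readable HTML report next to each build.
        publishHTML(target: [
            reportDir            : 'build/reports',
            reportFiles          : 'dependency-check-report.html',
            reportName           : 'OWASP Dependency Check',
            allowMissing         : true,
            alwaysLinkToLastBuild: true,
            keepAll              : true
        ])
    }
}
```

Put this Jenkinsfile at the repository root and point a Pipeline job at it. If the project is not Gradle-based (the original question mentions a mostly Python codebase), only the `sh` line in the scan stage changes: whatever tool produces `dependency-check-report.xml` can be invoked there, as long as the `pattern` passed to the publisher matches where that tool writes the XML.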