OWASP Dependency-Check Plugin does not respect suppressions anymore

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Environment: Windows 2012 32bit, Oracle Java 1.7.0_25, Jenkins 1.6.24, OWASP Dependency Check Plugin 1.3.0

      After upgrading the OWASP Dependency Check Plugin to version 1.3.0, all of my suppressions provided in a suppressions file are ignored. I checked twice that it occurs only with the new version 1.3.0 by downgrading to version 1.2.11.1 (where the suppressions work) and back to 1.3.0, where they do not work.
      Attached are a screenshot of our configuration, the suppression file itself, statistics after installing 1.3.0 and the DependencyCheckReport (showing that there are no suppressions).

          Markus Schlegel added a comment -

          I'll try that tomorrow. Just curious why it worked with 1.2.11.1 but not with 1.3.1.1 with the exact same settings...

          Markus Schlegel added a comment - edited

          Ok, I can confirm, that it works now, when specifying the path using

          ${WORKSPACE}

          For everyone with the same problem: I had to change the suppression file path from

          TE/source/OWASP-Dependency-Check-Suppression.xml

          to

          ${WORKSPACE}\TE\source\OWASP-Dependency-Check-Suppression.xml

          sspringett: this single setting is the only one in my whole Jenkins configuration where I ever had to use ${WORKSPACE}.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Steve Springett
          Path:
          src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckBuilder.java
          http://jenkins-ci.org/commit/dependency-check-plugin/8ad6e71c03c059b31d8635c204d8915bf9b2c095
          Log:
          Fixing suppression file relative to workspace. Issue JENKINS-30023

          Steve Springett added a comment -

          schlegel_m You're correct. In previous releases the plugin used to resolve relative paths. I've put the functionality back in and will release 1.3.1.2 to resolve the issue.

          Steve Springett added a comment -

          Fixed in 1.3.1.2

          Victor Noël added a comment -

          Hi,

          Could we still get variable resolution for URLs?

          According to current code, if it's a valid url but contains a variable in it, it won't be resolved…

          Thanks


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Steve Springett
          Path:
          src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckBuilder.java
          http://jenkins-ci.org/commit/dependency-check-plugin/78e16bde14230a1daf064b954d08d653fb1cdad5
          Log:
          Added variable substitution back to URLs. JENKINS-30023

          Steve Springett added a comment -

          Good catch victornoel. The substitution code has been added back in for URLs.
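The two behaviours discussed in this thread (resolving a relative suppression path against the job workspace, and substituting `${VAR}` tokens in a suppression URL before it is used) are illustrated below in a stand-alone Java class. This is an added example, not the plugin's DependencyCheckBuilder code: a plain `Map` stands in for Jenkins' environment variables, `java.nio.file.Path` stands in for the workspace, and the workspace location, the `BRANCH` variable and the `example.invalid` host are constructed values. It also adds one check the thread does not mention, rejecting a relative path that normalizes to a location outside the workspace. Forward slashes are used so it runs on any JVM; the Windows backslash form from the workaround above resolves the same way on Windows.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative resolver for a configured suppression-file setting.
 * Not the plugin's code: Jenkins uses EnvVars/FilePath, here a Map and java.nio stand in.
 */
public class SuppressionPathResolver {

    // Matches ${NAME} tokens in the configured value.
    private static final Pattern VAR = Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Expand ${NAME} tokens from the supplied environment; unknown names are left as written. */
    static String expand(String value, Map<String, String> env) {
        Matcher m = VAR.matcher(value);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String replacement = env.getOrDefault(m.group(1), m.group(0));
            m.appendReplacement(sb, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** True when the value is an absolute http(s)/file URL; such values are passed through, not treated as paths. */
    static boolean isUrl(String value) {
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            return uri.isAbsolute() && scheme != null
                && (scheme.equals("http") || scheme.equals("https") || scheme.equals("file"));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * 1. substitute variables (for URLs as well as paths),
     * 2. return URLs unchanged,
     * 3. resolve a relative path against the workspace, refusing one that escapes it.
     */
    static String resolve(String configured, Map<String, String> env, Path workspace) {
        String expanded = expand(configured.trim(), env);
        if (isUrl(expanded)) {
            return expanded;
        }
        Path ws = workspace.toAbsolutePath().normalize();
        Path p = Paths.get(expanded);
        Path resolved = (p.isAbsolute() ? p : ws.resolve(p)).normalize();
        // Added check: a relative setting must stay inside the workspace (e.g. no "../../etc/...").
        if (!p.isAbsolute() && !resolved.startsWith(ws)) {
            throw new IllegalArgumentException("relative suppression path escapes the workspace: " + configured);
        }
        return resolved.toString();
    }

    public static void main(String[] args) {
        // Constructed sample workspace and environment (hypothetical values).
        Path ws = Paths.get("/var/lib/jenkins/workspace/my-job");
        Map<String, String> env = Map.of("WORKSPACE", ws.toString(), "BRANCH", "release");

        // Relative path: resolved against the workspace, as the plugin did before 1.3.0 and again from 1.3.1.2.
        System.out.println(resolve("TE/source/OWASP-Dependency-Check-Suppression.xml", env, ws));
        // Explicit ${WORKSPACE}: the workaround from the thread; expands, then resolves to the same file.
        System.out.println(resolve("${WORKSPACE}/TE/source/OWASP-Dependency-Check-Suppression.xml", env, ws));
        // URL containing a variable: substituted first, then returned as a URL (the follow-up request).
        System.out.println(resolve("https://example.invalid/${BRANCH}/suppressions.xml", env, ws));
    }
}
```

Both the bare relative path and the `${WORKSPACE}`-prefixed form end up at the same file, which is why the workaround in this thread works on 1.3.0/1.3.1.1 and why the relative form works again once the plugin resolves against the workspace itself; substitution happens before the URL check so a `${VAR}` inside a URL is expanded rather than left as a literal.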

          Adrian Popa added a comment -

          Doesn't work in OWASP Dependency-Check Plugin version 1.3.3
          Works in 1.3.4!


          Steve Springett added a comment -

          ad_robotics That's correct. A change in the Dependency-Check core module (not Jenkins plugin) contributed to suppressions not working in 1.3.3. This has been corrected in 1.3.4. Refer to https://github.com/jeremylong/DependencyCheck/issues/445 for details.

            Assignee: Steve Springett (sspringett)
            Reporter: Markus Schlegel (schlegel_m)
            Votes: 4
            Watchers: 10