Checker never finds issues, because database not updated with vulnerabilities?


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Environment:

      This problem started a week ago or so. It seems the local vulnerabilities database is not updated. When starting with an empty workspace, the Jenkins jobs configured to perform the dependency check create a dependency-check-data/ folder with an (empty?) dc.h2.db of always 64KB. The scan succeeds, but with no warnings. Apparently, the checker happily scans the code against an empty database and concludes there are no issues! Even when I know for certain there were issues a week ago that haven't been solved.

      I can't provide logging (see JENKINS-36443). The console log of the builds shows nothing wrong (this is with 1.3.6, but 1.4.0 fails in the same way):

      [DependencyCheck] OWASP Dependency-Check Plugin v1.3.6
      [DependencyCheck] Executing Dependency-Check with the following options:
      [DependencyCheck] -name = cvwus-parent-sonar
      [DependencyCheck] -scanPath = /tmp/workspace/cvwus-parent-sonar
      [DependencyCheck] -outputDirectory = /tmp/workspace/cvwus-parent-sonar
      [DependencyCheck] -dataDirectory = /tmp/workspace/cvwus-parent-sonar/dependency-check-data
      [DependencyCheck] -verboseLogFile = /tmp/workspace/cvwus-parent-sonar/dependency-check.log
      [DependencyCheck] -dataMirroringType = none
      [DependencyCheck] -isQuickQueryTimestampEnabled = true
      [DependencyCheck] -useMavenArtifactsScanPath = false
      [DependencyCheck] -jarAnalyzerEnabled = true
      [DependencyCheck] -nodeJsAnalyzerEnabled = true
      [DependencyCheck] -composerLockAnalyzerEnabled = true
      [DependencyCheck] -pythonAnalyzerEnabled = true
      [DependencyCheck] -rubyGemAnalyzerEnabled = true
      [DependencyCheck] -archiveAnalyzerEnabled = true
      [DependencyCheck] -assemblyAnalyzerEnabled = true
      [DependencyCheck] -centralAnalyzerEnabled = true
      [DependencyCheck] -nuspecAnalyzerEnabled = true
      [DependencyCheck] -nexusAnalyzerEnabled = false
      [DependencyCheck] -autoconfAnalyzerEnabled = true
      [DependencyCheck] -cmakeAnalyzerEnabled = true
      [DependencyCheck] -opensslAnalyzerEnabled = true
      [DependencyCheck] -showEvidence = true
      [DependencyCheck] -format = ALL
      [DependencyCheck] -autoUpdate = true
      [DependencyCheck] -updateOnly = false
      [DependencyCheck] Scanning: /tmp/workspace/cvwus-parent-sonar
      [DependencyCheck] Analyzing Dependencies
      [DependencyCheck] Collecting Dependency-Check analysis files...
      [DependencyCheck] Finding all files that match the pattern **/dependency-check-report.xml
      [DependencyCheck] Parsing 1 file in /tmp/workspace/cvwus-parent-sonar
      [DependencyCheck] Successfully parsed file /tmp/workspace/cvwus-parent-sonar/dependency-check-report.xml with 0 unique warnings and 0 duplicates.
      [DependencyCheck] Computing warning deltas based on reference build #32

    • Assignee: Steve Springett
    • Reporter: Frank Niessink
    • Votes: 0
    • Watchers: 2
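The failure mode reported above is a scanner that fails open: the console log shows -dataDirectory pointing inside the workspace, so a clean workspace starts from a fresh dc.h2.db that has never received NVD data, and a report with zero warnings is indistinguishable from a clean project. The script below is an added example (not part of the Dependency-Check plugin or of this issue) of a build-side guard that refuses to accept "0 findings" unless the database file looks populated. It assumes a 1 MiB minimum size for a populated dc.h2.db (a chosen threshold, not a documented one), counts <vulnerability> elements in the XML report while ignoring the report's namespace, and uses constructed sample reports and a constructed dc.h2.db fixture so it runs offline.

```python
"""Guard against a Dependency-Check run that scanned against an empty database.

Added example; not part of the Dependency-Check plugin or of JENKINS issue above.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Assumption: an H2 database that never received NVD data is tiny (the issue
# reports a constant 64 KB file), while a populated one is far larger.
# 1 MiB is a deliberately conservative, chosen threshold, not a documented one.
MIN_DB_BYTES = 1 * 1024 * 1024

# Constructed sample reports (shape based on the dependency-check XML report;
# the namespace value is irrelevant because the parser strips it).
SAMPLE_REPORT_EMPTY = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>commons-collections-3.2.1.jar</fileName>
      <vulnerabilities/>
    </dependency>
  </dependencies>
</analysis>"""

SAMPLE_REPORT_ONE_CVE = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>commons-collections-3.2.1.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2015-6420</name>
          <severity>High</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""


def db_looks_populated(data_dir, min_bytes=MIN_DB_BYTES):
    """Return (populated, size_in_bytes) for dc.h2.db inside data_dir."""
    path = os.path.join(data_dir, "dc.h2.db")
    if not os.path.isfile(path):
        return False, 0
    size = os.path.getsize(path)
    return size >= min_bytes, size


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def count_vulnerabilities(report_xml):
    """Count <vulnerability> elements in a report, whatever namespace it uses."""
    root = ET.fromstring(report_xml)
    return sum(1 for el in root.iter() if _local(el.tag) == "vulnerability")


def verdict(data_dir, report_xml):
    """'FINDINGS' if the report lists CVEs, 'CLEAN' if it lists none and the
    database looks populated, 'UNTRUSTWORTHY' if it lists none and the
    database looks empty (the situation described in this issue)."""
    if count_vulnerabilities(report_xml) > 0:
        return "FINDINGS"
    populated, _ = db_looks_populated(data_dir)
    return "CLEAN" if populated else "UNTRUSTWORTHY"


def make_sample_data_dir(db_size_bytes):
    """Constructed fixture: a throwaway data dir holding a dc.h2.db of the
    given size (zero-filled, not a real H2 file)."""
    d = tempfile.mkdtemp(prefix="dc-data-")
    with open(os.path.join(d, "dc.h2.db"), "wb") as f:
        f.write(b"\0" * db_size_bytes)
    return d


if __name__ == "__main__":
    # Usage: check_dc_data.py <dataDirectory> <dependency-check-report.xml>
    # Without arguments it demonstrates the failure mode with a 64 KB fixture.
    data_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample_data_dir(64 * 1024)
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as f:
            report = f.read()
    else:
        report = SAMPLE_REPORT_EMPTY
    result = verdict(data_dir, report)
    print(result, "(dc.h2.db is %d bytes)" % db_looks_populated(data_dir)[1])
    # Non-zero exit lets a Jenkins shell step fail the build on a hollow scan.
    sys.exit(1 if result == "UNTRUSTWORTHY" else 0)
```

Run it as a build step after the Dependency-Check step, passing the same -dataDirectory and the generated dependency-check-report.xml; a non-zero exit turns the silent "0 unique warnings" into a failed build. Keeping the data directory outside the per-build workspace (so the NVD download survives a clean checkout) addresses the cause rather than the symptom, and the guard then only fires when an update genuinely failed.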