Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-37437

Pipeline integration for OWASP checker

    XMLWordPrintable

Details

    Description

      It would be nice to be able to use the dependency check plugin within the jenkins pipeline (formerly known as the workflow).

      Attachments

        Issue Links

          Activity

            jeraldsm Jerald Sabu added a comment -

            sspringett owasp Dependency check works fine after updating to version 1.2.1.
            Thanks a lot for pointing out the syntax!

            jeraldsm Jerald Sabu added a comment - sspringett owasp Dependency check works fine after updating to version 1.2.1. Thanks a lot for pointing out the syntax!

            Creating a Jenkins system logger for org.owasp should reveal some useful info. Also, if the job is running on a slave, there was a serialization issue which was corrected in 2.1.1 pushed out today.

            Also, the long-form syntax can still be used in 2.1.1 and higher, but you can also call it by its groovy function name. I usually use this for testing locally:

            node("master") {
              stage("Dependency Check") {
                dependencyCheckAnalyzer datadir: 'dependency-check-data', isFailOnErrorDisabled: true, hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''
            
                dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''
            
                archiveArtifacts allowEmptyArchive: true, artifacts: '**/dependency-check-report.xml', onlyIfSuccessful: true
              }
            }

             

             

            sspringett Steve Springett added a comment - Creating a Jenkins system logger for org.owasp should reveal some useful info. Also, if the job is running on a slave, there was a serialization issue which was corrected in 2.1.1 pushed out today. Also, the long-form syntax can still be used in 2.1.1 and higher, but you can also call it by its groovy function name. I usually use this for testing locally: node( "master" ) { stage( "Dependency Check" ) { dependencyCheckAnalyzer datadir: 'dependency-check-data' , isFailOnErrorDisabled: true , hintsFile: '', includeCsvReports: false , includeHtmlReports: false , includeJsonReports: false , isAutoupdateDisabled: false , outdir: ' ', scanpath: ' ', skipOnScmChange: false , skipOnUpstreamChange: false , suppressionFile: ' ', zipExtensions: ' ' dependencyCheckPublisher canComputeNew: false , defaultEncoding: '', healthy: ' ', pattern: ' ', unHealthy: ' ' archiveArtifacts allowEmptyArchive: true , artifacts: '**/dependency-check-report.xml' , onlyIfSuccessful: true } }    
            jeraldsm Jerald Sabu added a comment - - edited

            Hi sspringett,

            Could you please provide an example for the pipeline syntax of owasp dependency check.?  Is there an option to enable debug mode ?

            I'm running owasp dependency check in 'parallel' of a build stage pipeline, with the following pipeline syntax (default one) :

            "OWASP Dependency Check": {
            step([$class: 'DependencyCheckBuilder', datadir: '', hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '${env.SOURCES_DIR}', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''])
            
            },

            But I can only see that the OWASP check failed with the following output which does not help to debug at all.:

             [Pipeline] [OWASP Depen­dency Check] \{ (Branch: OWASP Depen­dency Check)
             [Pipeline] [OWASP Depen­dency Check] echo
             15:14:37 [OWASP Depen­dency Check] OWASP Dependency Check
             [Pipeline] [OWASP Depen­dency Check] step
             15:14:37 [OWASP Depen­dency Check] [DependencyCheck] OWASP Dependency-Check Plugin v2.1.0
             [Pipeline] [OWASP Depen­dency Check] }
             15:14:37 [OWASP Depen­dency Check] Failed in branch OWASP Depen­dency Check
            

            Regards,
            Jerald

            jeraldsm Jerald Sabu added a comment - - edited Hi sspringett , Could you please provide an example for the pipeline syntax of owasp dependency check.?  Is there an option to enable debug mode ? I'm running owasp dependency check in 'parallel' of a build stage pipeline, with the following pipeline syntax (default one) : "OWASP Dependency Check" : { step([$class: 'DependencyCheckBuilder' , datadir: '', hintsFile: ' ', includeCsvReports: false , includeHtmlReports: false , includeJsonReports: false , isAutoupdateDisabled: false , outdir: ' ', scanpath: ' ${env.SOURCES_DIR} ', skipOnScmChange: false , skipOnUpstreamChange: false , suppressionFile: ' ', zipExtensions: ' ']) }, But I can only see that the OWASP check failed with the following output which does not help to debug at all.: [Pipeline] [OWASP Depen­dency Check] \{ (Branch: OWASP Depen­dency Check) [Pipeline] [OWASP Depen­dency Check] echo 15:14:37 [OWASP Depen­dency Check] OWASP Dependency Check [Pipeline] [OWASP Depen­dency Check] step 15:14:37 [OWASP Depen­dency Check] [DependencyCheck] OWASP Dependency-Check Plugin v2.1.0 [Pipeline] [OWASP Depen­dency Check] } 15:14:37 [OWASP Depen­dency Check] Failed in branch OWASP Depen­dency Check Regards, Jerald

            jhovell use the Pipeline Syntax to create the code. Like all build plugins, look in generic build step. The next version of the plugin has native groovy functions defined, so you can use either one.

            sspringett Steve Springett added a comment - jhovell use the Pipeline Syntax to create the code. Like all build plugins, look in generic build step. The next version of the plugin has native groovy functions defined, so you can use either one.
            jhovell John Hovell added a comment -

            Is there documentation for this? I don't see any directive/command in the pipeline-syntax/ page after installing this plugin. 

            jhovell John Hovell added a comment - Is there documentation for this? I don't see any directive/command in the pipeline-syntax/ page after installing this plugin. 

            People

              sspringett Steve Springett
              johan_piet Johan Piet
              Votes:
              8 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: