Jenkins / JENKINS-37437

Pipeline integration for OWASP checker

      Description

      It would be nice to be able to use the Dependency-Check plugin within the Jenkins Pipeline (formerly known as Workflow).

            Activity

            sspringett Steve Springett added a comment -

            Support for workflow was added by CloudBees.

            https://github.com/jenkinsci/dependency-check-plugin/pull/3

            If for some reason it doesn't work, perhaps getting the original committers involved may help.

            sspringett Steve Springett added a comment -

            Upon investigation, it appears that only the publisher part of the Dependency-Check Jenkins plugin was ever tested with pipeline. Need to further investigate to see if the two builders also work.

            itaisanders Itai Sanders added a comment -

            Hi,
            any news with the pipeline support?
            I want to incorporate this tool into our pipelines and figured I might be able to run this as a command-line tool and then publish the results using the already supported publisher. But if there's a chance to have a native builder to manage the test run, it would be preferable.
            Thanks.

            mramanathan Ramanathan M added a comment -

            Hello,

            We have similar requirement in our org to integrate OWASP dependency check in Jenkins pipeline as part of workflow. From the various forums, I realized that only "Dependency publisher" step is documented. Am looking for improved support for this plugin in pipeline i.e. ability to trigger the dependency check's NVD data collection and using it for analysis by way of integrating in pipeline in the form of steps.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: stevespringett
            Path:
            src/main/java/org/jenkinsci/plugins/DependencyCheck/AbstractDependencyCheckBuilder.java
            src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckBuilder.java
            src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckExecutor.java
            src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckUpdateOnlyBuilder.java
            src/main/resources/org/jenkinsci/plugins/DependencyCheck/Messages.properties
            http://jenkins-ci.org/commit/dependency-check-plugin/8f780e9071b05291102cbe0c22bd17ce6a2caedd
            Log:
            Adding support for Pipeline via SimpleBuildStep. Fixed several issues with getters and general cleanup. JENKINS-37437

            mramanathan Ramanathan M added a comment -

            Good to see some traction on this ticket.

            1. In which release (weekly or LTS) can these changes be expected?

            2. Also, would the changes go through any testing before being released?

            sspringett Steve Springett added a comment -

            This support is currently in Dependency-Check 1.4.6-SNAPSHOT and has the same release schedule as the rest of the Dependency-Check components. So it will be available in the next DC release.

            This feature resulted in a lot of changes and as a result, I have tested this in my own environment consisting of a Jenkins master and slave running in various configurations. I have concluded that these changes have not resulted in regressions for current installations and do in-fact work with pipeline jobs. With that said, I do encourage anyone interested in this feature to give it a spin before the official 1.4.6 release - which I don't know when that is as of now.

            sspringett Steve Springett added a comment -

            Feature implemented. Marking as resolved but will leave open until 1.4.6 is released.

            sspringett Steve Springett added a comment (edited) -

            1.4.6 has turned into 2.0.0 due to the number of enhancements and other major changes. 2.0.0 will likely be released in the next week or two.

            znerd Ernst de Haan added a comment -

            After installing a pre-release version of this plugin, I do not see a new step show up in the Pipeline Syntax view. Should it show up there?

            And are there some examples we can refer to? E.g.

            step([$class: 'DependencyCheckBuilder', foo: bar])

            or (even better) something like:

            owaspdepcheck foo bar

            sspringett Steve Springett added a comment -

            I introduced an issue last night that messed up pipeline. It's corrected now and the syntax view works correctly.

            sspringett Steve Springett added a comment -

            Closing. Pipeline support included and released in v2.0.0

            jhovell John Hovell added a comment -

            Is there documentation for this? I don't see any directive/command in the pipeline-syntax/ page after installing this plugin. 

            sspringett Steve Springett added a comment -

            John Hovell, use the Pipeline Syntax to create the code. Like all build plugins, look in the generic build step. The next version of the plugin has native Groovy functions defined, so you can use either one.

            jeraldsm Jerald Sabu added a comment (edited) -

            Hi Steve Springett,

            Could you please provide an example of the pipeline syntax for OWASP Dependency Check? Is there an option to enable debug mode?

            I'm running owasp dependency check in 'parallel' of a build stage pipeline, with the following pipeline syntax (default one) :

            "OWASP Dependency Check": {
            step([$class: 'DependencyCheckBuilder', datadir: '', hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '${env.SOURCES_DIR}', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''])
            
            },

            But I can only see that the OWASP check failed with the following output which does not help to debug at all.:

             [Pipeline] [OWASP Dependency Check] { (Branch: OWASP Dependency Check)
             [Pipeline] [OWASP Dependency Check] echo
             15:14:37 [OWASP Dependency Check] OWASP Dependency Check
             [Pipeline] [OWASP Dependency Check] step
             15:14:37 [OWASP Dependency Check] [DependencyCheck] OWASP Dependency-Check Plugin v2.1.0
             [Pipeline] [OWASP Dependency Check] }
             15:14:37 [OWASP Dependency Check] Failed in branch OWASP Dependency Check

            Regards,
            Jerald

            sspringett Steve Springett added a comment -

            Creating a Jenkins system logger for org.owasp should reveal some useful info. Also, if the job is running on a slave, there was a serialization issue which was corrected in 2.1.1 pushed out today.

            Also, the long-form syntax can still be used in 2.1.1 and higher, but you can also call it by its groovy function name. I usually use this for testing locally:

            node("master") {
              stage("Dependency Check") {
                dependencyCheckAnalyzer datadir: 'dependency-check-data', isFailOnErrorDisabled: true, hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''
            
                dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''
            
                archiveArtifacts allowEmptyArchive: true, artifacts: '**/dependency-check-report.xml', onlyIfSuccessful: true
              }
            }

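The snippet above gets the steps into a job but does not decide anything with the result. The scripted Pipeline below is an added example, not code from this ticket, from Steve Springett or from the plugin's own documentation. It uses the two step names shown in the thread (dependencyCheckAnalyzer, dependencyCheckPublisher) with the parameters that appear there, runs on an agent rather than the master, fixes the quoting problem in the earlier parallel-branch snippet (a single-quoted '${env.SOURCES_DIR}' is never interpolated by Groovy), archives the report whether or not the build passes, and then fails or marks the build unstable from the severities in the XML report. Everything else is an assumption: an agent labelled 'linux' whose user can write ~/.dependency-check-data, an outdir relative to the workspace, the dependency-check 2.x XML layout (analysis/dependencies/dependency/vulnerabilities/vulnerability/severity), and that XmlSlurper is allowed by script approval in a sandboxed pipeline.

```groovy
// Added example; not part of JENKINS-37437 or of the Dependency-Check plugin's documentation.
// Scripted Pipeline: run the analyzer and publisher steps from the thread, then gate
// the build on the severities found in the XML report.
//
// Assumptions (none of these are stated in the ticket):
//   - an agent labelled 'linux' exists and its user can write ~/.dependency-check-data
//   - 'outdir' is relative to the workspace, so the XML lands at
//     dependency-check-report/dependency-check-report.xml
//   - the report follows the dependency-check 2.x XML layout
//     analysis/dependencies/dependency/vulnerabilities/vulnerability/severity
//   - XmlSlurper may need script approval when the pipeline runs in the Groovy sandbox

node('linux') {                      // run on an agent, not on the master
  stage('Checkout') {
    checkout scm
  }

  stage('Dependency Check') {
    // Keep the NVD data outside the workspace so it is reused between builds
    // instead of being downloaded again on every run.
    def dataDir = "${env.HOME}/.dependency-check-data"

    // Double quotes matter: in Groovy a single-quoted '${env.WORKSPACE}' is the literal
    // string, not the workspace path, and the analyzer would scan a directory that does not exist.
    dependencyCheckAnalyzer datadir: dataDir,
        scanpath: "${env.WORKSPACE}",
        outdir: 'dependency-check-report',
        isFailOnErrorDisabled: false,        // let analyzer errors fail the step instead of hiding them
        isAutoupdateDisabled: false,
        includeHtmlReports: true,
        includeCsvReports: false,
        includeJsonReports: false,
        hintsFile: '',
        suppressionFile: '',                 // assumption: no suppressions yet; point at a versioned file later
        skipOnScmChange: false,
        skipOnUpstreamChange: false,
        zipExtensions: ''

    dependencyCheckPublisher pattern: 'dependency-check-report/dependency-check-report.xml',
        canComputeNew: false, defaultEncoding: '', healthy: '', unHealthy: ''
  }

  stage('Gate') {
    // Archive before gating and regardless of result, so the evidence of a failed build survives.
    archiveArtifacts allowEmptyArchive: true, onlyIfSuccessful: false,
        artifacts: 'dependency-check-report/**'

    def counts = countBySeverity(readFile('dependency-check-report/dependency-check-report.xml'))
    echo "Dependency-Check findings by severity: ${counts}"

    if (counts.high > 0) {
      error "Dependency-Check found ${counts.high} high/critical-severity vulnerabilities; failing the build"
    } else if (counts.medium > 0) {
      currentBuild.result = 'UNSTABLE'
    }
  }
}

// Parse the Dependency-Check XML and count vulnerabilities by severity.
// @NonCPS because XmlSlurper's GPath objects cannot be serialized across Pipeline steps.
@NonCPS
Map countBySeverity(String xml) {
  // validating=false, namespaceAware=false so the report's default namespace is ignored
  def analysis = new XmlSlurper(false, false).parseText(xml)
  def counts = [high: 0, medium: 0, low: 0, other: 0]
  analysis.dependencies.dependency.vulnerabilities.vulnerability.each { v ->
    switch (v.severity.text().trim().toLowerCase()) {
      case 'critical':                      // newer reports (CVSS v3) add this level; treat as high
      case 'high':   counts.high++;   break
      case 'medium': counts.medium++; break
      case 'low':    counts.low++;    break
      default:       counts.other++
    }
  }
  return counts
}
```

The gate runs after archiveArtifacts on purpose: if the order were reversed, error() would abort the stage before the report was saved, which is exactly the situation where you most want the report. The publisher step still produces the trend graphs; the Groovy gate is only there because the thread does not document a threshold parameter on the publisher, so the example relies on nothing beyond the parameter names that appear above.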
            jeraldsm Jerald Sabu added a comment -

            Steve Springett, OWASP Dependency Check works fine after updating to version 1.2.1.
            Thanks a lot for pointing out the syntax!


              People

              Assignee:
              sspringett Steve Springett
              Reporter:
              johan_piet Johan Piet
              Votes: 8
              Watchers: 17
