JENKINS-54838 (project: Jenkins)

OWASP Dependency-Check plugin loses trace of bcprov-jdk15on.jar vulnerabilities


      Description

      We're using the Dependency-Check Jenkins plugin version 3.3.4 to analyze our software and are experiencing buggy behavior. Every time we do a scan the plugin says that we got:

      12 new vulnerabilities
      12 Fixed vulnerabilities

      And the problem is that all of them are the same vulnerabilities, scan after scan, related to the Bouncy Castle provider: bcprov-jdk15on.jar


          Activity

          pachulo Marc P created issue -
          pachulo Marc P made changes -
          Description: reformatted the vulnerability counts as a code block; the description includes two screenshots:
          https://user-images.githubusercontent.com/3256953/48907536-0e604600-ee68-11e8-86a3-c95710e01986.png
          https://user-images.githubusercontent.com/3256953/48907421-a9a4eb80-ee67-11e8-9e90-3ea378a70852.png
          sspringett Steve Springett added a comment - - edited

          What version of the Dependency-Check Jenkins plugin are you using?

          What version of analysis-core (Static Code Analysis Plugins) is installed?

          Do you have the warnings or warnings-ng plugin installed? If so, what version?

          Did you use the Dependency-Check Maven plugin, CLI, or the Jenkins plugin to produce dependency-check-result.xml?

          sspringett Steve Springett made changes -
          Assignee: Steve Springett (sspringett)
          pachulo Marc P made changes -
          Description: added the plugin version ("Dependency-Check Jenkins plugin version 3.3.4")
          pachulo Marc P added a comment -

          We are using version 3.3.4 of Dependency-Check Jenkins plugin.

          I don't know how to check the version of analysis-core.

          I think that we don't have the warnings/-ng plugins installed.

          We used the Jenkins plugin to produce dependency-check-result.xml

          pachulo Marc P added a comment -

          By the way, we just upgraded to Dependency-Check Jenkins plugin version 4.0.0 and the issue remains the same.

          sspringett Steve Springett added a comment -

          Ok thanks for the info. I'll take a look in the next few days and try to reproduce.

          sspringett Steve Springett added a comment -

          No longer relevant with v5.0.0

          sspringett Steve Springett made changes -
          Resolution: Won't Do
          Status: Open → Closed

            People

            Assignee: Steve Springett (sspringett)
            Reporter: Marc P (pachulo)
            Votes: 0
            Watchers: 2
