JENKINS-58660

Errors running OWASP Dependency-Check plugin cause non-obvious failures of the build


      Description

      If any errors occur in the Dependency-Check plugin (i.e. the CLI tool exits with a non-zero return code) then the Jenkins build result is set to failure, as per this code https://github.com/jenkinsci/dependency-check-plugin/blob/master/src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckToolBuilder.java#L157

      final boolean success = (exitCode == 0);
      build.setResult(success ? Result.SUCCESS : Result.FAILURE); 

      I have two concerns with this.

      1. When this happens, it is far from obvious that the reason for the build failure is the Dependency-Check plugin.  The build may well continue and do many more stages, so parsing build output to determine the root cause is much more onerous than it needs to be.
      2. I believe it ought to be possible to configure (through plugin invocation parameters) the effect on the build of any errors running the plugin.  For example, it may be more appropriate to make the build UNSTABLE, or even not to affect the result at all (depending on the exact use case and convention).  Given that Jenkins doesn't allow you to "improve" the build status after it's already been set to a given level (in this case FAILURE) then no workaround is possible (except to reinvent the wheel by downloading and running the CLI in a customised manner).
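As an added example (not part of this issue, and not the plugin's own code), the following declarative Jenkinsfile shows the workaround the description calls "reinventing the wheel": run the Dependency-Check CLI yourself with `returnStatus: true` so that a non-zero exit code reaches the pipeline instead of the plugin's hard-coded `setResult(FAILURE)`, then map that exit code to a result chosen per job. The parameter name `DC_ON_ERROR` and the assumption that `dependency-check.sh` is on the agent's `PATH` are hypothetical; the CLI flags used (`--project`, `--scan`, `--format`, `--out`) are real ones, and nothing is assumed about exit codes beyond "non-zero means the CLI did not complete cleanly".

```groovy
// Added example, not code from JENKINS-58660 or the dependency-check-plugin.
// Assumptions (hypothetical): dependency-check.sh is on the agent's PATH, and
// the job exposes a choice parameter DC_ON_ERROR selecting what a CLI error does.
pipeline {
    agent any
    parameters {
        choice(name: 'DC_ON_ERROR',
               choices: ['UNSTABLE', 'FAILURE', 'IGNORE'],
               description: 'Build result to apply when the Dependency-Check CLI exits non-zero')
    }
    stages {
        stage('Dependency-Check') {
            steps {
                script {
                    // returnStatus: true stops a non-zero exit from aborting the
                    // stage, so the pipeline, not the plugin, decides the result.
                    int rc = sh(
                        script: 'dependency-check.sh --project "${JOB_NAME}" --scan . ' +
                                '--format XML --out dependency-check-report.xml',
                        returnStatus: true
                    )
                    if (rc != 0) {
                        // Name the culprit in the log, which is exactly what the
                        // plugin's silent Result.FAILURE does not do.
                        String msg = "Dependency-Check CLI exited with code ${rc}; " +
                                     "look for [DependencyCheck] [ERROR] lines above"
                        switch (params.DC_ON_ERROR) {
                            case 'FAILURE':
                                error(msg)               // fails build AND stage, reason in log
                                break
                            case 'UNSTABLE':
                                unstable(message: msg)   // build and stage UNSTABLE; later stages still run
                                break
                            default:
                                echo "Ignoring Dependency-Check error: ${msg}"
                        }
                    }
                }
            }
        }
        stage('Later stages') {
            steps {
                echo 'Runs when DC_ON_ERROR is UNSTABLE or IGNORE; skipped after error()'
            }
        }
    }
}
```

Because the build result is only ever set by `error` or `unstable` here, the "cannot improve a result once set" rule from the description never bites: nothing sets FAILURE before the pipeline has chosen what to do. If the CLI is disabling analyzers the project does not need (the Yarn case in the comments below), the corresponding `--disable...` flag can be added to the `sh` command line, but that is independent of the result-mapping shown here.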

          Activity

          randomvoids Kyle L added a comment -

          This also causes an issue when using this plugin with pipelines: the build will fail but the stage will not, and it will not show anywhere in the build logs why.

          bytemaster Boris Folgmann added a comment -

          I suffer from the same problem using Jenkins 2.289.2 LTS with OWASP Dependency-Check Plugin (dependency-check-jenkins-plugin) 5.1.1.

          The plugin should not set the build result in any case. The pipeline developer should have the choice to decide on his own, e.g. depending on the number and severity of found issues. In my case, most of the time the plugin marks the build as failed just because an internal scanner could not run, e.g.:

          [DependencyCheck] [WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.
          [DependencyCheck] [ERROR] Exception occurred initializing Yarn Audit Analyzer.
          [DependencyCheck] [ERROR] Unable to read yarn audit output.

          Fun fact: yarn is not even used in this project. I guess it could be fixed by adding --disableYarnAudit, but this is not the point. It happens again and again due to varying reasons.


            People

            Assignee: Unassigned
            Reporter: oliverlockwood Oliver Lockwood
            Votes: 5
            Watchers: 6