Jenkins / JENKINS-59869

OWASP Dependency-Check Plugin v5.2.2 declarative pipeline java not recognized

      Description

      When upgrading the Dependency Check Plugin from version 4 to 5.2.2, we found the following problem.

      We are using declarative pipeline scripts to run the Dependency Check Plugin. Formerly with version 4 we could use this setup for running the dependency check.

       

      pipeline {
          agent {
              label 'master'
          }
          environment {
              JAVA_HOME = tool 'jdk-11.0.1'
              mvnHome = tool 'apache-maven-3.6.0'
              PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
          }
          stages {
              stage('Build sources') {
                  steps {
                      bat 'mvn clean verify -DskipTests'
                  }
              }
              stage('Analyze dependencies') {
                  steps {
                      dependencyCheckAnalyzer(outdir: 'Dependency-Check',
                              suppressionFile: 'owasp-suppressions.xml',
                              scanpath: '',
                              datadir: '',
                              hintsFile: '',
                              zipExtensions: '',
                              isAutoupdateDisabled: true,
                              skipOnScmChange: false,
                              skipOnUpstreamChange: false,
                              includeHtmlReports: true,
                              includeVulnReports: true,
                              includeJsonReports: false,
                              includeCsvReports: false)
                  }
              }
          }
      }

      This would run fine and reports were generated. So now with version 5.2.2 we have adjusted our pipeline script to be compliant with the new plugin.

       

      pipeline {
          agent {
              label 'master'
          }
          environment {
              JAVA_HOME = tool 'jdk-11.0.1'
              mvnHome = tool 'apache-maven-3.6.0'
              PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
          }
          stages {
              stage('Build sources') {
                  steps {
                      bat 'mvn clean verify -DskipTests'
                  }
              }
              stage('Analyze dependencies') {
                  steps {
                      dependencyCheck(additionalArguments: '''
                          -d D:/OWASP/dependency-check-data
                          --noupdate
                          --suppression backend/owasp-suppressions.xml
                          -o Dependency-Check''',
                          odcInstallation: 'dependency-check-5.2.2')
                  }
              }
          }
      }
      

      When we run the pipeline with the script mentioned above, we get the following error.
      [DependencyCheck] 'java' is not recognized as an internal or external command,
      [DependencyCheck] operable program or batch file.
      Which makes us suspect that the environment variables aren't passed properly.

       

          Activity

          sspringett Steve Springett added a comment -

          The Jenkins plugin simply calls dependency-check.bat (or .sh). Nothing more. The error contains everything you need to fix it. It's likely a path issue in that java is not in the path. Take a look at bin/dependency-check.bat and see what the script is trying to do.

          terryvdgriend Terry van der Griend added a comment -

          Hi Steve,

          I have added some echo statements in the Jenkinsfile, the mvn.bat and the dependency-check.bat to show the variables on the path.

          This is the outcome of the Jenkinsfile echo statement.

          D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\
          

          This is the outcome of the mvn.bat echo statement.

          D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;D:\Tools\Java\jdk-11.0.1/bin;D:\tools\apache-maven-3.6.0/bin;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\
          

          This is the outcome of the dependency-check.bat echo statement.

          C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;D:\Tools\apache-maven-3.2.5\bin;D:\Tools\gradle-2.7\bin;D:\tools\Git\cmd;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;D:\Tools\nuget;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;D:\Tools\curl-7.54.0\bin;D:\Tools\NUnit\bin;d:\Tools\docker;D:\Tools\FirefoxPortable;C:\Program Files\Taurus\bin;C:\Program Files\dotnet\
          

          It seems that the dependency check plugin doesn't provide the environment variables, which are added in the Jenkinsfile, to the dependency-check.bat.

          sspringett Steve Springett added a comment -

          Not sure. The environment is being passed to the launcher which executes the CLI.

           

          https://github.com/jenkinsci/dependency-check-plugin/blob/master/src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckToolBuilder.java#L151

           

          Jenkins bug perhaps? Not sure.

          ilittel Iwan Littel added a comment -

          Same problem here. We use multiple Jenkins slaves for our projects, where each one may have a different JAVA_HOME definition. So far we didn't have any issues with other plugins (e.g. jacoco) in our pipeline builds.

          For the time being, we created a separate non-pipeline build job dedicated to running Dependency-Check. This isn't ideal however since we need to remember to check it regularly.

           

           

          tom_gl Thomas de Grenier de Latour added a comment -

          Not sure. The environment is being passed to the launcher which executes the CLI.

          Unfortunately, the environment which is passed is not the right one (in a Pipeline, it won't include contributions from build wrappers, or the environment directive of a Declarative Pipeline, etc.). See JENKINS-29144, one has to implement Step rather than SimpleBuildStep to get access to the contextual environment in a Pipeline.

          tom_gl Thomas de Grenier de Latour added a comment -

          Better late than never:

            • JENKINS-29144 has been fixed some time ago (Jenkins 2.241)
            • I've just submitted a PR to use the "new" SimpleBuildStep#perform(...) API, which solves this issue for dependencyCheck build steps: https://github.com/jenkinsci/dependency-check-plugin/pull/39
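The API difference discussed in the last two comments, as an added sketch that is not code from the Dependency-Check plugin or from PR #39: a build step that implements the `SimpleBuildStep#perform` overload taking `EnvVars` (Jenkins 2.241+) and hands that environment to the launched process. The class name `CliScanBuilder`, the `cliHome` parameter and the `--version` invocation are assumptions made for illustration.

```java
import hudson.AbortException;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ArgumentListBuilder;
import java.io.IOException;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical step for illustration; not the Dependency-Check plugin's class. */
public class CliScanBuilder extends Builder implements SimpleBuildStep {
    private final String cliHome; // assumed: install dir containing bin\dependency-check.bat

    @DataBoundConstructor
    public CliScanBuilder(String cliHome) { this.cliHome = cliHome; }

    // Overload available since Jenkins 2.241: 'env' is the contextual environment,
    // so it includes JAVA_HOME and PATH from a Declarative `environment {}` block.
    // The older overload has no EnvVars parameter (see JENKINS-29144 in the thread).
    @Override
    public void perform(Run<?, ?> run, FilePath workspace, EnvVars env,
                        Launcher launcher, TaskListener listener)
            throws InterruptedException, IOException {
        ArgumentListBuilder cmd = new ArgumentListBuilder(
                "cmd.exe", "/c", cliHome + "\\bin\\dependency-check.bat", "--version");
        int rc = launcher.launch()
                .cmds(cmd)
                .envs(env)          // contextual environment goes to the child process
                .pwd(workspace)
                .stdout(listener)
                .join();
        if (rc != 0) {
            // Fail the build: a scanner that never started must not look like a clean scan.
            throw new AbortException("dependency-check CLI exited with code " + rc);
        }
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}
```
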

            People

            Assignee: Unassigned
            Reporter: terryvdgriend Terry van der Griend
            Votes: 2
            Watchers: 5