- Bug
- Resolution: Fixed
- Major
- None
- Windows 2012 Server, Jenkins 2.190.1, Maven 3.6.0, JDK 11.0.1
When upgrading the Dependency Check Plugin from version 4 to 5.2.2, we found the following problem.
We are using declarative pipeline scripts to run the Dependency Check Plugin. Formerly with version 4 we could use this setup for running the dependency check.

    pipeline {
        agent { label 'master' }
        environment {
            // Put the selected JDK and Maven on PATH for the steps below
            JAVA_HOME = tool 'jdk-11.0.1'
            mvnHome = tool 'apache-maven-3.6.0'
            PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
        }
        stages {
            stage('Build sources') {
                steps {
                    bat 'mvn clean verify -DskipTests'
                }
            }
            stage('Analyze dependencies') {
                steps {
                    dependencyCheckAnalyzer(outdir: 'Dependency-Check',
                        suppressionFile: 'owasp-suppressions.xml',
                        scanpath: '', datadir: '', hintsFile: '', zipExtensions: '',
                        isAutoupdateDisabled: true,
                        skipOnScmChange: false, skipOnUpstreamChange: false,
                        includeHtmlReports: true, includeVulnReports: true,
                        includeJsonReports: false, includeCsvReports: false)
                }
            }
        }
    }

This would run fine and reports were generated. So now with version 5.2.2 we have adjusted our pipeline script to be compliant with the new plugin.

    pipeline {
        agent { label 'master' }
        environment {
            JAVA_HOME = tool 'jdk-11.0.1'
            mvnHome = tool 'apache-maven-3.6.0'
            PATH = "${JAVA_HOME}\\bin;${mvnHome}\\bin;${env.PATH}"
        }
        stages {
            stage('Build sources') {
                steps {
                    bat 'mvn clean verify -DskipTests'
                }
            }
            stage('Analyze dependencies') {
                steps {
                    dependencyCheck(additionalArguments: ''' -d D:/OWASP/dependency-check-data --noupdate --suppression backend/owasp-suppressions.xml -o Dependency-Check''',
                        odcInstallation: 'dependency-check-5.2.2')
                }
            }
        }
    }

When we run the pipeline with the script mentioned above, we get the following error.
[DependencyCheck] 'java' is not recognized as an internal or external command,
[DependencyCheck] operable program or batch file.
Which makes us suspect that the environment variables aren't passed properly.