Dependencies Check with Jenkins
OWASP Dependency-Check Plugin was recently updated from version 4.x to version 5.x, introducing breaking changes for our Jenkins pipelines.
After upgrading the plugin, create a new Dependency-Check installation in the Global Tool Configuration of your Jenkins instance:
We have a Jenkins job running every day whose sole purpose is to update the NVD database.
As it was not a pipeline job we had to reconfigure it from the UI.
Next we had to change all our pipeline scripts for checking and publishing the results of dependency checks:
- Checking
Changed from
dependencyCheckAnalyzer datadir: '/home/jenkins/security/owasp-nvd/', hintsFile: '', includeCsvReports: false, includeHtmlReports: true, includeJsonReports: true, includeVulnReports: true, isAutoupdateDisabled: true, outdir: 'build/owasp', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''
to
sh('mkdir -p build/owasp')
dependencycheck additionalArguments: '--project plastinforme --scan ./ --data /home/jenkins/security/owasp-nvd/ --out build/owasp/dependency-check-report.xml --format XML', odcInstallation: 'Dependency Checker'
- Publishing results
Changed from
dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: 'build/owasp/dependency-check-report.xml', unHealthy: ''
to
dependencyCheckPublisher pattern: 'build/owasp/dependency-check-report.xml'
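A complete declarative Jenkinsfile wiring the two new steps together, added here as an example and not code from the original post. It reuses the data directory, project name and tool name from the post; the publisher threshold parameters (failedTotalCritical, unstableTotalHigh) and the dependency-check CLI flags --noupdate and --updateonly are assumptions about the 5.x plugin and CLI.

```groovy
// Added example Jenkinsfile (not from the original post).
// Assumed: the 5.x publisher's failedTotalCritical/unstableTotalHigh
// parameters and the dependency-check CLI flags --noupdate / --updateonly.
pipeline {
    agent any
    environment {
        // NVD data directory shared with the daily update job (path from the post)
        ODC_DATA = '/home/jenkins/security/owasp-nvd/'
    }
    stages {
        stage('Dependency check') {
            steps {
                // The 5.x step does not create the output directory for us
                sh 'mkdir -p build/owasp'
                // --noupdate is the CLI equivalent of the old isAutoupdateDisabled: true;
                // without it every build would try to refresh the NVD data itself
                // instead of relying on the daily update job.
                dependencycheck additionalArguments: "--project plastinforme --scan ./ --data ${env.ODC_DATA} --noupdate --out build/owasp/dependency-check-report.xml --format XML",
                    odcInstallation: 'Dependency Checker'
            }
            post {
                always {
                    // Publish even when the scan step fails, so the report is kept.
                    // Thresholds (assumed parameters): one critical finding fails the
                    // build, one high finding marks it unstable.
                    dependencyCheckPublisher pattern: 'build/owasp/dependency-check-report.xml',
                        failedTotalCritical: 1,
                        unstableTotalHigh: 1
                }
            }
        }
    }
}

// The daily NVD-refresh job from the post, rewritten as a single pipeline step
// (assumed; it only downloads data and scans nothing):
// dependencycheck additionalArguments: "--updateonly --data ${env.ODC_DATA}", odcInstallation: 'Dependency Checker'
```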