I updated the OWASP Dependency-Check plugin from version 1.3.1.2 to version 1.3.3 last week. Since the update, the plugin ignores the suppressions which I have defined in the suppressions file. Note that, unlike in JENKINS-30023, it seems to find the suppressions file correctly, at least as far as I can tell from the logfile:
...
BUILD SUCCESSFUL
Total time: 35 minutes 42 seconds
[DependencyCheck] OWASP Dependency-Check Plugin v1.3.3
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck] -name = Trunk_BuildInstaller
[DependencyCheck] -scanPath = C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PFiles
[DependencyCheck] -scanPath = C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PData
[DependencyCheck] -outputDirectory = C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\test-reports\owasp
[DependencyCheck] -dataDirectory = /owasp-dependency-check-data
[DependencyCheck] -verboseLogFile = C:\Jenkins\workspace\Trunk_BuildInstaller\dependency-check.log
[DependencyCheck] -suppressionFile = C:\Jenkins\workspace\Trunk_BuildInstaller\TE\source\OWASP-Dependency-Check-Suppression.xml
[DependencyCheck] -zipExtensions = war,zip
[DependencyCheck] -dataMirroringType = none
[DependencyCheck] -isQuickQueryTimestampEnabled = true
[DependencyCheck] -useMavenArtifactsScanPath = false
[DependencyCheck] -jarAnalyzerEnabled = true
[DependencyCheck] -nodeJsAnalyzerEnabled = true
[DependencyCheck] -composerLockAnalyzerEnabled = true
[DependencyCheck] -pythonAnalyzerEnabled = true
[DependencyCheck] -rubyGemAnalyzerEnabled = true
[DependencyCheck] -archiveAnalyzerEnabled = true
[DependencyCheck] -assemblyAnalyzerEnabled = true
[DependencyCheck] -centralAnalyzerEnabled = true
[DependencyCheck] -nuspecAnalyzerEnabled = true
[DependencyCheck] -nexusAnalyzerEnabled = false
[DependencyCheck] -autoconfAnalyzerEnabled = true
[DependencyCheck] -cmakeAnalyzerEnabled = true
[DependencyCheck] -opensslAnalyzerEnabled = true
[DependencyCheck] -showEvidence = true
[DependencyCheck] -format = ALL
[DependencyCheck] -autoUpdate = true
[DependencyCheck] -updateOnly = false
[DependencyCheck] Scanning: C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PFiles
[DependencyCheck] Scanning: C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PData
[DependencyCheck] Analyzing Dependencies
[FINDBUGS] Collecting findbugs analysis files...
...
[FINDBUGS] Plug-in Result: Success - no threshold has been exceeded
[DependencyCheck] Collecting Dependency-Check analysis files...
[DependencyCheck] Finding all files that match the pattern TE/antbuild/test-reports/owasp/dependency-check-report.xml
[DependencyCheck] Parsing 1 file in C:\Jenkins\workspace\Trunk_BuildInstaller
[DependencyCheck] Successfully parsed file C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\test-reports\owasp\dependency-check-report.xml with 32 unique warnings and 0 duplicates.
[DependencyCheck] Computing warning deltas based on reference build #2688
....
Notice that I did not change anything in the configuration. It worked with 1.3.1.2 but does not with 1.3.3. Any idea?
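The log above shows the suppression file being picked up, yet 32 warnings are still reported. One way to check the file against the report, rather than trusting the plugin's log line, is to cross-reference dependency-check-report.xml with the suppression rules and list both the findings no rule covers and the rules that cover nothing (typically a stale path or hash after a workspace or version change). The following Python script is an added example, not code from the original post or from the Dependency-Check project. Its matching rules are a simplified approximation of the tool's and are an assumption (sha1 exact, filePath literal or full-string regex, cve exact, cpe prefix match), and the two embedded XML documents are constructed samples with placeholder CVE ids, hashes and library names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample report, trimmed to the elements the check reads; CVE ids,
# hashes and library names are placeholders, not real findings.
SAMPLE_REPORT = r"""<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<dependencies>
 <dependency>
  <fileName>example-lib-1.0.jar</fileName>
  <filePath>C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PFiles\lib\example-lib-1.0.jar</filePath>
  <sha1>1111111111111111111111111111111111111111</sha1>
  <identifiers><identifier type="cpe"><name>cpe:/a:example:example_lib:1.0</name></identifier></identifiers>
  <vulnerabilities><vulnerability><name>CVE-2000-0001</name></vulnerability>
                   <vulnerability><name>CVE-2000-0002</name></vulnerability></vulnerabilities>
 </dependency>
 <dependency>
  <fileName>other-lib-2.3.jar</fileName>
  <filePath>C:\Jenkins\workspace\Trunk_BuildInstaller\TE\antbuild\PData\other-lib-2.3.jar</filePath>
  <sha1>2222222222222222222222222222222222222222</sha1>
  <identifiers><identifier type="cpe"><name>cpe:/a:example:other_lib:2.3</name></identifier></identifiers>
  <vulnerabilities><vulnerability><name>CVE-2000-0003</name></vulnerability></vulnerabilities>
 </dependency>
</dependencies>
</analysis>"""

# Constructed suppression file: rule 0 should silence CVE-2000-0001 on example-lib;
# rule 1 keys on a sha1 that is no longer in the report (a stale rule).
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
 <suppress>
  <notes>reviewed, not reachable in our deployment</notes>
  <filePath regex="true">.*example-lib-1\.0\.jar</filePath>
  <cve>CVE-2000-0001</cve>
 </suppress>
 <suppress>
  <notes>old build of other-lib</notes>
  <sha1>9999999999999999999999999999999999999999</sha1>
  <cve>CVE-2000-0003</cve>
 </suppress>
</suppressions>"""


def _local(tag):
    # Drop the namespace so one parser serves any schema version of either file.
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def parse_report(xml_text):
    """One dict per <dependency>: file name, path, sha1, CPE identifiers, CVE names."""
    deps = []
    for dep in (d for d in ET.fromstring(xml_text).iter() if _local(d.tag) == "dependency"):
        deps.append({
            "fileName": _text(dep, "fileName"), "filePath": _text(dep, "filePath"),
            "sha1": _text(dep, "sha1").lower(),
            "cpes": [_text(i, "name") for ids in _kids(dep, "identifiers")
                     for i in _kids(ids, "identifier") if i.get("type") == "cpe"],
            "cves": [_text(v, "name") for vs in _kids(dep, "vulnerabilities")
                     for v in _kids(vs, "vulnerability")]})
    return deps


def parse_suppressions(xml_text):
    """One dict per <suppress>: selector (sha1 or filePath) and the cve/cpe entries it covers."""
    rules = []
    for sup in _kids(ET.fromstring(xml_text), "suppress"):
        fp = _kids(sup, "filePath")
        rules.append({"notes": _text(sup, "notes"), "sha1": _text(sup, "sha1").lower(),
                      "filePath": _text(sup, "filePath"),
                      "regex": bool(fp) and fp[0].get("regex", "false").lower() == "true",
                      "cves": [(c.text or "").strip() for c in _kids(sup, "cve")],
                      "cpes": [(c.text or "").strip() for c in _kids(sup, "cpe")]})
    return rules


def rule_suppresses(rule, dep, cve):
    """Simplified matching (assumption, not the tool's exact logic): a rule selects a
    dependency by exact sha1, or by filePath (literal, or full-string regex when
    regex="true"); with no selector it applies everywhere. It then covers an exact
    <cve>, or any finding on a dependency whose CPE starts with a <cpe> entry."""
    if rule["sha1"]:
        selected = rule["sha1"] == dep["sha1"]
    elif rule["filePath"]:
        selected = (re.fullmatch(rule["filePath"], dep["filePath"]) is not None
                    if rule["regex"] else rule["filePath"] == dep["filePath"])
    else:
        selected = True
    return selected and (cve in rule["cves"] or
                         any(c.startswith(p) for p in rule["cpes"] for c in dep["cpes"]))


def audit(report_xml, suppression_xml):
    """Return (findings no rule covers, indices of rules that cover nothing)."""
    deps, rules = parse_report(report_xml), parse_suppressions(suppression_xml)
    used, unsuppressed = set(), []
    for dep in deps:
        for cve in dep["cves"]:
            hits = {i for i, r in enumerate(rules) if rule_suppresses(r, dep, cve)}
            used |= hits
            if not hits:
                unsuppressed.append((dep["fileName"], cve))
    return unsuppressed, [i for i in range(len(rules)) if i not in used]
```

To use it on a real build, read the plugin's dependency-check-report.xml and the suppression file from the paths in the log and pass their contents to audit(). When the plugin appears to ignore suppressions, a rule reported as matching nothing is the first thing to look at: a filePath or sha1 written for one workspace layout or library version stops selecting anything once the path or the artifact changes, and the finding then reappears even though the file itself is found and parsed.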