Re: OWASP Dependency-Check Plugin Configuration as Code

2020-04-07 Thread Surjit Bains
Here's a snippet from the end of our working JCasC yaml, we define it as a
global tool also...

tool:
  dependency-check:
    installations:
    - name: "5.3.2"
      properties:
      - installSource:
          installers:
          - dependencyCheckInstaller:
              id: "5.3.2"
  git:
    installations:
    - home: "git"
      name: "Default"


Be sure to include the plugin OWASP Dependency-Check Plugin
<https://plugins.jenkins.io/dependency-check-jenkins-plugin> 5.1.1

regards

Surj

On Tue, 7 Apr 2020 at 18:42, RAJENDRA PRASAD 
wrote:

> What build tool are you using in the project? If you are using Maven or
> Gradle, it is pretty simple to configure the dependency plugin as code.
> Add that plugin, then those plugins will add additional tasks; run those
> tasks using the build tool...
> You can trigger the tasks from a shell prompt inside the job.
>
> *Thanks and Regards, Rajendra Prasad Reddy Penumalli*
>
>
> On Tue, 7 Apr 2020 at 21:42, Jonerc  wrote:
>
>> Hi,
>>
>> I have been searching without success for any examples of configuring the
>> dependency-check plugin global tools settings via code.
>>
>> The requirement is fairly simple: add Dependency-Check Installation
>> details in the Global Tools settings (which comprise 3 values: name,
>> version and whether to install automatically).
>>
>> We normally have bits of groovy to configure the various plugins we use
>> (and normally have to go searching through source code test to work out how
>> to do it), but for this particular one we are struggling.
>>
>> Any help much appreciated.
>>
>> Thanks.
>>


-- 
Surjit Bains
e: surjit.ba...@gmail.com
m: 07966 161 302

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/CAMy1pK6s0NsG%3DYWeY0NKB6JX2jHnqrbu19EFr%3Dd2ZjxtZ4XGvw%40mail.gmail.com.


Re: OWASP Dependency-Check Plugin Configuration as Code

2020-04-07 Thread RAJENDRA PRASAD
What build tool are you using in the project? If you are using Maven or Gradle,
it is pretty simple to configure the dependency plugin as code.
Add that plugin, then those plugins will add additional tasks; run those
tasks using the build tool...
You can trigger the tasks from a shell prompt inside the job.

*Thanks and Regards, Rajendra Prasad Reddy Penumalli*


On Tue, 7 Apr 2020 at 21:42, Jonerc  wrote:

> Hi,
>
> I have been searching without success for any examples of configuring the
> dependency-check plugin global tools settings via code.
>
> The requirement is fairly simple: add Dependency-Check Installation
> details in the Global Tools settings (which comprise 3 values: name,
> version and whether to install automatically).
>
> We normally have bits of groovy to configure the various plugins we use
> (and normally have to go searching through source code test to work out how
> to do it), but for this particular one we are struggling.
>
> Any help much appreciated.
>
> Thanks.
>


OWASP Dependency-Check Plugin Configuration as Code

2020-04-07 Thread Jonerc
Hi,

I have been searching without success for any examples of configuring the 
dependency-check plugin global tools settings via code.

The requirement is fairly simple: add Dependency-Check Installation
details in the Global Tools settings (which comprise 3 values: name,
version and whether to install automatically).

We normally have bits of groovy to configure the various plugins we use 
(and normally have to go searching through source code test to work out how 
to do it), but for this particular one we are struggling.

Any help much appreciated.

Thanks.



JobDSL - OWASP Dependency-Check - Thresholds

2019-10-07 Thread Nick Stolwijk
Hello,

I've tried to configure the OWASP Dependency Check with the JobDSL, but it
seems the thresholds are not picked up. It looks like the JobDSL generates
the thresholds under an element in the config.xml, while the UI saves it
under the root element of the plugin.

I've used the following JobDSL configuration:

publishers {
    dependencyCheck('target/dependency-check-report.xml') {
        thresholds(
            unstableTotal: [all: 0, high: 0, normal: 1, low: 0],
            failedTotal: [all: 0, high: 1, normal: 0, low: 0],
            unstableNew: [all: 0, high: 0, normal: 0, low: 0],
            failedNew: [all: 0, high: 0, normal: 0, low: 0]
        )
    }
}

If I generate a job with this JobDSL the config.xml comes out as follows:




low

false
false
false

0
0
1
0
0
1
0
0
0
0
0
0
0
0
0
0

false
false
true
target/dependency-check-report.xml


If I use the UI to change the configuration, it gives me the following
config.xml:


1
1
1

false
false
target/dependency-check-report.xml


Did I do something wrong or is this a bug in the plugin?

With regards,

Nick Stolwijk

~~~ Try to leave this world a little better than you found it and, when
your turn comes to die, you can die happy in feeling that at any rate you
have not wasted your time but have done your best ~~~

Lord Baden-Powell



OWASP Dependency-Check

2019-04-25 Thread mafiikaaa
Hi,

I'm trying to run the OWASP Dependency-Check Plugin but with the local
version of the NVD database. Unfortunately, when I put the database in the
folder (as gz or xml files) and give it a link to Jenkins, Jenkins still
claims that the database doesn't exist.
Does anyone know how to solve this?



Re: Howto integrate OWASP dependency check plugin in Jenkins Pipeline ?

2017-05-08 Thread childNo͡ . de
hi,

I just gave it a try on
* jenkins 1.651.2
* Jenkins OWASP Dependency-Checker 1.4.5 
<https://plugins.jenkins.io/dependency-check-jenkins-plugin>
* HTML Publisher Plugin 1.11 <https://plugins.jenkins.io/htmlpublisher>

so, first of all: The example given is valid, and working. The Jenkins OWASP
Plugin lacks support of a pipeline DSL extension, so you are forced to work
with this generic step notation.
see also 
https://github.com/jenkinsci/pipeline-plugin/blob/master/COMPATIBILITY.md

to see what you might set in the construction yard: you have to look at the 
code 
https://github.com/jenkinsci/dependency-check-plugin/blob/master/src/main/java/org/jenkinsci/plugins/DependencyCheck/DependencyCheckPublisher.java

since there is an empty constructor but a DataBoundSetter, the only perhaps 
working (optional) parameter is: pattern
step([
  $class: 'DependencyCheckPublisher',
  pattern: 'fix/path/custom-report-name.xml'
])

*UPDATE* you should have a look at 
http://jenkins.somewhatlocal.example.com/pipeline-syntax/
seems to, the plugin works with this code generator and even more settings 
are available!! Example:
step([
  $class: 'DependencyCheckPublisher',
  canComputeNew: false,
  defaultEncoding: '',
  healthy: '100',
  unHealthy: '0',
  pattern: 'fix/path/custom-report-name.xml',
  shouldDetectModules: true])


BTT
assuming you have run the dependencyCheck in your project build step
before (for me, using the gradle plugin:

while
step([$class: 'DependencyCheckPublisher'])

results in an empty report on misconfiguration


telling me in console

[DependencyCheck] Searching for all files in /var/lib/jenkins/workspace/myBuild 
that match the pattern **/dependency-check-report.xml
[DependencyCheck] No files found. Configuration error?


so, at least working fine ;)


you might save the (default) HTML report by the HTML Publisher like:

publishHTML(target: [
  reportDir   : 'build/reports',
  reportFiles : 'dependency-check-report.html',
  reportName  : 'OWASP Dependency Check',
  allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true])



to make 
step([$class: 'DependencyCheckPublisher'])
work, you need an XML output, for the gradle plugin you have to set


dependencyCheck {
    failOnError = false
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL
}


check for the relevant format options on your build site, especially the
format configuration.

Hope this helps for now ;)

~Marcel

On Tuesday, 31 January 2017 04:04:38 UTC+1, Ramanathan Muthaiah wrote:
>
> Hi ,
>
> After reading thru' OWASP dependency check plugin wiki and JIRA issues, I 
> could not find examples of simple usage of this plugin in Jenkins Pipeline 
> with the exception of this code snippet (sourced from one of the PR 
> conversations in this plugin's GH page):
>
> step([$class: 'DependencyCheckPublisher'])
>
> I would like to collect data from OWASP dependency check by scanning 
> mostly Python-ish codebase.
>
> Has anyone tried this combination i.e Jenkins Pipeline + OWASP dependency 
> check ?
>
> NOTE:
> There is not much documentation available here too, 
> https://github.com/jenkinsci/dependency-check-plugin
>
> Appreciate any pointers on this topic.
>
> /Ram
>
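
Added example, not part of any message in this thread and not the plugin's own code: the console output quoted in the reply above shows the publisher only logging "No files found. Configuration error?" when the pattern matches nothing, so a gate run from a shell step in the job can treat a missing report as a failure and apply per-severity limits itself. The element names (vulnerability, severity), the limit semantics (a count above the limit fails, an unlisted severity has limit 0), the function names and the sample report are assumptions of this example.

```python
import glob
import os
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report. The namespace is a placeholder; real reports
# carry a namespace that changes with the schema version.
SAMPLE_REPORT = """<analysis xmlns="urn:example:dependency-check">
  <dependencies>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name><severity>High</severity></vulnerability>
        <vulnerability><name>CVE-0000-0002</name><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency><fileName>clean-lib-2.0.jar</fileName></dependency>
  </dependencies>
</analysis>"""


def local(tag):
    """Drop the '{namespace}' prefix so any schema version matches."""
    return tag.rsplit("}", 1)[-1]


def count_by_severity(xml_text):
    """Count <vulnerability> elements per lower-cased <severity> value."""
    counts = Counter()
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "vulnerability":
            continue
        sev = next((c.text for c in elem if local(c.tag) == "severity"), None)
        counts[(sev or "unknown").strip().lower()] += 1
    return counts


def gate(workspace, limits, pattern="**/dependency-check-report.xml"):
    """Return (ok, reason). A workspace with no matching report fails."""
    paths = glob.glob(os.path.join(workspace, pattern), recursive=True)
    if not paths:
        return False, "no report matched " + pattern
    totals = Counter()
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            totals += count_by_severity(fh.read())
    # A severity missing from `limits` gets limit 0, so it fails closed.
    over = sorted(s for s, n in totals.items() if n > limits.get(s, 0))
    return (not over), (("over limit: " + ", ".join(over)) if over else "within limits")
```

In a job, the caller would exit non-zero when `gate()` returns `False`, so a wrong report path breaks the build instead of publishing an empty result.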



Howto integrate OWASP dependency check plugin in Jenkins Pipeline ?

2017-01-30 Thread Ramanathan Muthaiah
Hi ,

After reading thru' OWASP dependency check plugin wiki and JIRA issues, I 
could not find examples of simple usage of this plugin in Jenkins Pipeline 
with the exception of this code snippet (sourced from one of the PR 
conversations in this plugin's GH page):

step([$class: 'DependencyCheckPublisher'])

I would like to collect data from OWASP dependency check by scanning mostly 
Python-ish codebase.

Has anyone tried this combination i.e Jenkins Pipeline + OWASP dependency 
check ?

NOTE:
There is not much documentation available here too, 
https://github.com/jenkinsci/dependency-check-plugin

Appreciate any pointers on this topic.

/Ram



How to include post steps in jenkins for OWASP Dependency-Check

2016-06-01 Thread Prakhash Sivakumar
Hi all,
I'm following this tutorial
<https://blog.dominikschadow.de/2015/07/using-owasp-dependency-check-as-jenkins-plugin/>
to use OWASP Dependency-Check plugin as Jenkins plugin, I'm not clear about
adding post steps and post build steps which are mentioned in this example,
do I need to configure the OWASP Dependency-Check plugin for every job I
work with ?

it would be great if anyone could suggest me any material where I can find 
proper documentation on this integration.

Thanks



OWASP Dependency Check plugin DOA?

2014-06-26 Thread Rob Mandeville
When I am configuring a project and attempt to add a build step, one of the 
choices is Invoke OWASP Dependency-Check analysis.  When I select it, I do 
not get a new build step; nothing happens.

My stack is:
OWASP Dependency-check plugin 1.2.2
Jenkins 1.554 running as Windows service with no separate Web container
Windows 7 Pro SP1

I have not installed any OWASP software for the plugin to connect to; as it 
doesn't refer to one, I am guessing that the logic is in the plugin itself.  If 
I need to install other software, that information would be useful.

Any ideas?

Thanks in advance,

--Rob


