Posted to builds@apache.org by Lukasz Lenart <lu...@apache.org> on 2017/10/13 12:43:38 UTC

OWASP Dependency Check

Hi,

Is anyone using this plugin, and does anyone have a Jenkins job running it?
https://www.owasp.org/index.php/OWASP_Dependency_Check


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Re: OWASP Dependency Check

Posted by Lukasz Lenart <lu...@apache.org>.
2017-10-18 17:57 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
>> Do you fail a build when the plugin finds something?
>
> Yes:
>
> <plugin>
>     <groupId>org.owasp</groupId>
>     <artifactId>dependency-check-maven</artifactId>
>     <version>2.1.0</version>
>     <configuration>
>         <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
>     </configuration>
>     <executions>
>         <execution>
>             <goals>
>                 <goal>check</goal>
>             </goals>
>         </execution>
>     </executions>
> </plugin>

Great, thanks! I have decided to use
<failBuildOnCVSS>8</failBuildOnCVSS> to start with something :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
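As an added example (not code posted in this thread), here is the same plugin block with the CVSS threshold approach mentioned above instead of failing on any finding. It uses the dependency-check-maven parameters failBuildOnCVSS, suppressionFile and format; the threshold of 8 is the value chosen in the thread, the suppression file path and the plugin version are assumed placeholders.

```xml
<!-- Added example: fail the build only for findings at or above CVSS 8,
     and keep reviewed false positives in a versioned suppression file.
     Version and suppression file path are placeholders, not values from the thread. -->
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>X.Y.Z</version>
    <configuration>
        <!-- threshold instead of failBuildOnAnyVulnerability: lower-severity
             findings still appear in the report but do not break the build -->
        <failBuildOnCVSS>8</failBuildOnCVSS>
        <!-- reviewed false positives, kept under version control so the
             reason for each suppression is visible in code review -->
        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        <!-- HTML for humans, XML/JSON for a Jenkins plugin or script to consume -->
        <format>ALL</format>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```

Starting with a threshold and lowering it over time is a common way to adopt the scanner without the first run blocking every job; the suppression file keeps the accepted findings auditable rather than silently raising the threshold.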

Re: OWASP Dependency Check

Posted by Tilman Hausherr <TH...@t-online.de>.
On 18.10.2017 at 15:32, Lukasz Lenart wrote:
> 2017-10-13 17:46 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
>> We use it for PDFBox in all builds as a maven plugin. The current version
>> 2.1.1 is over-sensitive compared to 2.1.0. The developer told me that this
>> will be fixed in 3.0.
> Do you fail a build when the plugin finds something?

Yes:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>2.1.0</version>
    <configuration>
        <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Tilman


Re: OWASP Dependency Check

Posted by Lukasz Lenart <lu...@apache.org>.
2017-10-13 17:46 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
> We use it for PDFBox in all builds as a maven plugin. The current version
> 2.1.1 is over-sensitive compared to 2.1.0. The developer told me that this
> will be fixed in 3.0.

Do you fail a build when the plugin finds something?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Re: OWASP Dependency Check

Posted by Tilman Hausherr <TH...@t-online.de>.
On 13.10.2017 at 14:43, Lukasz Lenart wrote:
> Hi,
>
> Is anyone using this plugin, and does anyone have a Jenkins job running it?
> https://www.owasp.org/index.php/OWASP_Dependency_Check
>
>
> Regards


We use it for PDFBox in all builds as a maven plugin. The current 
version 2.1.1 is over-sensitive compared to 2.1.0. The developer told me 
that this will be fixed in 3.0.

Tilman


Re: OWASP Dependency Check

Posted by Marshall Schor <ms...@schor.com>.
As an experiment, I added a profile (not normally run) to run this on one of our
builds, just to see what it would produce.

It seemed to work OK.

Not currently running this in Jenkins.

-Marshall Schor

On 10/13/2017 8:43 AM, Lukasz Lenart wrote:
> Hi,
>
> Is anyone using this plugin, and does anyone have a Jenkins job running it?
> https://www.owasp.org/index.php/OWASP_Dependency_Check
>
>
> Regards