Posted to builds@apache.org by Lukasz Lenart <lu...@apache.org> on 2017/10/13 12:43:38 UTC
OWASP Dependency Check
Hi,
Is anyone using this plugin and running it in a Jenkins job?
https://www.owasp.org/index.php/OWASP_Dependency_Check
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: OWASP Dependency Check
Posted by Lukasz Lenart <lu...@apache.org>.
2017-10-18 17:57 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
>> Do you fail a build when the plugin finds something?
>
> Yes:
>
> <plugin>
>   <groupId>org.owasp</groupId>
>   <artifactId>dependency-check-maven</artifactId>
>   <version>2.1.0</version>
>   <configuration>
>     <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
>   </configuration>
>   <executions>
>     <execution>
>       <goals>
>         <goal>check</goal>
>       </goals>
>     </execution>
>   </executions>
> </plugin>
Great, thanks! I have decided to use
<failBuildOnCVSS>8</failBuildOnCVSS> to start with something :)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
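As an added example (not code from this thread, and not part of the dependency-check project), here is a small Python gate that applies the same CVSS-threshold policy discussed above to a scan report outside Maven, the kind of step a Jenkins job could run after the plugin has written its report. The report structure and field names (dependencies, fileName, vulnerabilities, name, cvssScore), the sample entries, and the inclusive "score >= threshold" comparison are assumptions; confirm them against the report your plugin version actually writes. Unlike the plugin's single knob, it also carries an explicit allow-list of reviewed findings and fails closed on findings that have no score yet.

```python
"""Gate a CI build on a dependency scan report using a CVSS threshold."""

# Constructed sample report (not a real scan). Its shape is a simplified
# stand-in for the dependency-check JSON report; the field names used here
# are assumptions and must be checked against the report your version writes.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "libexample-core-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "cvssScore": 9.8},
             {"name": "CVE-EXAMPLE-0002", "cvssScore": 5.3},
         ]},
        {"fileName": "libexample-util-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "cvssScore": 8.0},
         ]},
        {"fileName": "libexample-web-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0004"},   # no score published yet
         ]},
        {"fileName": "clean-1.0.jar"},       # no findings at all
    ]
}


def findings(report):
    """Flatten the report into (fileName, vulnerabilityName, score) tuples.

    score is a float, or None when the report carries no CVSS score.
    """
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln.get("cvssScore")
            out.append((dep.get("fileName", "?"),
                        vuln.get("name", "?"),
                        float(score) if score is not None else None))
    return out


def gate(report, fail_on_cvss=8.0, suppressed=(), unknown_fails=True):
    """Return the findings that should fail the build.

    Mirrors a failBuildOnCVSS-style policy: a finding fails when its score is
    at or above the threshold (assumed inclusive). `suppressed` is an explicit
    allow-list of vulnerability names that have been reviewed and accepted;
    they never fail the build. A finding with no score is failed by default
    (fail closed): "unscored" is not the same as "safe".
    """
    failing = []
    for file_name, name, score in findings(report):
        if name in suppressed:
            continue
        if score is None:
            if unknown_fails:
                failing.append((file_name, name, score))
            continue
        if score >= fail_on_cvss:
            failing.append((file_name, name, score))
    return failing


def build_status(report, **policy):
    """Exit status for a CI shell step: 0 = pass, 1 = fail."""
    return 1 if gate(report, **policy) else 0


if __name__ == "__main__":
    for file_name, name, score in gate(SAMPLE_REPORT):
        print("FAIL %s %s cvss=%s" % (file_name, name, score))
    raise SystemExit(build_status(SAMPLE_REPORT))
```

To use it in a job, have the plugin write a machine-readable report (the plugin's `format` parameter; which formats a given version supports varies), load that file with `json.load`, and call `build_status` on it. Keeping the allow-list in the repository next to the pom makes each accepted finding a reviewable commit rather than a silent threshold change.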
Re: OWASP Dependency Check
Posted by Tilman Hausherr <TH...@t-online.de>.
On 18.10.2017 at 15:32, Lukasz Lenart wrote:
> 2017-10-13 17:46 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
>> We use it for PDFBox in all builds as a maven plugin. The current version
>> 2.1.1 is over-sensitive compared to 2.1.0. The developer told me that this
>> will be fixed in 3.0.
> Do you fail a build when the plugin finds something?
Yes:
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>2.1.0</version>
  <configuration>
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
Tilman
Re: OWASP Dependency Check
Posted by Lukasz Lenart <lu...@apache.org>.
2017-10-13 17:46 GMT+02:00 Tilman Hausherr <TH...@t-online.de>:
> We use it for PDFBox in all builds as a maven plugin. The current version
> 2.1.1 is over-sensitive compared to 2.1.0. The developer told me that this
> will be fixed in 3.0.
Do you fail a build when the plugin finds something?
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: OWASP Dependency Check
Posted by Tilman Hausherr <TH...@t-online.de>.
On 13.10.2017 at 14:43, Lukasz Lenart wrote:
> Hi,
>
> Is anyone using this plugin and running it in a Jenkins job?
> https://www.owasp.org/index.php/OWASP_Dependency_Check
>
>
> Regards
We use it for PDFBox in all builds as a maven plugin. The current
version 2.1.1 is over-sensitive compared to 2.1.0. The developer told me
that this will be fixed in 3.0.
Tilman
Re: OWASP Dependency Check
Posted by Marshall Schor <ms...@schor.com>.
As an experiment, I added a profile (not normally run) to run this on one of our
builds, just to see what it would produce.
It seemed to work OK.
Not currently running this in Jenkins.
-Marshall Schor
On 10/13/2017 8:43 AM, Lukasz Lenart wrote:
> Hi,
>
> Is anyone using this plugin and running it in a Jenkins job?
> https://www.owasp.org/index.php/OWASP_Dependency_Check
>
>
> Regards