Due to some maintenance issues, this service has been switched in read-only mode, you can find more information about the why

and how to migrate your plugin documentation in this blogpost

Skip to end of metadata
Go to start of metadata

Plugin Information

View OWASP Dependency-Check on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

This plugin can analyze dependencies and generate trend reports for Dependency-Check, an open source utility that detects known vulnerabilities in project dependencies.

Description

Dependency-Check is an open source utility that identifies project dependencies and identifies if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10: Using Components with Known Vulnerabilities. 

The Dependency-Check Jenkins Plugin features the ability to perform a dependency analysis build and later view results post build. 

Usage

The plugin has three main components: a globally defined tool configuration, a builder, and a publisher.


Global Tool Configuration

One or more Dependency-Check versions can be installed via the Jenkins Global Tool Configuration. The installation of Dependency-Check can be performed automatically, which will download and extract the official Command-Line Interface (CLI) from Bintray, or an official distribution can be installed manually and the path to the installation referenced in the configuration.



Builder

The builder performs an analysis using one of the pre-defined Dependency-Check CLI installations. Configuration specific to Jenkins is minimal, with important aspects of the job configuration being the 'Arguments' field, which is sent directly to the CLI installation defined. 



Publisher

The publisher works independently of the tool configuration or builder and is responsible for reading dependency-check-report.xml and generating metrics, trends, findings, and optionally failing the build or putting it into a warning state based on configurable thresholds. 



When a job has the publisher configured, a trending chart will display the total number of findings grouped by severity.



The chart is interactive. Hovering over a build will display high-level severity information.



Per-build results may be viewed. Findings are displayed in an interactive table which can be sorted, searched on, and paginated through. Each findings can be expanded to reveal additional details.




Version History

Version 5.0.2 (July 12, 2019)

  • Changed the default artifact pattern to **/dependency-check-report.xml
  • Fixed issue that prevented risk gate thresholds from being evaluated when a previous build or result did not exist

Version 5.0.1 (July 8, 2019)

  • Fixed issue in publisher which prevented the saving and use of XML report patterns other than the default
  • Added check to publisher which puts build into warning state if no reports are found

Version 5.0.0 (July 7, 2019)

  • Complete rewrite ported from OWASP Dependency-Track Plugin
  • Utilizes Jenkins Global Tool Configuration and automatically installs Dependency-Check CLI if necessary
  • Multiple versions of Dependency-Check can be executed at the same time
  • Jobs can be configured to always use the latest version of Dependency-Check, or can specify exactly which version to use
  • Jenkins plugin will no longer need updating upon every Dependency-Check release. It now has an independent release schedule
  • Jobs now have full control over every configurable option
  • Publisher parses Dependency-Check XML reports generated from Dependency-Check v5.0 and higher
  • Dynamic and interactive trends and results
  • Not compatible with previous versions (refer to v5 migration wiki)

Version 4.0.2 (January 1, 2019)

  • Updated core to Dependency-Check v4.0.2

Version 4.0.1 (December 17, 2018)

  • Added support for non-proxy hosts as defined in the Jenkins proxy settings
  • Updated core to Dependency-Check v4.0.1

Version 4.0.0 (November 21, 2018)

  • Updated core to Dependency-Check v4.0.0

Version 3.3.4 (October 28, 2018)

  • Updated core to Dependency-Check v3.3.4

Version 3.3.3 (October 27, 2018) - NOT RELEASED

  • Removed support for legacy NSP analyzer
  • Added support for Node Audit analyzer
  • Updated core to Dependency-Check v3.3.3
  • Minor corrections to parser (vulnerability source) and jelly templates

Version 3.3.2 (September 16, 2018)

  • Updated core to Dependency-Check v3.3.2

Version 3.3.1 (August 6, 2018)

  • Added NuGet config analyzer
  • Updated core to Dependency-Check v3.3.1

Version 3.3.0 (July 23, 2018)

  • Added Artifactory, MSBuild Project, and Retire.js analyzers
  • Added plugin as a 'buildPlugin' for Jenkins pipeline
  • Corrected issue that may have caused the number of new and fixed issues to be reported incorrectly
  • Fixed issue with Dependency-Track publisher that failed if artifact was blank
  • Fixed internal issue with Engine closing
  • Updated core to Dependency-Check v3.3.0

Version 3.2.1 (May 28, 2018)

  • Updated core to Dependency-Check v3.2.1

Version 3.2.0 (May 21, 2018)

  • Updated core to Dependency-Check v3.2.0
  • Updated analysis-core to v1.94
  • Updated token-macro to v2.1

Version 3.1.2.1 (May 2, 2018)

  • Fixed issue that resulted in the Dependency-Track publisher failing on slave nodes
  • Enhanced online help when configuring jobs which describes permissions required in Dependency-Track
  • Relaxed URL format for Dependency-Track. Will ignore trailing slash if present.

Version 3.1.2 (April 2, 2018)

  • Updated core to Dependency-Check v3.1.2
  • Added links to CWEs in report console
  • Added additional links to CVEs in fixed and warnings tabs
  • Added option to disable Node Package Manager analyzer

Version 3.1.1 (January 28, 2018)

  • Updated core to Dependency-Check v3.1.1
  • Updated Jenkins parent to use modern pom (thanks CloudBees)
  • Updated Java version requirement to Java 8
  • Added software bill-of-material (CycloneDX and SPDX) support to Dependency-Track publisher

Version 3.1.0 (January 4, 2018)

  • Disabled Ruby Bundler Analyzer by default
  • Fixed issue that prevented publishing to Dependency-Track when project did not have a version
  • Updated core to Dependency-Check v3.1.0
  • Updated analysis-core to v1.88
  • Minor spelling and labeling changes

Version 3.0.2 (November 14, 2017)

  • Updated core to Dependency-Check v3.0.2

Version 3.0.1 (October 19, 2017)

  • Updated core to Dependency-Check v3.0.1

Version 3.0.0 (October 15, 2017)

  • Fixed serialization issue that prevented Dependency-Track Publisher from running on slave nodes
  • Removed legacy Node.js analyzer
  • Updated core to Dependency-Check v3.0.0

Version 2.1.1 (August 25, 2017)

  • Added Groovy syntax support when defining pipeline jobs
  • Fixed defect that prevented pipeline execution from properly executing on slave nodes
  • Updated core to Dependency-Check v2.1.1

Version 2.1.0 (July 23, 2017)

  • Updated core to Dependency-Check v2.1.0

Version 2.0.1.2 (July 20, 2017)

  • Fixed XSS vulnerability - SECURITY-577

Version 2.0.1.1 (July 10, 2017)

  • Fixed defect that caused NPE when the publisher step parsed Dependency-Check XML reports containing suppressions

Version 2.0.1 (July 6, 2017)

  • Updated core to Dependency-Check v2.0.1

Version 2.0.0 (July 3, 2017)

  • Updated core to Dependency-Check v2.0.0
  • Updated analysis-core to v1.86
  • Added support for Node Security Platform
  • Added Jenkins Pipeline support to all builders
  • Added finer controler over optional HTML, JSON, and CSV reports to generate
  • Added ability to publish Dependency-Check results to Dependency-Track v3
  • Enhancements to user interface
  • Fixed bug that prevented updateOnly builder from using external database
  • Fixed bug that failed to mask password when using external database

Version 1.4.5 (January 23, 2017)

  • Updated core to Dependency-Check v1.4.5
  • Updated analysis-core to v1.80
  • Minor modifications to Python configuration
  • Added support for Ruby Bundler analyzer
  • Added support for hints file
  • Fixed null pointer exception

Version 1.4.4 (November 5, 2016)

  • Updated core to Dependency-Check v1.4.4
  • Added global data directory option (with local override)
  • Fixed null pointer exception

Version 1.4.3 (September 6, 2016)

  • Updated core to Dependency-Check v1.4.3
  • Added CocoaPods analyzer support
  • Added Swift Package Manager analyzer support

Version 1.4.2 (July 31, 2016)

  • Updated core to Dependency-Check v1.4.2

Version 1.4.1 (July 31, 2016)

  • Updated core to Dependency-Check v1.4.1
  • Updated analysis-core to v1.79
  • Java 7 or higher is now a requirement - Version checking implemented
  • Corrected description in verbose logging help
  • Added XSS prevention missing on three files

Version 1.4.0 (June 16, 2016)

  • Separated out standard and experimental analyzers in global config
  • Added optional external database configuration options to global config
  • Updated core to Dependency-Check v1.4.0
  • Updated analysis-core to v1.78

Version 1.3.6 (April 10, 2016)

  • Updated core to Dependency-Check v1.3.6

Version 1.3.5 (March 5, 2016)

  • Updated core to Dependency-Check v1.3.5
  • Updated analysis-core to v1.76

Version 1.3.4 (February 1, 2016)

  • Updated core to Dependency-Check v1.3.4
  • Updated analysis-core to v1.75

Version 1.3.3 (December 11, 2015)

  • Updated core to Dependency-Check v1.3.3

Version 1.3.2 (November 29, 2015)

  • Updated core to Dependency-Check v1.3.2

Version 1.3.1.2 (November 13, 2015)

  • Fixed relative (to workspace) path resolution for suppression files

Version 1.3.1.1 (November 10, 2015)

  • Fixed regression that prevented suppression files from being honored

Version 1.3.1 (September 21, 2015)

  • Added RubyGem analyzer support
  • Added PHP Composer lock analyzer support
  • Added Node.js analyzer support
  • Added support for Jenkins Workflow plugin (thanks CloudBees)
  • Removed Javascript analyzer support
  • Updated dashboard-view plugin to 2.9.6
  • Updated analysis-core to v1.74
  • Updated core to Dependency-Check v1.3.1

Version 1.3.0 (August 5, 2015)

  • Added Autoconf analyzer support
  • Added CMake analyzer support
  • Added OpenSSL analyzer support
  • Added QuickQuery Timestamp option to global config
  • Added support for token-macro plugin
  • Added support for dashboard-view plugin
  • CVSS attributes now popup when hovering over CVSS score in details view
  • Updated analysis-core to v1.72
  • Updated core to Dependency-Check v1.3.0
  • Bug fixes

Version 1.2.11.1 (June 10, 2015)

  • Fixed defect introduced in 1.2.11 that prevented execution on slave nodes

Version 1.2.11 (May 12, 2015)

  • Added Python analyzer support
  • Added new builder (build step) that can perform an NVD update only
  • Updated analysis-core to v1.71
  • Updated core to Dependency-Check v1.2.11
  • Minor refactoring to minimize DRY

Version 1.2.10 (April 12, 2015)

  • Updated core to Dependency-Check v1.2.10

Version 1.2.9 (March 6, 2015)

  • Updated core to Dependency-Check v1.2.9
  • Added warning if the Maven Central or Nexus analyzer are disabled
  • Added option to bypass Jenkins proxy configuration when downloading NVD feed
  • Updated analysis-core to v1.69
  • Changed label names on tabs

Version 1.2.8 (December 28, 2014)

  • Updated core to Dependency-Check v1.2.8
  • Minor code cleanup

Version 1.2.7.1 (December 28, 2014)

  • Reverted previous serialization changes

Version 1.2.7 (December 8, 2014)

  • Updated core to Dependency-Check v1.2.7
  • Optimized serialization required for slave execution

Version 1.2.6 (November 16, 2014)

  • Updated core to Dependency-Check v1.2.6
  • Updated analysis-core to v1.65
  • Added support for Maven Central analyzer

Version 1.2.5 (September 16, 2014)

  • Updated core to Dependency-Check v1.2.5
  • Support for Ant-style patterns added to scan path configuration

Version 1.2.4 (August 5, 2014)

  • Updated core to Dependency-Check v1.2.4

Version 1.2.3.2 (July 7, 2014)

  • Refactored experimental Maven artifact analysis
  • Fixed display issued on details tab that may display incorrect path

Version 1.2.3.1 (July 1, 2014)

  • Fixed UI defect that prevented plugin from being configured in some circumstances

Version 1.2.3 (June 27, 2014)

  • Updated core to Dependency-Check v1.2.3

Version 1.2.2 (June 23, 2014)

  • Updated core to Dependency-Check v1.2.2
  • Updated analysis-core to v1.57
  • Added experimental support for Maven artifact analysis in Maven jobs
  • Added global configuration for analyzers and temporary directory

Version 1.2.1 (May 10, 2014)

  • Updated core to Dependency-Check v1.2.1

Version 1.2.0 (April 28, 2014)

  • Updated core to Dependency-Check v1.2.0
  • Fixed defect that could result in a circular dependency

Version 1.1.4.1 (April 15, 2014)

  • 1.1.4 did not release properly due to bug in Maven Release Plugin. This is a re-release of 1.1.4 using M-R-P v2.5

Version 1.1.4 (March 30, 2014)

  • Updated core to Dependency-Check v1.1.4
  • Updated analysis-core to v1.56
  • Added URL support for suppression files
  • Fixed bug that prevented workspace from being cleaned up due to H2 lock files in use
  • Fixed defect in details view that prevented certain details from displaying if a CWE was not associated with a vulnerability
  • Default filename for XML reports has changed

Version 1.1.3 (March 11, 2014)

  • Updated core to Dependency-Check v1.1.3

Version 1.1.2 (March 3, 2014)

  • Updated core to Dependency-Check v1.1.2
  • Updated analysis-core to v1.55
  • Added per-build configurable support for additional zip extensions
  • Added global Nexus analyzer proxy bypass setting
  • Added global Mono path configuration

Version 1.1.1.2 (February 9, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by an upstream change

Version 1.1.1.1 (February 8, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by SCM change

Version 1.1.1 (January 30, 2014)

  • Updated core to Dependency-Check v1.1.1

Version 1.1.0 (January 26, 2014)

  • Updated core to Dependency-Check v1.1.0
  • Changed license from GPLv3 to Apache 2.0

Version 1.0.8 (January 18, 2014)

  • Updated core to Dependency-Check v1.0.8
  • Added global configuration options for Nexus analyzer
  • Removed restriction that confined data directory to workspace
  • Support for shared data directory (per node)

Version 1.0.7 (December 3, 2013)

  • Updated core to Dependency-Check v1.0.7
  • Added support for suppression file in build step

Version 1.0.6 (not published)

Version 1.0.5 (November 16, 2013)

  • Updated core to Dependency-Check v1.0.5
  • Updated analysis-core to v1.54
  • Added support for proxy authentication
  • Fixed bug that allowed a build to pass if invalid scan path was specified

Version 1.0.4.1 (October 31, 2013)

  • Added ability to use mirrored NIST CPE/CVE data. Refer to nist-data-mirror for a simple tool to mirror NIST data
  • Added partial proxy server support. The core currently supports hostname and port parameters

Version 1.0.4 (October 22, 2013)

  • Updated core to Dependency-Check v1.0.4
  • Added configurable option to enable verbose logging when using the build step

Version 1.0.3 (October 14, 2013)

  • Updated core to Dependency-Check v1.0.3
  • Added configurable option to generate standalone HTML reports in output directory

Version 1.0.2 (September 4, 2013)

  • Updated core to Dependency-Check v1.0.2

Version 1.0.1.1 (August 30, 2013)

  • Removed unnecessary dependency that may cause classpath issues

Version 1.0.1 (August 2, 2013)

  • Initial public release

Sponsors

Development of Dependency-Check Jenkins Plugin prior to v3.0.3 was sponsored in part by Axway.


23 Comments

  1. Unknown User (oleg_nenashev)

    "dependency-check-jenkins-plugin" artifactId is quite confusing. BTW, there's no way back :(

  2. Unknown User (jhack)

    In which way should I configure the plugin in a Maven multi-module project?

    Using a post-build step with the default configuration only two "random" vulnerabilities are found, while if I execute manually "mvn org.owasp:dependency-check-maven:check" from the base of the mult-module project a report is created for each module.

  3. Unknown User (jandry)

    Hi,

    I successfully generate the dependency check report in my root workspace folder, but I'm not able to publish the analysis results. The "Publish OWASP Dependency-Check" is not availbale in my post build action. Is there something to turn on somewhere ?

    I'm using jenkins 1.651.1 and OWASP Dependency-Check Plugin 1.3.6, Static Analysis Utilities 1.76 and Dashboard View 2.9.7

    I certainly miss something

    Regards,

  4. Unknown User (oswaldo)

    Hello,

    Small suggestion here: the description should be updated to better reflect the scope of this plugin. I believe specially this part:

    Dependency-Check is able to identify Java and Python components along with .NET assemblies

    Could be changed to something like:

    Dependency-Check is able to identify Java, Ruby, PHP, JavaScript, Python components along with .NET assemblies and others

    Or even a table indicating what is supported.

    Cheers,
    Oswaldo

    1. Unknown User (sspringett)

      I like your suggestion. I'm updating the wiki today and will update the sentence and add a table.

  5. Unknown User (boly38)

    Hi. Recently I upgrad plugin from 1.4.5 to 2.1.0 (not sure it's related) but I got the following error:

    16:30:15 [DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
    16:30:15 [DependencyCheck] Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
    16:30:15 [DependencyCheck] Cause: connect timed out
    16:30:15 [DependencyCheck] Message: connect timed out

    Does exist a way to get more details on what's wrong ? I'm unable to fix this issue. Thanks
    1. Unknown User (sspringett)

      The wiki isn't the place for support issues. Please create a JIRA ticket at https://issues.jenkins-ci.org/

      1. Unknown User (boly38)

        Done, thanks for the tips.

  6. Unknown User (hankwang)

    Hi,

    After I updated to 3.0.1, my build always got failed, as follows,

    11:02:00 [DependencyCheck] Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
    11:02:00 [DependencyCheck] Cause: Finally failed connecting to Central search. Giving up after 5 tries.
    11:02:00 [DependencyCheck] Message: Could not connect to Central search. Analysis failed.
    11:02:00 [DependencyCheck] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Could not connect to Central search. Analysis failed.
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:244)
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    11:02:00 [DependencyCheck] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    11:02:00 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    11:02:00 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    11:02:00 [DependencyCheck] 	at java.lang.Thread.run(Thread.java:748)
    11:02:00 [DependencyCheck] Caused by: java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:288)
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:198)
    11:02:00 [DependencyCheck] 	... 7 more
    11:02:00 [DependencyCheck] Caused by: java.io.IOException: Could not connect to MavenCentral (400): Bad Request
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:181)
    11:02:00 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:266)
    11:02:00 [DependencyCheck] 	... 8 more

     

    Can anyone help?

    Thanks

  7. Unknown User (eska_muc)

    At Unknown User (hankwang): Have the same issue and created an JIRA-Issue JENKINS-47991

    1. Unknown User (hankwang)

      Thanks a lot!

  8. Unknown User (eska_muc)

    Unknown User (hankwang) Perhaps you could vote for the issue in JIRA to increase the probability that it will be fixed.

  9. We'd love to configure the owasp plugin via jenkins with an additional 'exclude' argument.

    Reason: Currently we want to run owasp check via all subprojects matching a given pattern (e.g. *-app), but not for a single project matching the same pattern (e.g. 34-app).

    Alternative: We configure each of the desired 32 subprojects manually in jenkins configuration - e.g.: Path to scan: 1-app, 2-app, 3-app, ... 32-app

    Is this possible ?

  10. Unknown User (sspringett)

    Currently not possible. Feel free to create an enhancement request in JIRA https://issues.jenkins-ci.org

    If the app is a modular Maven or Gradle project, those build plugins should be used to perform the scanning, not Jenkins. Jenkins can both scan as well as visualize and publish results, but it can publish results from all other Dependency-Check components as well (ant, maven, gradle, command-line, etc).

    If the app is a big monolithic app without the support of a build system that supports modules, it might make sense to use the command-line utility to create the XML reports for the projects you want and the Jenkins plugin (publisher step only) to read in the results. The method of scanning between the Jenkins plugin and command-line utility are nearly identical.

    1. Thanks a lot for your response. Currently we do what you suggested: we generate the owasp report via our buildsystem and publish the results in Jenkins.

      Doing all this via Jenkins only seemed quite interesting to us.

  11. Unknown User (antarion)

    Dependency Check doesn't throw an error when it fails. It sets the build result to failure but doesn't throw an error. 

    [DependencyCheck]

    [Pipeline] }

    [Pipeline] // stage
    [Pipeline] stage
    [Pipeline] { (publish_Check_Analyzer)
    [Pipeline] dependencyCheckPublisher
    [DependencyCheck] Skipping publisher since build result is FAILURE
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] stage
    [Pipeline] { (deploy)
    [Pipeline] sh

     

    As you can see the step is successful. But the job isn't. And every steps are shown as successful. 

     

    Thanks for your help.

  12. Unknown User (rudy_mu)

    Hi, 

    I've an issue concerning download NVD CVE Data due to proxy setting. I'm using Jenkins 2.104 and OWASP Dependency-Check 3.1.1

    If I use proxy setting, it looks like it uses the proxy setting as it is shown in log file but I can't download this NVD CVE Data

    [DependencyCheck] -proxyServer = XXXXXX
    [DependencyCheck] -proxyPort = XXXXX
    [DependencyCheck] -proxyUsername = XXX
    [DependencyCheck] -proxyPassword = ********
    [DependencyCheck] -isQuickQueryTimestampEnabled = true
    [DependencyCheck] -jarAnalyzerEnabled = true
    [DependencyCheck] -nspAnalyzerEnabled = true

     

    But if I run in CLI it works fine

    sh dependency-check.sh -l abc.log --proxyserver XXXX --proxyport XXXX --updateonly

     

    I'd really appreciate if you could help me ?

    Thanks

     

    Below is the error message

    ---------------------------------------------------------------------------------------------------

    15:17:05 [DependencyCheck] Analyzing Dependencies
    15:17:06 [DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
    15:17:06 [DependencyCheck] Exception Caught: org.owasp.dependencycheck.data.update.exception.UpdateException
    15:17:06 [DependencyCheck] Cause: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
    15:17:06 [DependencyCheck] Message: Unable to download the NVD CVE data.
    15:17:06 [DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data.
    15:17:06 [DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:130)
    15:17:06 [DependencyCheck] 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:889)
    15:17:06 [DependencyCheck] 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:716)
    15:17:06 [DependencyCheck] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:642)
    15:17:06 [DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:172)
    15:17:06 [DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:103)
    15:17:06 [DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:46)
    15:17:06 [DependencyCheck] 	at hudson.remoting.UserRequest.perform(UserRequest.java:210)
    15:17:06 [DependencyCheck] 	at hudson.remoting.UserRequest.perform(UserRequest.java:53)
    15:17:06 [DependencyCheck] 	at hudson.remoting.Request$2.run(Request.java:358)
    15:17:06 [DependencyCheck] 	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
    15:17:06 [DependencyCheck] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    15:17:06 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    15:17:06 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    15:17:06 [DependencyCheck] 	at java.lang.Thread.run(Thread.java:748)
    15:17:06 [DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.

    --------------------------------------------------------------------

    IO Exception: GET request returned a non-200 status code
    
    Exception details
    org.owasp.dependencycheck.utils.DownloadFailedException: GET request returned a non-200 status code
    	at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:273)
    	at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235)
    	at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:507)
    	at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:480)
    	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    	at java.lang.Thread.run(Thread.java:748)
    
    1. Unknown User (sspringett)

      The NVD changed their URLs in the past week and the Dependency-Check team responded with a new release which fixes the issue. Ensure you're using v3.1.2. There are many tickets for this on the GitHub project. If you continue to have issues, please create a JIRA ticket (for Jenkins-specific issues) or a GitHub issue for all other issues.

  13. Unknown User (chandan)

    Does the plugin works with Jenkinsfile. If yes can you provide an example or code snippet for that please.

    1. Unknown User (lakeend)

      Would also love example of use in pipeline.

      1. Unknown User (chandan)

        stage("Dependency Check") {
        dependencyCheckAnalyzer datadir: 'dependency-check-data', isFailOnErrorDisabled: true, hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''

        dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''

        archiveArtifacts allowEmptyArchive: true, artifacts: '**/dependency-check-report.xml', onlyIfSuccessful: true
        }

        found this and it works

  14. Unknown User (saucistophe)

    I've successfully run it, but it takes forever for a single package.json JS dependency file.

    Below are the logs, everything is fine, but the "[DependencyCheck] Analyzing Dependencies" takes forever.

     Logs

    [Pipeline] dependencyCheckAnalyzer

    [DependencyCheck] OWASP Dependency-Check Plugin v4.0.0
    [DependencyCheck] Executing Dependency-Check with the following options:
    [DependencyCheck] -name = Test pipeline
    [DependencyCheck] -scanPath = /home/jenkins/workspace/Test pipeline/package.json
    [DependencyCheck] -scanPath = /home/jenkins/workspace/Test pipeline/package-lock.json
    [DependencyCheck] -outputDirectory = /home/jenkins/workspace/Test pipeline
    [DependencyCheck] -dataDirectory = /home/jenkins/workspace/Test pipeline/dependency-check-data
    [DependencyCheck] -dataMirroringType = none
    [DependencyCheck] -isQuickQueryTimestampEnabled = true
    [DependencyCheck] -jarAnalyzerEnabled = true
    [DependencyCheck] -nodePackageAnalyzerEnabled = true
    [DependencyCheck] -nodeAuditAnalyzerEnabled = true
    [DependencyCheck] -retireJsAnalyzerEnabled = true
    [DependencyCheck] -composerLockAnalyzerEnabled = true
    [DependencyCheck] -pythonDistributionAnalyzerEnabled = true
    [DependencyCheck] -pythonPackageAnalyzerEnabled = true
    [DependencyCheck] -rubyBundlerAuditAnalyzerEnabled = false
    [DependencyCheck] -rubyGemAnalyzerEnabled = true
    [DependencyCheck] -cocoaPodsAnalyzerEnabled = true
    [DependencyCheck] -swiftPackageManagerAnalyzerEnabled = true
    [DependencyCheck] -archiveAnalyzerEnabled = true
    [DependencyCheck] -assemblyAnalyzerEnabled = true
    [DependencyCheck] -msBuildProjectAnalyzerEnabled = true
    [DependencyCheck] -nuGetConfigAnalyzerEnabled = true
    [DependencyCheck] -nuspecAnalyzerEnabled = true
    [DependencyCheck] -centralAnalyzerEnabled = true
    [DependencyCheck] -nexusAnalyzerEnabled = false
    [DependencyCheck] -artifactoryAnalyzerEnabled = false
    [DependencyCheck] -autoconfAnalyzerEnabled = true
    [DependencyCheck] -cmakeAnalyzerEnabled = true
    [DependencyCheck] -opensslAnalyzerEnabled = true
    [DependencyCheck] -showEvidence = true
    [DependencyCheck] -formats = XML
    [DependencyCheck] -autoUpdate = true
    [DependencyCheck] -updateOnly = false
    [DependencyCheck] Data directory created
    [DependencyCheck] Scanning: /home/jenkins/workspace/Test pipeline/package.json
    [DependencyCheck] Scanning: /home/jenkins/workspace/Test pipeline/package-lock.json
    [DependencyCheck] Analyzing Dependencies
    [Pipeline] dependencyCheckPublisher
    [DependencyCheck] Collecting Dependency-Check analysis files...
    [DependencyCheck] Searching for all files in /home/jenkins/workspace/Test pipeline that match the pattern **/dependency-check-report.xml
    [DependencyCheck] Parsing 1 file in /home/jenkins/workspace/Test pipeline
    [DependencyCheck] Successfully parsed file /home/jenkins/workspace/Test pipeline/dependency-check-report.xml with 0 unique warnings and 0 duplicates.

    I run it in a pipelinewith the following:

    dependencyCheckAnalyzer datadir: '', hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, includeVulnReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: './package.json, ./package-lock.json', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''

    And I didn't touch the configuration. Any thoughts?

    Edit: The problem was that I didn't specify a global cache folder for the plugin, so it downloaded the whole shebang each time a new build was triggered. Now it works A-OK.

  15. Unknown User (vitaly_il)

    I see plugin's report into classic Jenkins UI, but not in Blue Ocean.

    Is this known issue or  I'm missing something?

    TIA,

    Vitaly