Jenkins : OWASP Dependency-Track Plugin

Plugin Information

View OWASP Dependency-Track on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:


Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. 

It integrates with multiple vulnerability databases including the National Vulnerability Database (NVD), NPM Public AdvisoriesSonatype OSS Index, and VulnDB from Risk Based Security. Dependency-Track monitors all applications in its portfolio in order to proactively identify vulnerabilities in components that are placing your applications at risk. Use of Dependency-Track can play a vital role in an overall Cyber Supply Chain Risk Management (C-SCRM) program by fulfilling many of the recommendations laid out by SAFECode.

Dependency-Track is designed to be used in an automated DevOps environment where software bill-of-material (S-BoM) formats are automatically ingested during CI/CD. Use of this plugin is highly recommended for this purpose and is well suited for use in Jenkins Pipeline. In such an environment, Dependency-Track enables your DevOps teams to accelerate while still keeping tabs on component usage and any inherited risk.

Plugin Description

The Dependency-Track Jenkins plugin aids in publishing CycloneDX and SPDX BoMs as well as Dependency-Check XML reports to the Dependency-Track platform.

Publishing BoMs can be performed asynchronously or synchronously.

Asynchronous publishing simply uploads the BoM to Dependency-Track and the job continues. Synchronous publishing waits for Dependency-Track to process the BoM after being uploaded. Synchronous publishing has the benefit of displaying interactive job trends and per build findings.

Job Configuration

Once configured with a valid URL and API key, simply configure a job to publish the artifact.

Dependency-Track project: Specifies the unique project ID to upload scan results to. This dropdown will be automatically populated with a list of projects.

Artifact: Specifies the file to upload. Paths are relative from the Jenkins workspace.

Artifact Type: Options are:

  • Software Bill of Material (CycloneDX or SPDX)
  • Dependency-Check Scan Result (XML)

Synchronous mode: Uploads a BoM to Dependency-Track and waits for Dependency-Track to process and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response. Synchronous mode is possible with Dependency-Track v3.3.1 and higher.

When Synchronous mode is enabled, thresholds can be defined which can optionally put the job into an UNSTABLE or FAILURE state.

Total Findings: Sets the threshold for the total number of critical, high, medium, or low severity findings allowed. If the number of findings equals or is greater than the threshold for any one of the severities, the job status will be changed to UNSTABLE or FAILURE.

New Findings: Sets the threshold for the number of new critical, high, medium, or low severity findings allowed. If the number of new findings equals or is greater than the previous builds finding for any one of the severities, the job status will be changed to UNSTABLE or FAILURE.

Global Configuration

To setup, navigate to Jenkins > System Configuration and complete the Dependency-Track section.

External Resources

Version History

Version 2.1.0 (January 22, 2019)

  • Added support for risk gate thresholds which can optionally put the job into an UNSTABLE or FAILURE state upon meeting the defined threshold
  • Fixed issue that could lead to infinite polling in synchronous mode
  • Added configurable polling timeout defaulting to 5 minutes
  • Fixed drop-down bug which could result in BOMs being uploaded to the wrong project
  • Minor enhancements to console output

Version 2.0.2 (November 22, 2018)

  • Corrected issue that ignored the suppression state of findings resulting in suppressed findings being treated as non-suppressed findings

Version 2.0.1 (November 14, 2018)

  • Corrected issue that resulted in a JSON exception when uploading Dependency-Check XML reports or when uploading to Dependency-Track v3.3.0 and earlier
  • Added check that will display the trending chart only if there is history to display
  • Added additional console logging if synchronous mode was enabled but the artifact was not a supported BoM format

Version 2.0.0 (November 13, 2018)

  • Added support for synchronous publishing mode, interactive findings, graphs, and trends (requires Dependency-Track v3.3.1 or higher)

Version 1.1.1 (October 25, 2018)

  • Fixed issue that prevented project dropdown from displaying more than 100 projects

Version 1.1.0 (October 18, 2018)

  • Added global option to auto-create project on upload. Requires Dependency-Track v3.1.0 or higher and the PROJECT_CREATION_UPLOAD permission.
  • Enhanced global configuration with Test Connection functionality to confirm network and authentication and authorization validity

Version 1.0.0 (September 17, 2018)