
I am trying to add Dependency Check into my JenkinsFile without success.

Plugin installation and configuration are done.
Global Tool Configuration
Name : Vulnerability5
Install automatically (checked)
Version : dependency-check 5.2.4

pipeline {

    agent any

    tools {
        nodejs "node8"
        dependency-check "vulnerability5"
    }

    stages {
        stage('Install Deps') {
            steps {
                // Install dependencies
                sh 'yarn install'
            }
        }
        stage('Dependency Check') {
            steps {
                // Run OWASP Dependency Check
                dependencyCheck additionalArguments: '-f "HTML, XML,CSV" -s .'
            }
        }
    }
}

Adding the dependency check in tools is breaking the pipeline file. Any idea of what I am missing?

Lii
Ibrahim

1 Answer


I use an instruction like this and it works fine:

stages {
    stage ('OWASP Dependency-Check Vulnerabilities') {
        steps {
            dependencyCheck additionalArguments: '''
                -o "./"
                -s "./"
                -f "ALL"
                --prettyPrint''', odcInstallation: 'OWASP-DC'

            dependencyCheckPublisher pattern: 'dependency-check-report.xml'
        }
    }
}

odcInstallation: 'OWASP-DC' is the preinstalled and configured OWASP Dependency-Check plugin on my Jenkins.

Yurko
  • Hopefully you can help more. I have been able to configure and use the plugin in a FreeStyle Jenkins project and now trying to use the same in my pipeline. I added dependencyCheck to an existing stage in my pipeline and I get this error: groovy.lang.MissingPropertyException: No such property: dependencyCheck for class: groovy.lang.Binding – John Camerin Jun 18 '20 at 15:50
  • Alright, so I believe I have solved my own issue. I will post here for the benefit of others who may run into issues. 1) My pipeline is a groovy script, so I needed to add () for Jenkins to find the plugin 2) The plugin throws an NPE if you omit additionalArguments parameter 3) The odcInstallation is required and the value should be the name of the Dependency-check installation configured in the Jenkins Global Tools Configuration. – John Camerin Jun 18 '20 at 16:10
  • For whatever reason, `dependencyCheck` is behaving like it is scanning some completely different directory. For example, it is complaining that I don't have `package-lock.json` file when I know I do. I've tried using `${WORKSPACE}` as well as just `./` and nothing seems to work. Any ideas? – robross0606 May 11 '21 at 19:47
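Putting the answer and John Camerin's three findings together, here is an added Jenkinsfile of my own (not from the question, the answer or the plugin's documentation) that fixes the asker's pipeline: Dependency-Check is removed from the `tools` block and selected per step with `odcInstallation`, `additionalArguments` is always supplied, the step is called with parentheses, and the build is failed on severe findings. It assumes the installation is named `Vulnerability5` as in the question; the `--failOnCVSS` CLI flag and the `failedTotalCritical` / `failedTotalHigh` publisher thresholds are taken from my reading of the Dependency-Check CLI and plugin, not from this page.

```groovy
pipeline {
    agent any

    tools {
        // Only nodejs belongs here. OWASP Dependency-Check is not a `tools`
        // entry; it is selected per step via odcInstallation, which is why the
        // question's `dependency-check "vulnerability5"` line broke the file.
        nodejs "node8"
    }

    stages {
        stage('Install Deps') {
            steps {
                // Install dependencies so the lock file and node_modules exist in the workspace
                sh 'yarn install'
            }
        }

        stage('Dependency Check') {
            steps {
                // Parentheses: needed in a scripted/Groovy pipeline for the step to resolve.
                // additionalArguments must be present (the plugin NPEs without it).
                // odcInstallation must match the name in Global Tool Configuration (assumed: Vulnerability5).
                // --failOnCVSS 7 (assumed CLI flag) makes the scan fail the step on any finding scoring >= 7.
                dependencyCheck(
                    additionalArguments: '''
                        -s "./"
                        -o "./"
                        -f "ALL"
                        --failOnCVSS 7
                        --prettyPrint''',
                    odcInstallation: 'Vulnerability5'
                )
            }
            post {
                // Publish in post/always so the report is still archived when the scan fails the build
                always {
                    dependencyCheckPublisher(
                        pattern: 'dependency-check-report.xml',
                        // Assumed publisher thresholds: mark the build failed on the first critical or high finding
                        failedTotalCritical: 1,
                        failedTotalHigh: 1
                    )
                }
            }
        }
    }
}
```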