a) in Jenkins, configure an M3 Maven installation in your "Global Tools" configuration section
b) make sure you have installed the OWASP Dependency-Check plugin
c) create a Pipeline Jenkins project named "owasptest" and simply paste this pipeline (it's a copy of the built-in "github and maven" sample pipeline):
node {
   def mvnHome
   stage('Preparation') { // for display purposes
      // Get some code from a GitHub repository
      git 'https://github.com/jglick/simple-maven-project-with-tests.git'
      // Get the Maven tool.
      // ** NOTE: This 'M3' Maven tool must be configured
      // ** in the global configuration.
      mvnHome = tool 'M3'
   }
   stage('Build') {
      // Run the maven build
      if (isUnix()) {
         sh "'${mvnHome}/bin/mvn' -Dmaven.test.failure.ignore clean package"
      } else {
         bat(/"${mvnHome}\bin\mvn" -Dmaven.test.failure.ignore clean package/)
      }
   }
   stage('Results') {
      junit '**/target/surefire-reports/TEST-*.xml'
      archive 'target/*.jar'
   }
   stage("Dependency Check") {
      // Run the scan; the NVD data is cached under dependency-check-data in the workspace
      dependencyCheckAnalyzer datadir: 'dependency-check-data', isFailOnErrorDisabled: true, hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''
      // Parse the XML report and record the findings on the build
      dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''
      // Keep the raw report as a build artifact
      archiveArtifacts allowEmptyArchive: true, artifacts: '**/dependency-check-report.xml', onlyIfSuccessful: true
   }
}
and leave "Use Groovy Sandbox" checked
Building jar: /home/centos/.jenkins/workspace/owasptest/target/simple-maven-project-with-tests-1.0-SNAPSHOT.jar
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck] -name = owasptest
[DependencyCheck] -scanPath = /home/centos/.jenkins/workspace/owasptest
[DependencyCheck] -outputDirectory = /home/centos/.jenkins/workspace/owasptest
[DependencyCheck] -dataDirectory = /home/centos/.jenkins/workspace/owasptest/dependency-check-data
[DependencyCheck] -dataMirroringType = none
[DependencyCheck] -isQuickQueryTimestampEnabled = true
[DependencyCheck] -jarAnalyzerEnabled = true
[DependencyCheck] -nodePackageAnalyzerEnabled = true
[DependencyCheck] -nspAnalyzerEnabled = true
[DependencyCheck] -composerLockAnalyzerEnabled = true
[DependencyCheck] -pythonDistributionAnalyzerEnabled = true
[DependencyCheck] -pythonPackageAnalyzerEnabled = true
[DependencyCheck] -rubyBundlerAuditAnalyzerEnabled = false
[DependencyCheck] -rubyGemAnalyzerEnabled = true
[DependencyCheck] -cocoaPodsAnalyzerEnabled = true
[DependencyCheck] -swiftPackageManagerAnalyzerEnabled = true
[DependencyCheck] -archiveAnalyzerEnabled = true
[DependencyCheck] -assemblyAnalyzerEnabled = true
[DependencyCheck] -centralAnalyzerEnabled = true
[DependencyCheck] -nuspecAnalyzerEnabled = true
[DependencyCheck] -nexusAnalyzerEnabled = false
[DependencyCheck] -autoconfAnalyzerEnabled = true
[DependencyCheck] -cmakeAnalyzerEnabled = true
[DependencyCheck] -opensslAnalyzerEnabled = true
[DependencyCheck] -showEvidence = true
[DependencyCheck] -formats = XML
[DependencyCheck] -autoUpdate = true
[DependencyCheck] -updateOnly = false
[DependencyCheck] Data directory created
[DependencyCheck] Scanning: /home/centos/.jenkins/workspace/owasptest
[DependencyCheck] Analyzing Dependencies
[Pipeline] dependencyCheckPublisher
[DependencyCheck] Collecting Dependency-Check analysis files...
[DependencyCheck] Searching for all files in /home/centos/.jenkins/workspace/owasptest that match the pattern **/dependency-check-report.xml
[DependencyCheck] Parsing 1 file in /home/centos/.jenkins/workspace/owasptest
[DependencyCheck] Successfully parsed file /home/centos/.jenkins/workspace/owasptest/dependency-check-report.xml with 0 unique warnings and 0 duplicates.
At this point you can view the report in http://localhost:9090/job/owasptest/lastSuccessfulBuild/artifact/dependency-check-report.xml
To get interesting results you should use https://github.com/WebGoat/WebGoat.git
At the end, a monster DB (330 MB) is built at /home/centos/.jenkins/workspace/owasptest/dependency-check-data/dc.h2.db
To learn more about this DB, read here https://github.com/jeremylong/DependencyCheck/tree/master/core/src/main/resources/data
and here https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/resources/dependencycheck.properties
Ref: https://issues.jenkins-ci.org/browse/JENKINS-37437
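The pipeline as pasted archives and publishes dependency-check-report.xml, but nothing in it fails the build when the report contains findings. The script below is an added example (not part of the original post, and not code from the Dependency-Check project) that reads the XML report and returns a non-zero exit code when any vulnerability reaches a CVSS threshold. It assumes the element names of the report schema (dependency/fileName, vulnerability/name, and either cvssScore or cvssV3/baseScore / cvssV2/score); the embedded SAMPLE_REPORT and its CVE ids are constructed placeholders, and the script name dc_gate.py is a made-up name.

```python
"""Gate a Jenkins build on the OWASP Dependency-Check XML report.

Added example, not part of the original post or of the Dependency-Check
project. Assumes the report's element names: dependency/fileName,
vulnerability/name, and a score in cvssScore, cvssV3/baseScore or
cvssV2/score (older and newer schema versions differ).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report (placeholder CVE ids): one clean dependency and
# one with a critical and a medium finding.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
  <dependencies>
    <dependency>
      <fileName>commons-io-2.4.jar</fileName>
      <vulnerabilities/>
    </dependency>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-0000-0001</name>
          <cvssScore>9.8</cvssScore>
          <severity>Critical</severity>
        </vulnerability>
        <vulnerability>
          <name>CVE-0000-0002</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""


def _strip_ns(root):
    """Drop the schema namespace so the same code works across report versions."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _score(vuln):
    """Best-effort CVSS score: old flat cvssScore, then v3, then v2 (assumed layouts)."""
    for path in ("cvssScore", "cvssV3/baseScore", "cvssV2/score"):
        node = vuln.find(path)
        if node is not None and node.text:
            try:
                return float(node.text)
            except ValueError:
                continue
    return 0.0


def parse_findings(xml_text):
    """Return [(file_name, cve_id, score), ...] for every vulnerability in the report."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    for dep in root.iter("dependency"):
        file_name = dep.findtext("fileName", default="?")
        for vuln in dep.iter("vulnerability"):
            findings.append((file_name, vuln.findtext("name", default="?"), _score(vuln)))
    return findings


def blocking_findings(findings, threshold=7.0):
    """Findings at or above the threshold; an empty list means the gate passes."""
    return [f for f in findings if f[2] >= threshold]


def main(argv):
    # Usage: python3 dc_gate.py [dependency-check-report.xml] [threshold]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    findings = parse_findings(report)
    blocking = blocking_findings(findings, threshold)
    print(f"{len(findings)} finding(s), {len(blocking)} at or above CVSS {threshold}")
    for file_name, cve, score in blocking:
        print(f"  BLOCK {file_name}: {cve} (CVSS {score})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it into the pipeline above, add a step such as `sh 'python3 dc_gate.py dependency-check-report.xml 7.0'` after dependencyCheckAnalyzer in the "Dependency Check" stage; the non-zero exit code makes the sh step, and with it the build, fail. Keep the gate after dependencyCheckPublisher and archiveArtifacts if you still want the report published on a failed build.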