Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2017: A9 - Using Components with Known Vulnerabilities. This plug-in can independently execute a Dependency-Check analysis and visualize results.

The plugin has three main components: a globally defined tool configuration, a builder, and a publisher.

One or more Dependency-Check versions can be installed via the Jenkins Global Tool Configuration. The installation of Dependency-Check can be performed automatically, which will download and extract the official Command-Line Interface (CLI) from GitHub, or an official distribution can be installed manually and the path to the installation referenced in the configuration.

The builder performs an analysis using one of the pre-defined Dependency-Check CLI installations. Configuration specific to Jenkins is minimal; the most important part of the job configuration is the 'Arguments' field, which is passed directly to the selected CLI installation, so any CLI option can be set there. Because the publisher reads the XML report, the arguments should request an XML report (for example --format XML or --format ALL); the CLI's default output is HTML only.

The publisher works independently of the tool configuration and builder. It reads dependency-check-report.xml and generates metrics, trends, and findings, and can optionally fail the build or put it into a warning (UNSTABLE) state based on configurable thresholds. When a job has the publisher configured, a trending chart displays the total number of findings grouped by severity. Hovering over a build displays high-level severity information. Findings are displayed in an interactive table which can be sorted, searched, and paginated.