OWASP Dependency-Check Plugin

Skip to end of metadata
Go to start of metadata

Plugin Information

Plugin ID dependency-check-jenkins-plugin Changes In Latest Release
Since Latest Release
Latest Release
Latest Release Date
Required Core
Dependencies
1.1.4.1
Apr 15, 2014
1.480.3
analysis-core (version:1.56)
Source Code
Issue Tracking
Maintainer(s)
GitHub
Open Issues
Steve Springett (id: n/a)
Usage Installations 2013-Aug 30
2013-Sep 48
2013-Oct 72
2013-Nov 83
2013-Dec 93
2014-Jan 118
2014-Feb 129
2014-Mar 168

Description

Dependency-Check is an open source utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities. The purpose of Dependency-Check is to help notify developers and security professionals of the problem discussed by Jeff Williams and Arshan Dabirsiaghi in their talk at AppSec DC 2012 titled “The Unfortunate Reality of Insecure Libraries“.

The Dependency-Check Jenkins Plugin features the ability to perform a dependency analysis build and later view results post build. The plugin is built using analysis-core and features many of the same features that Jenkins static analysis plugins offer, including thresholds, charts and the ability to view vulnerability information should a dependency have one identified.

Usage

Dependency-Check is the core engine that includes the evidence-based identification, analysis, and reporting of library information and associated vulnerabilities. Dependency-Check includes a command line interface (CLI), an Ant task, and Maven plugin. All three generate the same HTML and XML reports. The Dependency-Check Jenkins Plugin relies on the XML report generated from the CLI, Ant task or Maven plugin. It's recommended to include a Dependency-Check scan as part of a build process, similar to how a Findbugs or PMD analysis is typically performed.

The Dependency-Check Jenkins Plugin also includes everything necessary to execute an analysis outside of a build script by incorporating the Dependency-Check core engine and associated Jenkins build-step.

Use in Software Engineering

Dependency-Check builds can be run in a continuous integration or nightly basis to determine if there are new vulnerabilities discovered based on the addition of a new dependency, or the discovery of a new vulnerability in an existing dependency. This is highly desirable information for projects in active development and for those being sustained.

Use for Proactive Monitoring

Dependency-Check builds in Jenkins can be used outside of a software engineering context by automatically scanning and analyzing third-party applications where source code is not available. In this scenario, Jenkins behaves like a glorified cron job with built-in reporting capabilities. An enterprise for example, could scan and analyze all third-party applications (commercial or otherwise) for libraries containing publicly known vulnerabilities and proactively address issues when they arise.

Screenshots

Trending Chart

Categories (by CWE)

Types (by CVE)

Analysis Details

Version History

Version 1.1.4.1 (April 15, 2014)

  • 1.1.4 did not release properly due to bug in Maven Release Plugin. This is a re-release of 1.1.4 using M-R-P v2.5.

Version 1.1.4 (March 30, 2014)

  • Updated core to Dependency-Check v1.1.4
  • Updated analysis-core to v1.56
  • Added URL support for suppression files
  • Fixed bug that prevented workspace from being cleaned up due to H2 lock files in use
  • Fixed defect in details view that prevented certain details from displaying if a CWE was not associated with a vulnerability
  • Default filename for XML reports has changed

Version 1.1.3 (March 11, 2014)

  • Updated core to Dependency-Check v1.1.3

Version 1.1.2 (March 3, 2014)

  • Updated core to Dependency-Check v1.1.2
  • Updated analysis-core to v1.55
  • Added per-build configurable support for additional zip extensions
  • Added global Nexus analyzer proxy bypass setting
  • Added global Mono path configuration

Version 1.1.1.2 (February 9, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by an upstream change

Version 1.1.1.1 (February 8, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by SCM change

Version 1.1.1 (January 30, 2014)

  • Updated core to Dependency-Check v1.1.1

Version 1.1.0 (January 26, 2014)

  • Updated core to Dependency-Check v1.1.0
  • Changed license from GPLv3 to Apache 2.0

Version 1.0.8 (January 18, 2014)

  • Updated core to Dependency-Check v1.0.8
  • Added global configuration options for Nexus analyzer
  • Removed restriction that confined data directory to workspace
  • Support for shared data directory (per node)

Version 1.0.7 (December 3, 2013)

  • Updated core to Dependency-Check v1.0.7
  • Added support for suppression file in build step

Version 1.0.6 (not published)

Version 1.0.5 (November 16, 2013)

  • Updated core to Dependency-Check v1.0.5
  • Updated analysis-core to v1.54
  • Added support for proxy authentication
  • Fixed bug that allowed a build to pass if invalid scan path was specified

Version 1.0.4.1 (October 31, 2013)

  • Added ability to use mirrored NIST CPE/CVE data. Refer to nist-data-mirror for a simple tool to mirror NIST data.
  • Added partial proxy server support. The core currently supports hostname and port parameters.

Version 1.0.4 (October 22, 2013)

  • Updated core to Dependency-Check v1.0.4
  • Added configurable option to enable verbose logging when using the build step

Version 1.0.3 (October 14, 2013)

  • Updated core to Dependency-Check v1.0.3
  • Added configurable option to generate standalone HTML reports in output directory

Version 1.0.2 (September 4, 2013)

  • Updated core to Dependency-Check v1.0.2

Version 1.0.1.1 (August 30, 2013)

  • Removed unnecessary dependency that may cause classpath issues

Version 1.0.1 (August 2, 2013)

  • Initial public release

Sponsors

Development of OWASP Dependency-Check Jenkins Plugin is sponsored by Axway.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Add Comment