DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Pipeline Documentation #253

Open msymons opened 5 years ago

msymons commented 5 years ago

I am having difficulty getting ingestion of BOM and XML as part of a Jenkins pipeline and would like to request a bit of documentation on how they can be implemented.

The Continuous Delivery page mentions pipelines but contains no examples.

I found this excellent tip for usage of archiveArtifacts in DependencyCheck. I have used it for both the dependency-check plugin and for cyclonedx-maven-plugin. I.e., maybe the info should appear in a couple of different bits of documentation!

I found this dependency-check plugin pull request that contains useful information... but also raises questions. For instance...

I have also been trying to get cyclonedx-node-module working in a pipeline using the NodeJS jenkins plugin. I have not yet succeeded!

stevespringett commented 5 years ago

Jenkins has a built-in syntax generator and self-describes pipelines. However, for some reason, not all options are coming up. In fact, the only option that is displaying is synchronous.

msymons commented 5 years ago

Thanks. I had forgotten about the syntax-tool within Jenkins because I was working to update someone else's scripted-pipeline global library and was thus just looking at things in GitHub. Not in Jenkins (except when running a build using the pipeline).

Now that I look, I see the following... dependency-track-pipeline-snippet-gen

Note that there is no displayed option for specifying autocreate (i.e., name of auto-created project, mapping to projectName). Does this not tie in with #232?

Kind of separately, if I do specify projectName in a pipeline, what is the expectation if the project is renamed in Dependency-Track UI? Would that not create a new project and break the link with the old one?

rcha0s commented 5 years ago

For only a part of that question, I have tested that #232 works with pipeline jobs and that it works only with asynchronous mode. If you try the synchronous mode, you see the error: [DependencyTrack] An error occurred while retrieving findings - HTTP response code: 500 Server Error which in the logs points to [org.eclipse.jetty.server.HttpChannel] /api/v1/finding/project/null javax.servlet.ServletException: java.lang.IllegalArgumentException: Invalid UUID string: null

pdl3 commented 4 years ago

I ran into this bug and then was pleasantly surprised when looking through the 2.2.0 Dependency Track Jenkins plugin changes that this looked like it had been fixed. I updated and synchronous mode works now!

valentijnscholten commented 4 years ago

I am also looking for documentation. What I found so far:

  • The jenkins plugin does not generate the BOM, you need to take care of that in another way, i.e. jenkins plugin
  • You can upload from scripted/declarative pipelines
  • The publisher can autogenerate a project, but it is unclear how it works. How to specify this parameter in a pipeline? I think I saw the value 'autocreate' as projectName somewhere, and what will be the name of the autogenerated project in that case? But I also see an example with isAutoCreateEnabled=true as parameter. I could try all this out, but at the moment I am just evaluating if we should use dependencytrack and I suppose I'm not the only one looking for this info/docs.

EDIT: There's also a JIRA issue tracker for the jenkins plugin and https://issues.jenkins-ci.org/browse/JENKINS-60643 has some more info about autocreation, basically should just work for pipeline jobs when enabled globally in the dependency track config.

pdl3 commented 4 years ago

Generating the BOM is pretty easy, lots of plugins available.

Here's the pipeline documentation for Dependency Track https://jenkins.io/doc/pipeline/steps/dependency-track/

With the auto create option, Dependency Track simply creates a new project/label and processes the uploaded BOM.

One potential gotcha is mitigation history seems to be keyed per project+version. So you can currently globally exempt component vulnerabilities across all projects, but if you want to do it per project, with auto create enabled, as far as I've been able to tell you lose them on a new version. So you might want to use branch names as projectVersion if you use autocreate. More details on that here: https://github.com/DependencyTrack/dependency-track/issues/590

We love DT so far although we're fairly new users.

On Thu, Apr 16, 2020 at 6:59 AM valentijnscholten notifications@github.com wrote:

I am also looking for documentation. What I found so far:

  • The jenkins plugin does not generate the BOM, you need to take care of that in another way, i.e. jenkins plugin
  • You can upload from scripted/declarative pipelines
  • The publisher can autogenerate a project, but it is unclear how it works. How to specify this parameter in a pipeline? I think I saw the value 'autocreate' as projectName somewhere, and what will be the name of the autogenerated project in that case? But I also see an example with isAutoCreateEnabled=true as parameter. I could try all this out, but at the moment I am just evaluating if we should use dependencytrack and I suppose I'm not the only one looking for this info/docs.


-- Philip Lowman
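The following declarative Jenkinsfile puts the pieces discussed in this thread together: generate the BOM with the CycloneDX Maven plugin, archive it with the build (the archiveArtifacts tip from the first post), then hand it to the plugin's dependencyTrackPublisher step in synchronous mode, using the branch name as projectVersion so that per-project analysis decisions survive across builds, as suggested in the comment above. This is an added example written for this page, not code from the Dependency-Track project, the Jenkins plugin, or any commenter. It assumes a Maven project; that the Dependency-Track Jenkins plugin is installed with its server URL, API key and (for the 2.x plugin) the auto-create option configured globally under Manage Jenkins; that the step parameters are the ones listed in the step reference linked above (artifact, artifactType, projectName, projectVersion, synchronous, failedTotalCritical); and the project name "my-service" and the threshold semantics are assumptions marked in the comments.

```groovy
// Added example for this thread; not code from the Dependency-Track project
// or the Jenkins plugin. Assumes: a Maven project, the Dependency-Track
// Jenkins plugin installed, and its server URL, API key and (2.x plugin)
// "auto create projects" setting configured globally in Manage Jenkins.
pipeline {
    agent any

    options {
        // A BOM upload must never block a build forever: bound the
        // synchronous wait so a stuck Dependency-Track server fails fast.
        timeout(time: 20, unit: 'MINUTES')
    }

    environment {
        // Assumption: the name you want to see in Dependency-Track.
        DT_PROJECT_NAME = 'my-service'
        // Jenkins sets BRANCH_NAME for multibranch jobs; fall back to
        // GIT_BRANCH, then to a constant, for single-branch jobs.
        // Using the branch as the version keeps analysis decisions
        // (suppressions, "not affected", ...) for that branch across builds,
        // which is the gotcha described in the comment above.
        DT_PROJECT_VERSION = "${env.BRANCH_NAME ?: env.GIT_BRANCH ?: 'main'}"
    }

    stages {
        stage('Build and generate BOM') {
            steps {
                // makeAggregateBom writes target/bom.xml covering all modules
                // of a multi-module build (makeBom for a single module).
                sh 'mvn -B -DskipTests package org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom'
                // Keep the exact inventory that was uploaded with the build
                // record so it can be re-examined later.
                archiveArtifacts artifacts: 'target/bom.xml', fingerprint: true
            }
        }

        stage('Publish BOM to Dependency-Track') {
            steps {
                // projectName + projectVersion identify the Dependency-Track
                // project; with auto-create enabled, the first build of a
                // new branch creates it. synchronous: true waits for the
                // server to finish processing and then pulls the findings,
                // which is what makes the threshold below enforceable.
                dependencyTrackPublisher artifact: 'target/bom.xml',
                    artifactType: 'bom',
                    projectName: env.DT_PROJECT_NAME,
                    projectVersion: env.DT_PROJECT_VERSION,
                    synchronous: true,
                    // Assumption about threshold semantics: a value of 1
                    // fails the build as soon as one critical finding is
                    // reported by the server.
                    failedTotalCritical: 1
            }
        }
    }
}
```

Two things to check before relying on this: the Snippet Generator (Pipeline Syntax) in your own Jenkins lists the parameters your installed plugin version actually accepts, and later plugin releases also expose per-step overrides for the server URL, API key and auto-create, so prefer what your Snippet Generator shows over the names assumed here. If the publish step fails in synchronous mode with "An error occurred while retrieving findings - HTTP response code: 500" on a freshly auto-created project, that matches the behaviour reported earlier in this thread for older plugin versions, which a commenter reports as fixed in plugin 2.2.0.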

rajesh2887 commented 4 years ago

Hi Team

Can you help with the error below?

[DependencyTrack] Polling Dependency-Track for BOM processing status
[DependencyTrack] Processing findings
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while retrieving findings - HTTP response code: 500 null
    at org.jenkinsci.plugins.DependencyTrack.ApiClient.getFindings(ApiClient.java:96)
Caused: org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while retrieving findings
    at org.jenkinsci.plugins.DependencyTrack.ApiClient.getFindings(ApiClient.java:99)
    at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.perform(DependencyTrackPublisher.java:226)
    at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
    at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
    at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
    at hudson.security.ACL.impersonate(ACL.java:290)
    at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

rajesh2887 commented 4 years ago

Hi Team, can you help with the error below? The BOM uploaded successfully but retrieving findings failed.

[DependencyTrack] Publishing artifact to Dependency-Track
[DependencyTrack] The artifact was successfully published
[DependencyTrack] Polling Dependency-Track for BoM processing status
[DependencyTrack] Processing findings
[DependencyTrack] An error occurred while retrieving findings - HTTP response code: 500 null
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: FAILURE

perzonaljezus commented 4 years ago

I have the same issue. Jenkins 2.235.3, Dependency-Track Plugin 2.3.0, Dependency-Track Server v3.8.0.

Needless to say, it was working fine up to some days ago.