jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

jenkins plugin : publishing several reports at once has strange behavior #2658

Open aubertaa opened 4 years ago

aubertaa commented 4 years ago

Describe the bug: Different projects are scanned using dependency-check and several separate XML reports are generated. Then I try to publish the reports at once using this line: `dependencyCheckPublisher pattern: '**/dependency-check-report.xml'`

I do get the merged counts in a first graph on the job page, and one entry per report displaying the title 'Dependency-Check Trend' but with no graph associated.

On the build page, I get a lot of links (1 per report), all pointing to the same URL: https://JOB_URL/BUILD_ID/dependency-check-findings

This report does contain headers counting all detected vulnerabilities (the 'Severity distribution' bar at the top with colors and counts), but the details are only those of the first XML file considered when publishing all of them.

Version of dependency-check used: Dependency-Check Jenkins plugin 5.1.1

To Reproduce: Try to publish several XML vulnerability reports at once using a wildcard with:

`dependencyCheckPublisher pattern: '**/dependency-check-report.xml'` or `dependencyCheckPublisher pattern: 'dependency-check-*.xml'`

Expected behavior: What I expect is to have only 1 trend graph on the job main page, 1 entry in the left menu linking to /dependency-check-findings, and all results merged into 1 detailed report on the specific build page.

I haven't found a verbose mode for the Dependency-Check publisher, so I don't have a precise log of the report-file processing operations.

Feel free to ask more if needed. (Two screenshots attached: 2020-06-03_1006, 2020-06-03_1004)
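The expected behavior above is a single merged report whose severity counts do not double-count a jar that several modules share. The script below is an added example, not code from dependency-check or the Jenkins plugin, of merging several dependency-check XML reports the way the reporter wants. It assumes the layout of the dependency-check XML format (a namespaced `<analysis>` root, a `<dependencies>` list of `<dependency>` elements carrying `<fileName>`, `<sha1>` and an optional `<vulnerabilities>` list of `<vulnerability>` elements with `<name>` and `<severity>`); the namespace URI and the two mini-reports are constructed for the demo, and the CVE-style names in them are placeholders, not real identifiers.

```python
"""Merge several OWASP dependency-check XML reports into one view.

Added example (not project code). Assumes the dependency-check XML layout
described in the lead-in; parsing is namespace-agnostic so reports from
different dependency-check versions can be merged together.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reports, as two Maven modules of one build would produce.
# The namespace URI is the one dependency-check 6.x writes (assumption);
# the parser strips namespaces, so any version's reports parse the same way.
NS = "https://jeremylong.github.io/DependencyCheck/dependency-check.2.3.xsd"
REPORT_A = f"""<analysis xmlns="{NS}">
  <projectInfo><name>module-a</name></projectInfo>
  <dependencies>
    <dependency><fileName>commons-text-1.9.jar</fileName><sha1>aaaa1111</sha1>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-TEST-0001</name><severity>CRITICAL</severity></vulnerability>
      </vulnerabilities></dependency>
    <dependency><fileName>guava-31.1.jar</fileName><sha1>bbbb2222</sha1></dependency>
  </dependencies>
</analysis>"""
REPORT_B = f"""<analysis xmlns="{NS}">
  <projectInfo><name>module-b</name></projectInfo>
  <dependencies>
    <dependency><fileName>commons-text-1.9.jar</fileName><sha1>aaaa1111</sha1>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-TEST-0001</name><severity>CRITICAL</severity></vulnerability>
        <vulnerability source="NVD"><name>CVE-TEST-0002</name><severity>High</severity></vulnerability>
      </vulnerabilities></dependency>
    <dependency><fileName>some-lib-2.0.jar</fileName><sha1>cccc3333</sha1>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-TEST-0003</name><severity>MEDIUM</severity></vulnerability>
      </vulnerabilities></dependency>
  </dependencies>
</analysis>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def parse_report(xml_text):
    """Return (project_name, [dependency dicts]) for one report."""
    root = ET.fromstring(xml_text)
    project = ""
    for elem in root.iter():
        if _local(elem.tag) == "projectInfo":
            project = _child_text(elem, "name")
            break
    deps = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        # Normalise severity case; reports are not consistent about it.
        vulns = [(_child_text(v, "name"), _child_text(v, "severity").upper())
                 for v in elem.iter() if _local(v.tag) == "vulnerability"]
        deps.append({"fileName": _child_text(elem, "fileName"),
                     "sha1": _child_text(elem, "sha1"), "vulns": vulns})
    return project, deps


def merge_reports(xml_texts):
    """Collapse the same artifact seen in several reports into one entry.

    Keyed by sha1 (falls back to fileName); each entry remembers which
    modules pulled it in and the union of its findings.
    """
    merged = {}
    for text in xml_texts:
        project, deps = parse_report(text)
        for dep in deps:
            key = dep["sha1"] or dep["fileName"]
            entry = merged.setdefault(
                key, {"fileName": dep["fileName"], "projects": set(), "vulns": {}})
            entry["projects"].add(project)
            for name, severity in dep["vulns"]:
                entry["vulns"][name] = severity
    return merged


def severity_distribution(merged):
    """Counts per severity after de-duplication (what a merged report should show)."""
    counts = Counter(sev for entry in merged.values() for sev in entry["vulns"].values())
    return dict(counts)


def naive_distribution(xml_texts):
    """Counts obtained by just adding up each report: shared jars are counted once per module."""
    counts = Counter()
    for text in xml_texts:
        _, deps = parse_report(text)
        counts.update(sev for dep in deps for _, sev in dep["vulns"])
    return dict(counts)


if __name__ == "__main__":
    merged = merge_reports([REPORT_A, REPORT_B])
    for key, entry in merged.items():
        print(key, entry["fileName"], sorted(entry["projects"]), entry["vulns"])
    print("merged:", severity_distribution(merged))
    print("naive :", naive_distribution([REPORT_A, REPORT_B]))
```

Run on the two constructed reports, `merge_reports` yields three artifacts, with commons-text attributed to both modules and both of its findings retained; `severity_distribution` then reports one CRITICAL, one HIGH and one MEDIUM, whereas `naive_distribution` counts the shared CRITICAL finding twice, which is the kind of inflated header count you get when per-module reports are summed rather than merged.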

mecorusfc commented 4 years ago

This is interesting. I was about to report a similar bug, but my expectations are different. If I have 5 XML files from 5 report runs, it (in my opinion) correctly includes 5 links on the left side of the web page. However, it appears that the last one in wins. I expect the 5 links to point to the 5 different web reports. Here is some information from a forum note that I sent this morning: After reading the code a bit, I can see now that this is a bug. Later today I'll report this as a bug. The issue is that DependencyCheckPublisher.java calls an instance of the ResultAction at line 115 but doesn't give it any way to differentiate the display URL. However, it is in a loop over multiple dependency-check XML files designated by a pattern, so the clear intent is to support multiple reports. However, ResultAction defeats that multiple support at line 61 by sending back a hard-coded ending to the URL of the build (the run). If line 115 of DependencyCheckPublisher handed in another argument (perhaps something off the odcReportFile variable, typed hudson.FilePath), then ResultAction could add something from that to the name returned in the getUrlName method. I'll include this in the bug report.

fakoe commented 4 years ago

I have the same problem. I run two dependency checks in two different steps in a Jenkins pipeline script. Each step publishes a report.xml with a different name, but the two "Dependency-Check" buttons still point to the same (the first to finish) report. It would be great if they would fix this.

mprins commented 4 years ago

It would be great if they would fix this.

https://github.com/jenkinsci/dependency-check-plugin is looking for a new maintainer, so "they would fix this" is unlikely to happen any time soon.

selinKamas commented 3 years ago

I have faced the same issue. I have a parent project which has 12 submodules; in Jenkins there were 13 identical reports.

I have fixed it by:

  1. Changing the pom.xml goal from "check" to "aggregate":

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.1.0</version>
  <executions>
    <execution>
      <goals>
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <format>ALL</format>
  </configuration>
</plugin>
```

  2. Changing the Jenkinsfile stage:

```groovy
stage('OWASP analysis') {
    steps {
        print_blue '### OWASP REPORT PUSHING START ###'
        dependencyCheckPublisher pattern: 'target/dependency-check-report.xml'
        print_blue '### OWASP REPORT PUSHING DONE ###'
    }
}
```