jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Solution to scan the environment.yml python dependencies using OWASP Dep Check in Jenkins pipeline #6637

Open Aseem-DevOps opened 2 weeks ago

Aseem-DevOps commented 2 weeks ago

Hi,

I'm using dependency-check version 8.2.0 via a Jenkinsfile, with the set-up below as one of the stages, but every time I look, the report is generated with zero vulnerabilities.

After the SCM checkout, I expected it to consider an environment.yml file which contains the dependencies associated with the Python application. But I am sure it's not getting scanned. So I added --enableExperimental to have this covered from a Python analyzer standpoint.

    stage('OWASP Scan') {
        steps {
            dependencyCheck additionalArguments: ''' -o './' -s './' -f 'ALL' --enableExperimental --prettyPrint''', odcInstallation: 'dependency-checker'
            dependencyCheckPublisher pattern: 'dependency-check-report.xml'
        }
    }

Any help in this regard would be much appreciated.


jeremylong commented 2 weeks ago

We do not currently support conda's environment.yml files yet. We accept PRs if you are interested in contributing.
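Since environment.yml is not read by any analyzer, one way to get the dependencies in front of dependency-check today is to translate the file into a requirements.txt, which the experimental pip analyzer does pick up, and point `--scan` at the directory that holds it. The script below is an added example, not part of the dependency-check project or of this issue; it parses only the YAML subset that environment.yml files actually use (a `dependencies:` block sequence with an optional nested `pip:` list) so it needs no third-party library, and the sample file, the `SKIP_NAMES` set and the `to_requirements` function name are constructed for the example. It assumes that a single `=` in a conda spec should become `==` for pip and that conda build strings have no pip equivalent and are dropped.

```python
"""Translate a conda environment.yml into requirements.txt lines.

Added example (not dependency-check code). A minimal parser for the YAML
subset used by environment.yml files: a top-level `dependencies:` list of
scalars, optionally containing one `pip:` item whose value is another list.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample environment.yml (not taken from the issue).
SAMPLE_ENV_YML = """\
name: myapp
channels:
  - conda-forge
  - defaults
dependencies:
  - python=3.10
  - numpy=1.24.3            # single '=' is a conda version pin
  - requests>=2.28,<3
  - openssl=3.0.8=h166bdaf_0  # build string after the second '='
  - pip
  - pip:
    - flask==2.2.2
    - pyyaml
    - -r extra-requirements.txt
"""

# Interpreter and conda-level tooling, not packages the pip analyzer should see.
# (Assumed set; extend it for your own environments.)
SKIP_NAMES = {"python", "pip", "setuptools", "wheel"}

# name, then optionally an operator and a version; anything after the version
# (a ',<3' range continuation or a '=build' string) lands in `rest`.
CONDA_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)"
    r"(?:\s*(?P<op>==|>=|<=|!=|>|<|=)\s*(?P<ver>[^=,\s]+)(?P<rest>.*))?$"
)


def parse_environment_yml(text: str) -> Tuple[List[str], List[str]]:
    """Return (conda_specs, pip_specs) found under the `dependencies:` key."""
    conda_specs: List[str] = []
    pip_specs: List[str] = []
    in_dependencies = False
    in_pip = False
    pip_indent = 0
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            # Any top-level key starts a new block; only `dependencies:` matters.
            in_dependencies = stripped.startswith("dependencies:")
            in_pip = False
            continue
        if not in_dependencies or not stripped.startswith("- "):
            continue
        item = stripped[2:].strip()
        if in_pip and indent > pip_indent:
            pip_specs.append(item)  # nested list under `- pip:`
            continue
        in_pip = False
        if item == "pip:":
            in_pip = True
            pip_indent = indent
            continue
        conda_specs.append(item)
    return conda_specs, pip_specs


def conda_to_pip(spec: str) -> Optional[str]:
    """Rewrite one conda match spec as a pip requirement, or None to skip it."""
    spec = spec.split("::", 1)[-1]  # strip a `channel::` prefix
    m = CONDA_SPEC_RE.match(spec)
    if not m:
        return None
    name = m.group("name")
    if name.lower() in SKIP_NAMES:
        return None
    op, ver, rest = m.group("op"), m.group("ver"), m.group("rest") or ""
    if op is None:
        return name
    if op == "=":
        op = "=="  # assumption: conda's single '=' pin maps to pip's '=='
    if rest.startswith("="):
        rest = ""  # conda build string: no pip equivalent, drop it
    return f"{name}{op}{ver}{rest}"


def to_requirements(text: str) -> List[str]:
    """Full conversion: conda specs first, then the `pip:` entries verbatim."""
    conda_specs, pip_specs = parse_environment_yml(text)
    reqs: List[str] = []
    for spec in conda_specs:
        converted = conda_to_pip(spec)
        if converted:
            reqs.append(converted)
    for spec in pip_specs:
        if spec.startswith("-"):
            continue  # pip options such as -r / -e / --index-url are not packages
        reqs.append(spec)
    return reqs


if __name__ == "__main__":
    # Usage: python env2req.py environment.yml > requirements.txt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV_YML
    print("\n".join(to_requirements(src)))
```

Run it in the Jenkins stage before `dependencyCheck`, write the output as requirements.txt inside the scanned directory, and keep `--enableExperimental` so the pip analyzer is active. The translation is lossy by design: conda version ranges that pip cannot express and any package that exists only on conda channels will not be matched, so review the generated file rather than treating a clean report as proof the environment is clean.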