To scan the dependencies of my project for known security vulnerabilities, I'm running the org.owasp:dependency-check-maven Maven plugin as part of a Jenkins pipeline build.
The plugin happily creates the report as XML in ${project.build.directory}/security-reports, and now I'd like to have it show up in the Test Results section of my pipeline build. Ideally, it would look like in these screenshots, but plain old xUnit output would probably be fine as well.
Unfortunately, I can't get it to work. I installed the OWASP Dependency-Check Jenkins plugin, which sounds just right according to its documentation. But it seems I cannot figure out how to configure it properly.
I also tried archiving the XML file like regular Junit results from my Jenkinsfile, using junit '**/target/security-reports/*.xml'. But the Junit step doesn't seem to recognise it and complains about not finding any reports.
Can anyone help?
To make Jenkins collect and display results of OWASP Dependency-check you need to have OWASP Dependency-Check plugin installed and to add Post-build Action step "Publish OWASP Dependency-Check analysis results".
You should provide the path to your XML file in settings for this step, by default **/dependency-check-report.xml is used.
Related
I'm working on automating SVN Tag generation through JAVA and need some suggestions to start of with. This is how we do it manually - Check out a maven project/plugin from SVN repo and run a set of maven commands (mvn clean test, mvn release:prepare) to generate SVN tags, mvn release:prepare is the final command that would run unit tests, generate the tag and commit it to SVN and I'm working on automating this process.
I had a look at svnkit api which I can make use of to check out a project to the local file system and find a way to run the set of maven commands to generate tag URL, is there a maven JAVA plugin through which I can trigger maven commands? Or is there a much better way to do this other than JAVA?
I did my research on svn kit but could not find any relevant info to automate the maven process, probably I'm missing out on something.
It seems that you are looking for continuous integration.
I would recommend you to evaluate the use of Jenkins, which can be configured to periodically poll changes from SVN and launch a Maven build. Then, if the build succeeded and you decide to release it, you can perform a Maven release from Jenkins, which would take care of invoking the corresponding Maven goals. You can also configure a post-commit hook in SVN in order to launch a build after each commit.
I'm using eclipse for my IDE. I'm using Maven to build / release my code. Ideally I'd like to only have 1 build engine. To that end I want to make sure that I build/test the code the same way everytime.
However, the Junit View in Eclipse is nice an easy to use. I'd like to keep using it while debugging my tests.
A couple years ago I managed to do this with Intellij IDEA, so I figure something similar should be possible in Eclipse.
How can I build (and hopefully test) with Maven and then view the results of testing in Eclipse?
The maven-surefire-plugin generates reports after executing the tests, that are located by default in target/surefire-reports:
The Surefire Plugin is used during the test phase of the build lifecycle to execute the unit tests of an application. It generates reports in two different file formats:
Plain text files (*.txt)
XML files (*.xml)
By default, these files are generated at ${basedir}/target/surefire-reports.
As such, after the tests are executed, you just need to open those reports in Eclipse by double-clicking them.
If you open the XML reports, Eclipse will, by default, open the JUnit view and you will have the same presentation as you're used to when running the test directly in Eclipse.
I want to add sonarlint plugin to my project. When I build with maven, the plugin should be automatically enabled without my intervention. Is there a way I could do it?
SonarLint is a local plugin that can be embedded in your IDE.
In the plugin setting you can put the "Automatically trigger analysis" in order to have feedback while writing.
In order to perform continuous integration you should use SonarQube, it is possible to integrate it with Jenkins or Codemagic and also with Maven.
It is possible to add SonarQube to your pull requests as well. You can see the doc here
You can find more information about the difference between SonarLint and SonarQube here
I followed the steps on creating a report in eclipse (http://earlwillis.wordpress.com/2012/01/31/getting-started-with-junit-reports/), however the junitreport does not show up Edit configurations section at the end. What do I need to do to fix this?
You need to be using Maven or Ant to be generating the report for you. Maven's Surefire and Surefire report plugins will give you what you need. Alternatively, if you followed the steps in that document as you say, you just need to configure an ant build properly.
I would like to run some validation checks against projects that jenkins builds. The validation checks would run against files from the project being built and report violations. I already have a core java application which can test the file types I require but, being a complete beginner with jenkins I'm unsure where to start with the jenkins integration! Any help is welcome!
You can use ant to call your validation code and fail the build if your validation checks fail. Otherwise you are writing your own Jenkins plugin for this tool you have to run your validation. Anything that fails the ant build also fails the Jenkins build.
I'd try to modify your existing validation application, or make a transformation step that makes it produce files that Jenkins Violations Plugin can scan
https://wiki.jenkins-ci.org/display/JENKINS/Violations
Hopefully you can pretend that your application is e.g. findbugs or one of the already supported checkers by just producing output in the same format.
Violations is frecuently used, as mentioned previously, to collect and present the findings of many other tools: checkstyle, pmd, cpd, findbugs and many others, most of which allow to create custom rules, although not always easily.
Maven plugins Jenkins can launch for specific verifications the output of which you can, of course, grep:
maven dependency plugin. The goals analyze, analyze-dep-mgt, analyze-duplicate are useful to check multiple situations with the project dependencies
maven verifier plugin. Verifies the existence or non-existence of files/directories and optionally checks file content against a regular expression
maven enforcer plugin. To check whether the pom.xml elements satisfy certain rules. How to create your own rules is well documented. And repositories of existing rules exist out there such as: enforcer rules, extra-enforcer rules...