JENKINS-74934: Display project references in OWASP dependency check table #156
Conversation
…play it in the table.
|
what are compileClasspath and testCompileClasspath? Maven project? Modules name? |
It’s whatever the OWASP dependency check plugin inserts into the XML report. In this case it is a Java Gradle project, so the syntax is module colon classpath (test etc). |
|
I re-run job because increments build was not available. I want see change in our environment |
| @@ -131,6 +131,14 @@ public JSONObject transform(List<Finding> findings) { | |||
| vulnReferences.put("filterable", false); | |||
| columns.add(vulnReferences); | |||
|
|
|||
| final JSONObject projReferences = new JSONObject(); | |||
| projReferences.put("name", "dependency.projectReferences"); | |||
| projReferences.put("title", "Project References"); | |||
There was a problem hiding this comment.
Use "Referenced In Projects/Scopes" as title, scope is the part I did not expect in the name of the project. The title should advise about that (as html report does)
| @@ -143,6 +151,9 @@ public JSONObject transform(List<Finding> findings) { | |||
| row.put("dependency.md5", escape(dependency.getMd5())); | |||
| row.put("dependency.sha1", escape(dependency.getSha1())); | |||
| row.put("dependency.sha256", escape(dependency.getSha256())); | |||
| if (CollectionUtils.isNotEmpty(dependency.getProjectReferences())) { | |||
| row.put("dependency.projectReferences", escape(String.join(", ", dependency.getProjectReferences()))); | |||
There was a problem hiding this comment.
comma separated list is not clear. Please render as a ul list
…eferenced In Projects/Scopes' as in the OWASP HTML report.
|
Resulting screenshot after changes from review.
|
Display project references in OWASP dependency check table.
See JENKINS-74934 for more information.
Parse "dependency/projectReferences/projectReference" from the dependency-check XML, available in dependency-check.1.7.xsd through dependency-check.4.0.xsd (latest).
Then display the value in the Dependency-Check Reports table, and also make it filterable (searchable).
Testing done
Added test-case to verify that XML parsing works fine (see
ReportParserTest.testProjectReferences)Deployed plugin to Jenkins installation and verified that the plugin works as intended.
Note that old jobs that were run with a previous version of the dependency-check plugin will not have the project references value populated in the table. It seems like the parsed Java objects are stored for historical jobs, rather than the original XML. However, new jobs will have value, as shown in the screenshot.
Also verified that the new table field is searchable (worked out of the box).
Submitter checklist
Screenshot