
Dependency-Track Jenkins Plugin

The Dependency-Track Jenkins plugin aids in publishing CycloneDX Software Bill-of-Materials (SBOM) to the Dependency-Track platform.

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.

Publishing SBOMs can be performed asynchronously or synchronously.

Asynchronous publishing simply uploads the SBOM to Dependency-Track and the job continues. Synchronous publishing waits for Dependency-Track to finish processing the uploaded SBOM and then retrieves the findings for the build. Synchronous publishing is what makes interactive job trends, per-build findings and the thresholds described below possible.

job trend

findings

Global Configuration

To setup, navigate to Jenkins > System Configuration and complete the Dependency-Track section.

global configuration

Dependency-Track Backend URL: URL to the Backend of your Dependency-Track instance.

API key: API Key used for authentication.

Auto Create Projects: create the project automatically when a job supplies a project name and version instead of a project ID. The API key provided requires the PROJECT_CREATION_UPLOAD permission to use this feature.

Dependency-Track Frontend URL: URL to the Frontend of your Dependency-Track instance. Use this if you run backend and frontend on different servers. If omitted, "Dependency-Track Backend URL" will be used instead.

Polling Timeout: Defines the maximum number of minutes to wait for Dependency-Track to process a job when using synchronous publishing.

Polling Interval: Defines the number of seconds to wait between two checks for Dependency-Track to process a job when using synchronous publishing.

Connection Timeout: Defines the maximum number of seconds to wait for connecting to Dependency-Track.

Response Timeout: Defines the maximum number of seconds to wait for Dependency-Track to respond.

Permission Overview

Permission               Required   Usage
BOM_UPLOAD               yes        uploading the BOM
VIEW_PORTFOLIO           yes        retrieving the list of projects
VULNERABILITY_ANALYSIS   yes        performing the dependency analysis
PROJECT_CREATION_UPLOAD  optional   creating non-existing projects during BOM upload (Auto Create Projects)
VIEW_VULNERABILITY       optional   retrieving analysis results in synchronous publishing mode
PORTFOLIO_MANAGEMENT     optional   updating project properties such as tags

Grant the API key only the optional permissions the job actually uses. A missing permission does not show up at Test Connection; it surfaces as an HTTP 403 from the step that needs it.

Job Configuration

Once configured with a valid URL and API key, simply configure a job to publish the artifact.

job configuration

Dependency-Track project: Specifies the unique project ID to upload SBOM to. This dropdown will be automatically populated with a list of active projects.

Dependency-Track project name: Specifies the name of the project for automatic creation of the project during the upload process. This is an alternative to specifying the unique ID. It must be used together with a project version. Only available if "Auto Create Projects" is enabled. The use of environment variables in the form ${VARIABLE} is supported here.

Dependency-Track project version: Specifies the version of the project for automatic creation of the project during the upload process. This is an alternative to specifying the unique ID. It must be used together with a project name. Only available if "Auto Create Projects" is enabled. The use of environment variables in the form ${VARIABLE} is supported here.

Artifact: Specifies the file to upload. Paths are relative from the Jenkins workspace. The use of environment variables in the form ${VARIABLE} is supported here.

Enable synchronous publishing mode: Uploads an SBOM to Dependency-Track and waits for Dependency-Track to process it and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response. Synchronous mode is possible with Dependency-Track v3.3.1 and higher. The provided API key requires the VIEW_VULNERABILITY permission to use this feature with Dependency-Track v4.4 and newer!

Update project properties: Allows updating of some project properties after uploading the BOM. The provided API key requires the PORTFOLIO_MANAGEMENT permission to use this feature! These properties are:

  • tags
  • SWID tag ID
  • group/vendor
  • description
  • ID of parent project (for Dependency-Track v4.7 and newer)

Override global settings: Allows overriding the global settings for "Auto Create Projects", "Dependency-Track URL", "Dependency-Track Frontend URL", "API key", "Polling Interval" and the various timeouts on a per-job basis.

Thresholds

When synchronous mode is enabled, thresholds can be defined which can optionally put the job into an UNSTABLE or FAILURE state.

risk thresholds

Total Findings: Sets the threshold for the total number of critical, high, medium, low or unassigned severity findings allowed. If the number of findings equals or is greater than the threshold for any one of the severities, the job status will be changed to UNSTABLE or FAILURE.

New Findings: Sets the threshold for the number of new critical, high, medium, low or unassigned severity findings allowed. A finding is new when it was not present in the findings of the previous build. If the number of new findings equals or exceeds the threshold for any one of the severities, the job status will be changed to UNSTABLE or FAILURE. The previous build is the most recent build that succeeded and has a Dependency-Track analysis result, which is not necessarily the immediately preceding build.
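The synchronous flow described above (upload, poll until processing is finished, look up the project, fetch the findings) and the two threshold rules can be pinned down in code. The following Python script is an added illustration written for this page; it is not the plugin's code and does not claim to reproduce the plugin's exact matching logic. It talks to Dependency-Track's REST API through an injectable transport so the whole flow runs offline against a constructed fake server. The endpoints (PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup, GET /api/v1/finding/project/{uuid}) and the X-Api-Key header are Dependency-Track's real API; the finding JSON shape (component, vulnerability, analysis.isSuppressed) is assumed from that API; the threshold dictionary keys, the sample findings, the sample BOM bytes and the fake server's responses are assumptions made up for the example. Each 403 is mapped to the permission from the table above, so a key that is missing VIEW_VULNERABILITY fails with a message that says so instead of a bare "403 Forbidden", and the BOM is base64-encoded from the raw file bytes rather than decoded with the agent's default charset first.

```python
"""Synchronous publish flow and threshold evaluation as the README describes them.
Added illustration, not the plugin's code; HTTP goes through an injectable transport
so the whole flow runs offline against the constructed fake server at the bottom."""
import base64
import time
from typing import Callable, Dict, List
from urllib.parse import urlencode

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNASSIGNED")

class DTError(RuntimeError):
    """Names the permission the key lacks whenever the server answers 403."""

def publish_sync(transport: Callable, api_key: str, name: str, version: str,
                 bom_bytes: bytes, poll_interval: float = 0.0, poll_timeout: float = 5.0):
    """transport(method, path, headers, json_body) -> (http_status, decoded_json)."""
    h = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    # Base64 of the raw file bytes: decoding the file with the agent's default
    # charset first is what fails on non-UTF-8 locales (MalformedInputException).
    body = {"projectName": name, "projectVersion": version, "autoCreate": True,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}
    st, resp = transport("PUT", "/api/v1/bom", h, body)
    if st == 403:
        raise DTError("upload forbidden: key needs BOM_UPLOAD, plus "
                      "PROJECT_CREATION_UPLOAD when autoCreate is on")
    if st != 200:
        raise DTError(f"upload failed: HTTP {st}")
    deadline = time.monotonic() + poll_timeout
    while True:  # poll the upload token until the server is done processing
        st, state = transport("GET", f"/api/v1/bom/token/{resp['token']}", h, None)
        if st != 200:
            raise DTError(f"status poll failed: HTTP {st}")
        if not state.get("processing"):
            break
        if time.monotonic() > deadline:
            raise DTError("polling timeout: BOM still processing")
        time.sleep(poll_interval)
    q = urlencode({"name": name, "version": version})
    st, proj = transport("GET", f"/api/v1/project/lookup?{q}", h, None)
    if st == 403:
        raise DTError("project lookup forbidden: key needs VIEW_PORTFOLIO")
    st, findings = transport("GET", f"/api/v1/finding/project/{proj['uuid']}", h, None)
    if st == 403:  # the bare 403 a key without VIEW_VULNERABILITY produces, named explicitly
        raise DTError("findings forbidden: key needs VIEW_VULNERABILITY")
    # as in the README, drop findings that were previously suppressed
    return proj["uuid"], [f for f in findings if not f["analysis"].get("isSuppressed")]

def finding_key(f: dict) -> tuple:
    """Same component and vulnerability as in the previous build is not 'new'."""
    c, v = f["component"], f["vulnerability"]
    return (c.get("purl") or c["name"], v["source"], v["vulnId"])

def count_by_severity(findings: List[dict]) -> Dict[str, int]:
    counts = dict.fromkeys(SEVERITIES, 0)
    for f in findings:
        sev = str(f["vulnerability"].get("severity", "UNASSIGNED")).upper()
        counts[sev if sev in counts else "UNASSIGNED"] += 1
    return counts

def evaluate(findings: List[dict], previous: List[dict], thresholds: dict) -> dict:
    """thresholds = {"failedTotal": {"CRITICAL": 1}, "unstableNew": {"HIGH": 3}, ...}
    (key names assumed for this example). A count equal to or above its limit trips
    the threshold, FAILURE outranks UNSTABLE, and an absent limit is disabled."""
    seen = {finding_key(f) for f in previous}
    counts = {"Total": count_by_severity(findings),
              "New": count_by_severity([f for f in findings if finding_key(f) not in seen])}
    tripped = [f"{o}{s}:{sev}" for o in ("failed", "unstable") for s in ("Total", "New")
               for sev, limit in thresholds.get(f"{o}{s}", {}).items()
               if limit is not None and counts[s][sev] >= limit]
    status = ("FAILURE" if any(t.startswith("failed") for t in tripped)
              else "UNSTABLE" if tripped else "SUCCESS")
    return {"status": status, "tripped": tripped, **counts}

def make_fake_server(findings: List[dict], permissions: set) -> Callable:
    """Constructed stand-in for Dependency-Track that enforces the permission table."""
    def transport(method, path, headers, body):
        if path == "/api/v1/bom":
            return (200, {"token": "t1"}) if "BOM_UPLOAD" in permissions else (403, {})
        if path.startswith("/api/v1/bom/token/"):
            return 200, {"processing": False}
        if path.startswith("/api/v1/project/lookup"):
            return (200, {"uuid": "p1"}) if "VIEW_PORTFOLIO" in permissions else (403, {})
        if path.startswith("/api/v1/finding/project/"):
            return (200, findings) if "VIEW_VULNERABILITY" in permissions else (403, {})
        return 404, {}
    return transport

def _finding(purl, vuln_id, severity, suppressed=False):  # constructed sample finding
    return {"component": {"name": purl.rsplit("/", 1)[-1].split("@")[0], "purl": purl},
            "vulnerability": {"source": "INTERNAL", "vulnId": vuln_id, "severity": severity},
            "analysis": {"isSuppressed": suppressed}}

SAMPLE_FINDINGS = [_finding("pkg:maven/org.example/lib-a@1.0", "EXAMPLE-1", "CRITICAL"),
                   _finding("pkg:maven/org.example/lib-b@2.1", "EXAMPLE-2", "HIGH"),
                   _finding("pkg:maven/org.example/lib-b@2.1", "EXAMPLE-3", "LOW", True)]
SAMPLE_BOM = b'<?xml version="1.0" encoding="UTF-8"?><bom><!-- \xc3\xb6 --></bom>'  # constructed

if __name__ == "__main__":
    server = make_fake_server(SAMPLE_FINDINGS, {"BOM_UPLOAD", "VIEW_PORTFOLIO", "VIEW_VULNERABILITY"})
    _, current = publish_sync(server, "k", "my-project", "1.0.1", SAMPLE_BOM)
    # pretend the last successful build already recorded the CRITICAL finding
    print(evaluate(current, current[:1], {"failedTotal": {"CRITICAL": 1}, "unstableNew": {"HIGH": 1}}))
```

Note that "previous build" here, as in the README, is the last successful build of the same Jenkins job, whatever project version that build uploaded; the new-findings count is not a comparison between two Dependency-Track project versions.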

Examples

Declarative Pipeline

pipeline {
    agent any

    stages {
        stage('dependencyTrackPublisher') {
            steps {
                withCredentials([string(credentialsId: '506ed685-4e2b-4d31-a44f-8ba8e67b6341', variable: 'API_KEY')]) {
                    dependencyTrackPublisher artifact: 'target/bom.xml', projectName: 'my-project', projectVersion: 'my-version', synchronous: true, dependencyTrackApiKey: API_KEY, projectProperties: [tags: ['tag1', 'tag2'], swidTagId: 'my swid tag', group: 'my group', parentId: 'parent-uuid']
                }
            }
        }
    }
}

Scripted Pipeline

node {
    stage('dependencyTrackPublisher') {
        try {
            dependencyTrackPublisher artifact: 'target/bom.xml', projectId: 'a65ea72b-5b77-40c5-8b19-fb83525f40eb', synchronous: true
        } catch (e) {
            echo 'failed'
        }
    }
}

Copyright & License

Dependency-Track and the Dependency-Track Jenkins Plugin are Copyright © Steve Springett. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.

Changes

Please refer to CHANGELOG.md for a list of changes.

Contributors

basil, bernard-wagner, daniel-beck-bot, dependabot[bot], jenkinsci-cert-ci, llamahunter, malheleco, markewaite, sephiroth-j, stevespringett


dependency-track-plugin's Issues

Update help text to mention the need for the `VIEW_VULNERABILITY` permission when synchronous mode is enabled

Is your feature request related to a problem? Please describe.

  1. Setup Dependency-Track.
    • Frontend version: 4.4.0
    • Backend version: 4.4.2
  2. Configure the Dependency-Track Jenkins plugin (v4.1.1).
  3. Configure the API key with the following permissions.
    • VIEW_PORTFOLIO
    • BOM_UPLOAD
    • PROJECT_CREATION_UPLOAD
  4. Add the pipeline step to upload the BOM file with synchronous mode enabled.
    def projectName = sh script: 'mvn help:evaluate -Dexpression=project.name -q -DforceStdout', returnStdout: true
    def projectVersion = sh script: 'mvn help:evaluate -Dexpression=project.version -q -DforceStdout', returnStdout: true
    
    withCredentials([string(credentialsId: 'dependency-track-api-key', variable: 'API_KEY')]) {
        dependencyTrackPublisher artifact: 'target/bom.xml', projectName: projectName, projectVersion: projectVersion, synchronous: true, dependencyTrackApiKey: API_KEY
    }
    
  5. Pipeline step fails with HTTP error 403.
    [DependencyTrack] Publishing artifact to Dependency-Track - https://xxx.xxx.xxx/
    [DependencyTrack] The artifact was successfully published. You may now navigate to https://xxx.xxx.xxx/projects/ to view the results.
    [DependencyTrack] Polling Dependency-Track for BOM processing status
    [DependencyTrack] Looking up id of newly created project with name "xxx" and version "xxx"
    [DependencyTrack] Processing findings
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // withEnv
    [Pipeline] }
    [Pipeline] // script
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // withEnv
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while retrieving findings - HTTP response code: 403 Forbidden
        at org.jenkinsci.plugins.DependencyTrack.ApiClient.getFindings(ApiClient.java:190)
        at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.publishAnalysisResult(DependencyTrackPublisher.java:302)
        at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.perform(DependencyTrackPublisher.java:279)
        at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:101)
        at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:71)
        at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
    Finished: FAILURE
    
  6. Added the permission VIEW_VULNERABILITY to the API key.
  7. Pipeline step is successful.
    [DependencyTrack] Publishing artifact to Dependency-Track - https://xxx.xxx.xxx/
    [DependencyTrack] The artifact was successfully published. You may now navigate to https://xxx.xxx.xxx/projects/ to view the results.
    [DependencyTrack] Polling Dependency-Track for BOM processing status
    [DependencyTrack] Looking up id of newly created project with name "xxx" and version "xxx"
    [DependencyTrack] Processing findings
    [DependencyTrack] Evaluating new findings against previous build #602
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // withEnv
    [Pipeline] }
    [Pipeline] // script
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // withEnv
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS
    

Describe the solution you'd like

Update the help text in the Pipeline Syntax to mention the need for the VIEW_VULNERABILITY permission to be given to the API key if the synchronous mode is enabled.

This might help someone else set this up.

Additional context


Addition of creating tags, classifier, swid tag id to Jenkins Plugin for Declarative Pipeline Automation

Hi Ronny,
With the current functionality of the Jenkins pipeline, we can create a project and version and upload a BOM to DT, but we would like an enhancement to also create new tags attached to the project, set the classifier and add the SWID tag ID, all with the DTPublisher.

Current functionality....
dependencyTrackPublisher artifact: 'target/bom.xml', projectName: 'my-project', projectVersion: 'my-version', synchronous: true, dependencyTrackApiKey: API_KEY
...

This would help on complete automation with managing multiple instances, without moving to UI dashboard.

how to build the project

Cannot resolve org.jenkins-ci.plugins:credentials:2.6.1.1
Cannot resolve org.jenkins-ci.main:cli:2.289.2
Cannot resolve org.jenkins-ci.main:jenkins-test-harness:1645.vf98fc478f846
Cannot resolve org.jenkins-ci.main:jenkins-war:2.289.2

New findings threshold should be computed using old versions

Describe the bug

When using the plugin to check vulnerabilities in our dependencies, there are two thresholds, the total vulnerabilities and the new findings ones. It seems that the new findings threshold does not take the project version into account.
For example:

  • DT found 10 vulnerabilities in version 1.0.0
  • DT found 1 more vulnerability in version 1.0.1

New findings should be 1, but this is not the case, because our threshold set to 5 failed the build when building version 1.0.1.

Environment

  • Plugin Version: 4.0.0
  • Jenkins Version: 2.303.2 (LTS)
  • Java Version for Jenkins: 11.0.12
  • Type of Jenkins Job: Scripted pipeline
  • Dependency-Track Version: 4.3.6

To Reproduce

Steps to reproduce the behavior:

  1. Upload a BOM with vulnerabilities and project version 1.0.0
  2. Set threshold less than the number of vulnerabilities for new findings
  3. Upload the same BOM and project version 1.0.1

Expected behavior

The new findings should count new vulnerabilities between two versions of the same project

Combine results of multiple dependencyTrackPublisher calls in pipeline

We have a repository with both backend and frontend code. If we publish these as separate DT projects in the same pipeline the last call to the dependencyTrackPublisher step overwrites the previous results. We did try to merge these BOMs but ran into a separate issue with the Jenkins Dependency Track plugin and would rather publish them separately since they have different license policies.

It would be nice if the results displayed in Jenkins could be combined from multiple calls to the dependencyTrackPublisher pipeline step - similar to how the warnings-ng plugin works when recording issues.

Can your plugin also report licence compliance issues?

Hi folks,
I found no answer in your docs on whether the dependency-track-jenkins-plugin can also be used to show license compliance breaches.
It would be great to have some more information about this topic.
Thank you for your great work!

HTTP 403 Forbidden, but curl works fine

Describe the bug

When setting up the plugin configuration, the plugin is unable to authenticate/authorize, and an HTTP 403 Forbidden is returned. If I try to do the same directly using curl, it works just fine.

Environment

  • Plugin Version: 4.3.1
  • Jenkins Version: 2.434
  • Java Version for Jenkins: JDK 17
  • Type of Jenkins Job: scripted pipeline
  • Dependency-Track Version: 4.9.1

To Reproduce

Steps to reproduce the behavior:

  1. Setup the plugin

  2. Click on Test Connection

  3. Run pipeline configured to call dependencyTrackPublisher

Expected behavior

That the SBOM (build/reports/bom.xml) for the Gradle project is published

Additional context

Attached is a screenshot of the plugin configuration.

Jenkins is running in Kubernetes, and so is dependency track. I can see the project fine in Dependency Track on https://dtrack-[xxxxx].dk after manually using curl (POST) to publish on https://[xxxxx].dk/dependency-track.
I have tried with Kubernetes credentials provider and the built in Jenkins credentials, same result.

support classifier assignment from pipeline

Is your feature request related to a problem? Please describe.

We push different types of SBOMs to the D-Track server:

  • containers
  • Java applications
  • frameworks
  • web apps

Jenkins creates the projects within D-Track, and currently every created project must be updated manually to set the correct classifier, which is tedious.

Describe the solution you'd like

Enable the handover for the classifier value like the other properties(parentId, group, swid, etc.):

node {
    stage('dependencyTrackPublisher') {
        try {
            dependencyTrackPublisher artifact: 'target/bom.xml', projectId: 'a65ea72b-5b77-40c5-8b19-fb83525f40eb', synchronous: true, classifier: "Framework"
        } catch (e) {
            echo 'failed'
        }
    }
}

Upload with Parent uuid does not work with 4.10.0

Describe the bug

Since updating to Dependency-Track 4.10.1, setting the parent does not work anymore.

Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 279f47c4-a43f-4de9-b43e-1789bb0d1ab7
org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while updating project with id "2cd3b985-df15-4a23-b84c-373b936f0ef9" - HTTP response code: 500 Server Error
	at org.jenkinsci.plugins.DependencyTrack.ApiClient.updateProject(ApiClient.java:358)
	at org.jenkinsci.plugins.DependencyTrack.ApiClient.updateProjectProperties(ApiClient.java:338)
	at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.updateProjectProperties(DependencyTrackPublisher.java:477)
	at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.perform(DependencyTrackPublisher.java:281)
	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:101)
	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:71)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

In the server:

2023-12-20 08:13:52,589 ERROR [GlobalExceptionHandler] Uncaught internal server error
java.lang.NullPointerException: Cannot invoke "org.dependencytrack.model.Project.isActive()" because "parent" is null
        at org.dependencytrack.persistence.ProjectQueryManager.updateProject(ProjectQueryManager.java:547)
        at org.dependencytrack.persistence.QueryManager.updateProject(QueryManager.java:435)
        at org.dependencytrack.resources.v1.ProjectResource.updateProject(ProjectResource.java:314)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)

Setting the parent in the GUI works fine. I checked that the parent uuid is correct many times.

dependencyTrackPublisher artifact: 'application/target/bom.xml', projectName: 'xxxxx', projectVersion: env.VERSION, synchronous: true, dependencyTrackApiKey: API_KEY, projectProperties: [parentId: 'df83ec82-3750-41a6-892a-175cd1235754']

Expected behavior

No error, and parent is attributed correctly.


[BUG] Error was: Input length = 1 while publishing bom.json in Jenkins pipeline

Describe the bug

The upload of a bom.json of an Angular project to the Dependency-Track server is not possible due to the error:
"[DependencyTrack] An error occurred processing artifact "path_to_file\angular_sbom.json". Error was: Input length = 1"

Environment

  • Plugin Version: 4.2.0
  • Jenkins Version: 2.386
  • Java Version for Jenkins: openjdk 11.0.17 2022-10-18 LTS (Red Hat)
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: 4.6.2
  • cyclonedx/cyclonedx-npm Version: 1.7.2

To Reproduce

Steps to reproduce the behavior (in a declarative pipeline):

  1. Create the bom.json by using: cyclonedx-npm <path_to_angular-project>\package.json --output-reproducible --short-PURLs --output-file angular_sbom.json (using the jenkinsfile)
  2. dependencyTrackPublisher artifact: "${angularOutputFile}", projectName: "${projectName}", projectVersion: "${projectVersion}", synchronous: "${dtSynchronous}", dependencyTrackApiKey: "<top-secret>"
    As you can imagine, the variables are filled correctly. The reason I'm quite sure about it is that it's the same way I upload a bom.json for a NuGet project, and that works fine.

Expected behavior

The bom.json can be uploaded successfully to the Dependency-Track server.

Additional context

  1. Manual upload of the same generated bom.json using the GUI of Dependency-Track or curl is working fine.
  2. If a firewall blocks the communication between Jenkins and the Dependency-Track server, the error occurs too. So it is not a problem of the Dependency-Track server itself.
  3. Additional information can be read at issue 2202 in the dependency-track project.

jenkins result GUI not available


Environment

  • Plugin Version: 5.1.2
  • Jenkins Version: 2.289
  • Java Version for Jenkins: jdk11
  • Type of Jenkins Job: apple swift
  • Dependency-Track Version: none

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...' project job after successful scan and publish
  2. Click on '....'
  3. Scroll down to '....'
  4. See the dependency-check trend graph with zero vulnerabilities, and dependency-check-report.xml can be found in the archive with hundreds of lines of data. However, I am not seeing a link to the result GUI report page anywhere in the Jenkins job.


SBOM upload fails with "Input length = 1" after Jenkins upgrade

Describe the bug

After upgrading the Jenkins controller from 2.332.1 to 2.426.3, the SBOM upload fails with this error.

[2024-02-07T12:30:20.997Z] [DependencyTrack] An error occurred processing artifact "bom.xml". Error was: Input length = 1

The bom in question is a properly encoded utf8 document containing an "umlaut" "ö" encoded as C3B6
Findings:

  • file.encoding on the agent as reported by Jenkins controller: ANSI_X3.4-1968
  • commit e5b9bf8 on master branch already contains a fix (not sure if the actual upload would succeed, though)

Environment

  • Plugin Version: 4.3.0 / 4.3.1
  • Jenkins Version: container jenkins/jenkins:2.426.3-lts-jdk11
  • Java Version for Jenkins:
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: 4.8.2

To Reproduce

Steps to reproduce the behavior:

  • set file.encoding on the agent to ANSI_X3.4-1968 (e.g. by starting the agent with -Dfile.encoding= ...)
  • we extracted code from ApiClient.java and put it into our Groovy helper library to reproduce:

executor.echo("default charset:" + java.nio.charset.Charset.defaultCharset());
final FilePath a = new FilePath(Jenkins.getInstance().getComputer(executor.NODE_NAME).getChannel(), artifact);
// the code used by our plugin version: fails without -Dfile.encoding=UTF-8
//org.apache.commons.codec.binary.Base64.encodeBase64String(a.readToString().getBytes(StandardCharsets.UTF_8));
// the code used on the master branch: does not fail without -Dfile.encoding=UTF-8
java.util.Base64.getEncoder().encodeToString(a.read().readAllBytes());

stack trace produced by above code (unfortunately, the plugin itself does not emit the stack trace)


Also:   hudson.remoting.Channel$CallSiteStackTrace: Remote call to f36usd16
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1787)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
		at hudson.remoting.Channel.call(Channel.java:1003)
		at hudson.FilePath.act(FilePath.java:1230)
		at hudson.FilePath.act(FilePath.java:1219)
		at hudson.FilePath.readToString(FilePath.java:2493)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.base/java.lang.reflect.Method.invoke(Method.java:566)
		at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
		at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
		at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1225)
		at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
		at org.codehaus.groovy.runtime.callsite.PojoMetaClassSite.call(PojoMetaClassSite.java:46)
		at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
		at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
		at com.cloudbees.groovy.cps.sandbox.DefaultInvoker.methodCall(DefaultInvoker.java:20)
		at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:90)
		at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:113)
		at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:78)
		at jdk.internal.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.base/java.lang.reflect.Method.invoke(Method.java:566)
		at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
		at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
		at com.cloudbees.groovy.cps.Next.step(Next.java:83)
		at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:177)
		at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:166)
		at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:136)
		at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:275)
		at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:166)
		at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
		at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
		at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:187)
		at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:420)
		at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$400(CpsThreadGroup.java:95)
		at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:330)
		at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:294)
		at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
		at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
		at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:139)
		at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
		at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
		at jenkins.util.ErrorLoggingExecutorService.lambda$wrap$0(ErrorLoggingExecutorService.java:51)
		at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
		at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
		at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
		at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
		at java.base/java.lang.Thread.run(Thread.java:829)
Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 0ac1403c-503e-450e-b5a7-4fc4f0664734
java.nio.charset.MalformedInputException: Input length = 1
	at java.base/java.lang.StringCoding.throwMalformed(StringCoding.java:707)
	at java.base/java.lang.StringCoding.throwMalformed(StringCoding.java:713)
	at java.base/java.lang.StringCoding.newStringNoRepl1(StringCoding.java:1040)
	at java.base/java.lang.StringCoding.newStringNoRepl(StringCoding.java:1015)
	at java.base/java.lang.System$2.newStringNoRepl(System.java:2214)
	at java.base/java.nio.file.Files.readString(Files.java:3287)
	at hudson.FilePath$ReadToString.invoke(FilePath.java:2501)
	at hudson.FilePath$ReadToString.invoke(FilePath.java:2496)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3616)
	at hudson.remoting.UserRequest.perform(UserRequest.java:211)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:377)
	at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:125)
	at java.base/java.lang.Thread.run(Thread.java:829)

our actual upload call:

dependencyTrackPublisher(
                    artifact: artifact,
                    autoCreateProjects: true,
                    dependencyTrackApiKey: executor.API_KEY,
                    projectName: this.projectArtifactId,
                    projectVersion: uploadVersion,
                    synchronous: false)

Expected behavior

The SBOM should upload correctly.

Additional context

current workaround is to start the agent with -Dfile.encoding=UTF-8

Update Plugin to Support Separate URLs for API and Frontend - Links to Projects do not work without this

I'm running Dependency Track v4.0.1 using Docker where you have a separate URL for the API and another one for the Front End. To get this Jenkins plugin to work with the API you need to specify that URL, this works fine and details are shown in Jenkins on the job.

However the link that suggests to go to Dependency Track for more information, the Project link does not work because it goes to the API URL and not the Frontend URL.

My URLs are as follows:

API: dependency-check-api.domain.com
Frontend: dependency-check.domain.com

I think we just need an option to add in a second FrontEnd URL so the links in the builds will work.

Environment Information

  • Plugin Version: 3.0.2
  • Jenkins Version: 2.263.2
  • Java Version for Jenkins: openjdk 11.0.9.1 2020-11-04
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: 4.0.1

To Reproduce

Steps to reproduce the behavior:

  1. Go to a build which has used Dependency Track
  2. Click on 'Dependency-Track Project'
  3. Link will fail because it has gone to the API URL, the only one it knows about

Expected behavior

Opens up the Dependency Track UI at the correct project.

NOTE: This can be done manually by editing the URL to change it from the API to FrontEnd link but will be solved by having a second FrontEnd URL to be entered in the settings for the plugin

Link to Dependency-Track Server missing "?uuid=" for DT 3.x

Describe the bug

Release 3.0.0 of the plugin introduces new functionality to provide a link "Dependency-Track Project" from a Jenkins build to the matching project in the DT Server.

Clicking on the link displays a blank screen. This is because the URL is missing ?uuid=, e.g.:

https://dependency-track.foo.bar.com/projects/94bef94b-c33c-4064-9531-3810a43f1a16

should be:

https://dependency-track.foo.bar.com/projects/?uuid=94bef94b-c33c-4064-9531-3810a43f1a16

Note that the plugin is getting the value of the uuid correct (ie, 94bef94b-c33c-4064-9531-3810a43f1a16)

Environment

  • Plugin Version: 3.0.0
  • Jenkins Version: 2.263.1
  • Java Version for Jenkins: OpenJDK 1.8.0_262-b10
  • Type of Jenkins Job: classic and scripted pipeline
  • Dependency-Track Version: 3.7.1

To Reproduce

Steps to reproduce the behavior:

  1. Run a job in Jenkins that makes use of Dependency-Track plugin
  2. After build is complete, click on 'Dependency-Track Project'
  3. See problem... the project is not displayed.

Expected behavior

Clicking on the link to 'Dependency-Track Project' should result in display of the project on the DT server.

Additional context

I have not tested the functionality against DT v4.0.0 Beta, but I notice that the format of the URL does not include the ?uuid=. In other words, it looks like the link from Jenkins would work with this version of DT.

Perhaps the plugin could cater for both variants of the URL by using the x-powered-by header returned by DT server?

Extend test connection functionality to account for server-side permissions

Dependency-Track Plugin connection to Dependency-Track server is managed via "Configure System" and is provided with a Test Connection button.

The test connection functionality should be enhanced to account for server-side permissions

eg whether or not PROJECT_CREATION_UPLOAD permission exists when "Auto Create Projects" is checked in Jenkins.

imported from JENKINS-55661

Fails if Dependency-Track API server returns Not Modified

Describe the bug

If one has projects with no modifications, the API server will respond with HTTP status 304 when calling patchProject in the ProjectResource. The ApiClient updateProject in this plugin fails when the response is not 200 and blocks builds when it happens.

Environment

  • Plugin Version: 4.76
  • Jenkins Version: 2.426.2
  • Java Version for Jenkins: 17.0.9
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: 4.10.0

Expected behavior

Should accept getting 304 as well as 200.

Additional context

10:59:59.558 Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 0534db0c-5720-4d62-98db-2437527c2419
10:59:59.558 org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while updating project with id "1d6e9e71-8f91-4892-8116-6723cd53cdee" - HTTP response code: 304 Not Modified

I could surely create a fix and a pull request to fix this, but I already have this #122 and nothing has happened - no feedback, so I'm not sure that help is welcomed.

Workaround:
Add tags to the projectProperties, as there is a bug in the API server that checks for modifications in collections of a project.
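
The failure mode reported above, as an added example that is not the plugin's code and not Dependency-Track's: a PATCH /api/v1/project/{uuid} client in the naive form (anything outside 2xx raises, so a 304 fails the build) next to the fixed form (200 and 304 both mean the project is in the requested state). The server below is a constructed stand-in that only mimics the behaviour the issue describes; the endpoint path and the X-Api-Key header are the ones the Dependency-Track API uses, the project UUID is the one from the log line above, reused as sample data.

```python
"""Treat HTTP 304 Not Modified from PATCH /api/v1/project/{uuid} as success."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed project store keyed by project UUID (sample data, not a real server).
PROJECTS = {
    "1d6e9e71-8f91-4892-8116-6723cd53cdee": {"name": "demo", "version": "1.0"},
}


class FakeDependencyTrack(BaseHTTPRequestHandler):
    """Stand-in API: answers PATCH with 304 when nothing changes, 200 otherwise."""

    def do_PATCH(self):
        uuid = self.path.rsplit("/", 1)[-1]
        length = int(self.headers.get("Content-Length", "0"))
        patch = json.loads(self.rfile.read(length) or b"{}")
        project = PROJECTS.get(uuid)
        if project is None:
            self.send_response(404)
            self.end_headers()
            return
        if all(project.get(key) == value for key, value in patch.items()):
            self.send_response(304)  # nothing to update: the case that broke builds
            self.end_headers()
            return
        project.update(patch)
        body = json.dumps(project).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_server():
    """Start the stand-in API on a free loopback port and return the server."""
    server = HTTPServer(("127.0.0.1", 0), FakeDependencyTrack)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Loopback demo: bypass any http_proxy from the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _patch_request(base_url, api_key, uuid, patch):
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/project/{uuid}",
        data=json.dumps(patch).encode("utf-8"),
        method="PATCH",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
    )


def update_project_naive(base_url, api_key, uuid, patch):
    """Failing pattern: urllib raises HTTPError for every non-2xx status, 304 included."""
    with OPENER.open(_patch_request(base_url, api_key, uuid, patch), timeout=5) as resp:
        return resp.status


def update_project(base_url, api_key, uuid, patch):
    """Fixed pattern: 200 and 304 both mean the project now matches the patch.
    Returns the status code; any other status still raises HTTPError."""
    try:
        with OPENER.open(_patch_request(base_url, api_key, uuid, patch), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return 304
        raise


def http_error_code(func, *args):
    """Call func; return the HTTPError code it raises, or None if it succeeds."""
    try:
        func(*args)
        return None
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    server = start_fake_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    uuid = "1d6e9e71-8f91-4892-8116-6723cd53cdee"
    print("naive client, no-op patch, raises:", http_error_code(update_project_naive, base, "key", uuid, {"name": "demo"}))
    print("fixed client, no-op patch, returns:", update_project(base, "key", uuid, {"name": "demo"}))
    print("fixed client, real change, returns:", update_project(base, "key", uuid, {"version": "1.1"}))
    server.shutdown()
```

The fixed client still raises for 4xx/5xx, so a revoked API key or a missing project keeps failing the build; only the "already up to date" answer is mapped to success.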

Set stage as unstable

Hello, I tried to set the threshold parameters (failed and unstable). When the unstable threshold is exceeded, the stage where I check the dependencies is not marked as unstable.

In the following screenshots you can see pipeline #23 with the actual behaviour and pipeline #24 with the desired behaviour (I forced it with unstable('threshoulds failed!')).

Classic UI
001

Blue ocean UI
002

003

Polling limit exceeded with repositories without dependencies

Describe the bug

After updating Dependency-Track from 4.2.2 to 4.3.1 we receive this error in the pipelines without dependencies.

[DependencyTrack] Polling Dependency-Track for BOM processing status
[DependencyTrack] Polling Dependency-Track for results is taking longer than expected - polling limit exceeded

Environment

  • Plugin Version: 3.1.1
  • Jenkins Version: 2.250
  • Java Version for Jenkins:
  • Type of Jenkins Job: scripted pipeline
  • Dependency-Track Version: 4.3.1

To Reproduce

Steps to reproduce the behavior:

Only in the git repositories without dependencies.
On the BOM.xml upload, after updating the file and creating the project if that is the case, we receive this message:

[DependencyTrack] Polling Dependency-Track for results is taking longer than expected - polling limit exceeded

The BOM.xml file is like this (I deleted some info):

    <?xml version="1.0" encoding="utf-8"?>
    <bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:xxxxxxxxxxxxx" version="1">
      <metadata>
        <timestamp>2021-08-06T09:10:58.715Z</timestamp>
        <tools>
          <tool>
            <vendor>CycloneDX</vendor>
            <name>Node.js module</name>
            <version>2.0.2</version>
          </tool>
        </tools>
        <component type="library" bom-ref="pkg:npm/api@1.174.0">
          <name>api</name>
          <version>1.174.0</version>
          <description><![CDATA[Repository containing the specification for the API.]]></description>
          <licenses>
            <license>
              <id>ISC</id>
            </license>
          </licenses>
          <purl>pkg:npm/api@1.174.0</purl>
          <externalReferences>
            <reference type="website">
              <url>https://api#readme</url>
            </reference>
            <reference type="vcs">
              <url>git+ssh://git@api</url>
            </reference>
          </externalReferences>
        </component>
      </metadata>
      <components/>
    </bom>

I updated the Polling Timeout, with the same error.

Expected behavior

In the previous version 4.2.2 with the same BOM.xml file the process works fine.

[DependencyTrack] Polling Dependency-Track for BOM processing status
[DependencyTrack] Looking up id of newly created project with name "api" and version "latest"
[DependencyTrack] Processing findings

Implement Support for SBOM Quality Score Tool (sbomqs)

Is your feature request related to a problem? Please describe.

A DT server with several hundred projects will often have a real variance in BOM quality. This might be caused by a number of things:

  • Different ecosystems means different tools generating the BOM... Gradle, Maven, etc.
  • Out-of-date version of tools generating the BOM. eg, two Maven projects both reporting BOM version is 1.4 in DT but one is generated using an older version of the cyclonedx-maven-plugin and thus may be lower quality
  • Up-to-date plugin generates BOM... but is incorrectly configured for (say) schemaVersion. Thus, one might get two projects with same out-of-date schemaVersion but one generated with latest plugin has higher quality

Describe the solution you'd like

Incorporate the sbomqs tool into the DT Jenkins plugin. This will allow for several pieces of functionality:

  • Calculation of BOM Quality Score
  • Option to fail a build (or mark it unstable) based on BOM quality (score)
  • Creation of quality score labels in Dependency-Track
  • Reporting of scoring output as a report in Jenkins so that one can see WHY a score is low (especially if it is causing the build to fail)

Additional context

Here is a screenshot showing labels in DT that have been created by sbomqs

sbomqs-tags

The tool will take care of removing old tags... important if (say) an upgrade of the tool that generates the BOM improves the score.

Using the dependency-track-plugin behind an (authenticating) proxy

Is your feature request related to a problem? Please describe.

In our setup, Jenkins is running on premise, so the build agents need to go through an authenticating proxy in order to access the Dependency-Track instance hosted in the cloud.
While the Jenkins agents/build workers can access the Dependency-Track API using the default system proxy, the dependency-track-plugin apparently does not support using a proxy for the SBOM upload. It tries to do a direct connection, and in our case fails because it cannot perform DNS resolution (as any allowed traffic out of the Jenkins network is via an http/s proxy).

Describe the solution you'd like

Make the plugin either check for (and use) the default system proxy - or use the jenkins proxy configuration.

Additional context

See https://github.com/jenkinsci/dependency-track-plugin/blob/e7e4409570ee0d2eb31ba7ade5ecedb5b817f436/src/main/java/org/jenkinsci/plugins/DependencyTrack/ApiClient.java#L95C58-L95C68 (no proxy config)
vs. proxy usage in a different plugin
https://github.com/jenkinsci/oic-auth-plugin/blob/742fe576f1d406cf996fe5469a88e1940d963838/src/main/java/org/jenkinsci/plugins/oic/JenkinsAwareConnectionFactory.java#L27

Add Support for Identification of Aliases

Is your feature request related to a problem? Please describe.

With the introduction of support for vulnerability aliasing in Dependency-Track, the plugin is now reporting a different metrics total than DT itself.

image

This has led to user confusion.

Describe the solution you'd like

The metrics in the plugin should match the metrics in DT. Ideally, the report in Jenkins should handle aliases so that things match up.

Additional context

I have not tested whether the plugin "risk gateway" is impacted by aliases, i.e. if one could set a threshold at (say) 2 x high severity vulns and fail the build when there is only one (but it has one or more aliases). I will test... and then update this issue.

GitHub CI build fails in the sonar-maven-plugin

The CI build fails in the sonar-maven-plugin for the pull requests - which, as I see it, isn't caused by the branches in the pull requests.

Error: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project dependency-track: Unable to load component class org.sonar.scanner.report.MetadataPublisher: Unable to load component class org.sonar.scanner.rule.QualityProfiles: Failed to load the quality profiles of project 'org.jenkins-ci.plugins:dependency-track': closed -> [Help 1]

Difference between dependency-track-plugin and dependencytrack frontend

Describe the bug

I have run the mvn org.cyclonedx:cyclonedx-maven-plugin:2.5.1:makeBom on a maven project to generate the sbom and published it to the dependencytrack api.

I can see different results in the "result" of the dependencytrack plugin and in the frontend. I have attached the results.

Maybe it is a misconfiguration on my side.

Environment

  • Plugin Version: 3.1.1
  • Jenkins Version: 2.306
  • Java Version for Jenkins: 11
  • Type of Jenkins Job: scripted pipeline
  • Dependency-Track Version: 4.3.2

To Reproduce

Steps to reproduce the behavior:

  1. Go to:
    mvn org.cyclonedx:cyclonedx-maven-plugin:2.5.1:makeBom on a maven project (default settings)
    dependencyTrackPublisher artifact: 'target/bom.json'

  2. Click on '....'

  3. Scroll down to '....'

  4. See error

Expected behavior

The dependencytrack report should show the same result as the dependencytrack frontend

Additional context

I have added two hardcopies of the two different results. As you can see I have run the job more than once. I also created a new project in the dependencytrack frontend to avoid some caching problems.

Thank you for your help.

Screenshot 2021-08-13 at 14 21 47

Screenshot 2021-08-13 at 14 22 32

Specify the Parent for the project

Is your feature request related to a problem? Please describe.

When a new project is created (e.g. a new version is created) the parent cannot be specified.

Describe the solution you'd like

I would like to either specify the parent of the new project or the system creates it automagically by finding an existing "version" and then making a copy / new version.

Currently I plan to update the "snapshot version" periodically. When I create a release I want the plugin to create a new project with a new version under the same parent.

Produce a report of the dependency track findings

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like

Once the result of the findings by Dependency Track are received, Jenkins should produce a report for external forwarding to stakeholders

Additional context

See PR-146

Is it possible to fail Jenkins on a specific critical finding instead of a Critical integer value?

Is your feature request related to a problem? Please describe.

I have a scenario where I need to fail my Jenkins build on a particular critical finding. Let's say I have 5 critical findings and I need to break my Jenkins build on just 1 critical issue.
The reason is that, in the dependencyTrackPublisher stage, we have the option to define values like failedNewCritical etc., but that works on the number of critical, medium, total issues etc.
I need to break the build if one of the critical issues is, let's say, an old version of log4j still being used.

Describe the solution you'd like

If we can also pass some other config which matches the below vulnerability data and we can break the build.
image

Note: The reason is that, if we set the build failure on a numeric value of newCritical, medumCritical etc., then those builds will start failing and we don't want that for now. Instead, we need something where we can just stop the Jenkins build if a matching issue is found, and this matching can be passed as config in the Jenkins dependencyTrackPublisher stage, similar to/along with the numeric values passed as shown below.
image

Maybe I can specify failedTotalCritical: 1 and listOfFindingFailedTotalCritical = [{name="log4j", version=["1.2.14","1.2.17"]},{name="snakeyaml", version=["1.17"]}]; if this is matched, then the Jenkins build should stop execution, and it should pass otherwise (even though I have other critical issues).

Additional context

I may be wrong; if this solution already exists, please suggest.
I checked the code though, and I couldn't find any trace of my requirement.
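
The gate the reporter asks for, as an added example that is neither the plugin's code nor a feature it has: a stand-alone policy check a pipeline could run over the findings it fetches from Dependency-Track, failing only on listed component/version pairs rather than on a severity count. The finding shape assumed here (each entry carrying "component" {name, version}, "vulnerability" {vulnId, severity} and "analysis" {isSuppressed}) is how the /api/v1/finding/project/{uuid} response is laid out as far as I know; treat the exact keys as an assumption to verify against your server version. The sample findings are constructed; CVE-2019-17571 is the real log4j 1.2.x deserialization issue, the EXAMPLE-* ids are placeholders.

```python
"""Fail a build on specific component findings rather than on a severity count."""

SEVERITY_ORDER = ["UNASSIGNED", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# The reporter's example policy, as data.  A rule without "version" matches
# every version of that component.
BLOCKLIST = [
    {"name": "log4j", "version": ["1.2.14", "1.2.17"]},
    {"name": "snakeyaml", "version": ["1.17"]},
]

# Constructed sample findings in the assumed shape of the DT finding API.
SAMPLE_FINDINGS = [
    {"component": {"name": "log4j", "version": "1.2.17"},
     "vulnerability": {"vulnId": "CVE-2019-17571", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "log4j", "version": "1.2.14"},
     "vulnerability": {"vulnId": "CVE-2019-17571", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": True}},           # audited away in DT
    {"component": {"name": "snakeyaml", "version": "1.33"},
     "vulnerability": {"vulnId": "EXAMPLE-0002", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},          # listed name, unlisted version
    {"component": {"name": "jackson-databind", "version": "2.9.8"},
     "vulnerability": {"vulnId": "EXAMPLE-0003", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": False}},          # critical, but not on the list
]


def rule_matches(component, rule):
    """Name must match (case-insensitive); if the rule lists versions, the
    component version must be one of them."""
    if component.get("name", "").lower() != rule["name"].lower():
        return False
    versions = rule.get("version")
    return not versions or component.get("version") in versions


def severity_rank(severity):
    """Position in SEVERITY_ORDER; unknown labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def blocked_findings(findings, blocklist=BLOCKLIST, min_severity="CRITICAL",
                     skip_suppressed=True):
    """Findings that hit the blocklist at or above min_severity.  Suppressed
    findings are skipped by default so an audit decision made in DT is honoured."""
    threshold = severity_rank(min_severity)
    hits = []
    for finding in findings:
        if skip_suppressed and finding.get("analysis", {}).get("isSuppressed"):
            continue
        severity = finding.get("vulnerability", {}).get("severity", "UNASSIGNED")
        if severity_rank(severity) < threshold:
            continue
        if any(rule_matches(finding.get("component", {}), rule) for rule in blocklist):
            hits.append(finding)
    return hits


def build_verdict(findings, **policy):
    """("FAILURE", [reasons]) when a blocked finding is present, else ("SUCCESS", []).
    The reasons are what a pipeline would print before failing the build."""
    hits = blocked_findings(findings, **policy)
    reasons = [
        "{}@{}: {} ({})".format(
            hit["component"]["name"], hit["component"]["version"],
            hit["vulnerability"]["vulnId"], hit["vulnerability"]["severity"])
        for hit in hits
    ]
    return ("FAILURE" if hits else "SUCCESS"), reasons


if __name__ == "__main__":
    verdict, reasons = build_verdict(SAMPLE_FINDINGS)
    print(verdict)
    for line in reasons:
        print("  blocked:", line)
```

Run against the sample data, only log4j 1.2.17 fails the build: the other critical finding is not on the list, the listed snakeyaml name has an unlisted version, and the suppressed log4j 1.2.14 finding is left to the audit decision recorded in Dependency-Track.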

Analysis result information not shown when CSRF Protection is turned off

Describe the bug

"Dependency-Track Trend", "Dependency Analysis Summary" and "Dependency-Track Report" fields are empty when the CSRF Protection is turned off in Jenkins security settings.
getFindingsJson and getSeverityDistributionTrend returns HTTP 500 when called, the only logged message is a SecurityException (failed to pass the crumb test).

Environment

  • Plugin Version: 4.0.0 (the problem was not present in 3.1.1)
  • Jenkins Version: 2.289.2
  • Java Version for Jenkins: openjdk 11.0.13
  • Dependency-Track Version: 4.3.4

To Reproduce

Steps to reproduce the behavior:

  1. Turn off "CSRF Protection" (Jenkins/Configure Global Security) - set a System property with name "hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION" and value "true".
  2. Navigate to a job/build where the Dependency Track plugin was executed, click on "Dependency-Track Report".
  3. The report is empty.
  4. In the Jenkins log you can see an error message regarding the crumb test, detailed in "Additional context".

Expected behavior

Dependency-Track analysis results should be shown even when the CSRF protection is turned off.

Additional context

The plugin works as expected as soon as I enable the CSRF protection.

Screenshots showing the empty fields:
image
image
image

The only log generated for the issue:

Jan 11, 2022 3:43:48 PM WARNING hudson.init.impl.InstallUncaughtExceptionHandler handleException
Caught unhandled exception with ID <exception_guid>
java.lang.SecurityException: Request failed to pass the crumb test (try clearing your cookies)
at org.kohsuke.stapler.CrumbIssuer.validateCrumb(CrumbIssuer.java:46)
at hudson.security.csrf.CrumbIssuer$1.validateCrumb(CrumbIssuer.java:182)
at org.kohsuke.stapler.MetaClass$JavaScriptProxyMethodDispatcher.doDispatch(MetaClass.java:620)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:457)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:834)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
at org.kohsuke.stapler.Stapler.service(Stapler.java:201)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.plugins.audit_trail.AuditTrailFilter.doFilter(AuditTrailFilter.java:112)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:211)
at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.plugins.locale.LocaleFilter.doFilter(LocaleFilter.java:42)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:117)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92)
at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
at java.base/java.lang.Thread.run(Thread.java:829)

How to use Jenkins project name/version variable on maven job to use in auto create project on dependency tracker

How do I use the Jenkins project name/version variables of a Maven job in the GUI configuration for auto-creating the project in Dependency-Track?

[DependencyTrack] The artifact was successfully published. You may now navigate to https://dtrack.example.com/projects/ to view the results.
[DependencyTrack] Polling Dependency-Track for BOM processing status
[DependencyTrack] Looking up id of newly created project with name "${pom.artifactId}" and version "${pom.version}"
[DependencyTrack] Processing findings

This creates a project with name as "${pom.artifactId}" and version as "${pom.version}" on Depencendy track GUI.

How do I do variable substitution in the Jenkins Maven job GUI configuration?

Can you please update this in the documentation too?

Thanks,

Plugin Creation and Addition of Tags

Dependency-Track Server allows projects to be provided with tags. This is a very useful way of slicing and dicing projects by team, customer, environment, etc., e.g.

/projects/?tag=java

It would be useful if the Jenkins Dependency-Track plugin supported the specification of tags.

The ability to add an existing tag or to create and add a new tag might be best controlled by permissions, something requested in Dependency-Track Issue #586.

For instance, I would prefer to see a build fail with a permissions issue (and a good error message) when attempting to use a tag that does not already exist in DT.

The implementation should also support lowercasing of tags (see also Dependency-Track Issue #238) so that when JAVA is specified in the plugin, what is actually used in DT is java.

imported from JENKINS-61741

Report does not render correctly in Firefox

Describe the bug

The "Dependency Track Report" that is displayed within Jenkins seems to render fine using Chrome Browser & Microsoft Edge (tested both with v87) but does not render correctly when using Firefox (tested with v83.0)

image

Environment

  • Plugin Version: 3.0.0
  • Jenkins Version: 2.263.1
  • Java Version for Jenkins: OpenJDK 1.8.0_262-b10
  • Type of Jenkins Job: classic and scripted pipeline
  • Dependency-Track Version: 3.7.1
  • Browser: Firefox 83.0

To Reproduce

Steps to reproduce the behavior:

  1. Run a job in Jenkins that makes use of Dependency-Track plugin
  2. After build is complete, click on 'Dependency-Track Report' whilst using Firefox browser
  3. Report renders per screenshot above
  4. View the report using either Chrome or Edge browser... rendering seems fine.

Expected behavior

Report should render correctly on Firefox as well as on Chrome or Edge (did not test with other browsers).

Support multiple dependency checks per project

Is your feature request related to a problem? Please describe.

For projects having multiple sub-projects inside, fe/be codes, different modules etc, it's not logical to do a single dependency check since not every project is dependent to each other. However, in Jenkins, if you run dependency check multiple times, all of them are stored under same name so you can see that there're multiple dependency checks but both redirect to same page

Describe the solution you'd like

Allow defining a name for the run so multiple dependency check results can be accessed properly.

Additional context

Screen Shot 2021-01-21 at 12 42 57 PM

Jenkins plugin cannot connect to dependency-track API

Describe the bug

A clear and concise description of what the bug is.

Environment

  • Plugin Version: 3.1.1
  • Jenkins Version: 2.289
  • Java Version for Jenkins: jdk11
  • Type of Jenkins Job: scan apple swift code
  • Dependency-Track Version: 4.4.1

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...' Jenkins --> system configuration --> dependency-track
  2. Scroll down to '....' dependency-track section,
  3. add url (http://x.x.x.x:8080) and access token via jenkins secret text
  4. click on test connect
  5. See error:
    405 Not Allowed
    nginx/1.20.2

Expected behavior

test pass

Additional context

Had added all permission to the automation team and used the automation team API Key

ProjectId is overridden on new Project with synchronous result

Describe the bug

When uploading results to Dependency-Track (using projectName and projectVersion, each time with a different version, and with synchronous result) the ProjectId is overridden.

After the upload the Project id is now pinned to that Project so new version are ignored.

Environment

  • Plugin Version: 4.1.1

To Reproduce

Steps to reproduce the behavior:

  1. Configure Plugin with projectName and projectVersion (ignore ProjectId)
  2. Upload first version (now the Project id should be configured)
  3. Upload second version
  4. Result is published to the first Project

Expected behavior

A plugin configured with projectName and projectVersion should keep this setting and not use the projectId in further requests.

Additional context

i think this is the broken part:

projectId = apiClient.lookupProject(effectiveProjectName, effectiveProjectVersion).getUuid();

Clone Audit History

Issue - Feature Request
When publishing a new version to Dependency Track of an existing project, the audit history is not cloned. When you add a new version in the UI you have the option to clone various data. Are there properties available to enable this using the Jenkins plugin? (Could be that I overlooked this in the documentation)

image

Use case:
Project v1.0.0 has 15 vulnerabilities. Various audit trails and statuses have been added to the project version. New version Project v1.0.1 is published but all the auditing info needs to be re-added.

Used Versions
Dependency-Track v4.3.6
OWASP Dependency-Track Plugin v4.0.0

Request Tier 2 Plugin for Dependency Track CloudBees

Current Behavior
Description: I'm requesting the development of a Tier 2 plugin for Dependency Track that integrates with CloudBees.
Current Dependency Track plugin version: Version: 4.3.1
Tier 3: Community
Plugin ID: dependency-track
Minimum Jenkins required: 2.289.2
Last released: 8 months, 28 days ago

Proposed Behavior
Tier 2 or Tier 1

Prevent build from failing if error occurs

Could you add an option in global, per-job and pipeline configurations to prevent the build from failing if an error occurs for whatever reason, for example during the communication with the Dependency-Track instance?
Failing a long build almost completed is very frustrating.

If you want to elaborate on it, you could add the option to select how to mark the build: success, unstable or failure (default, now).

Dtrack-API with contextpath not accessible

Describe the bug

When the Dependency-Track API is deployed behind a proxy with an added context path, the current master version of the dependency-track-plugin is unable to access it. It is already not working when testing the connection on the "Configure Jenkins" page.
Examples:
configured Dependency-Track Backend URL: https://xyz.com/dtrack-api
expected generated test url: https://xyz.com/dtrack-api/api/v1/project
current wrong generated url: https://xyz.com/api/v1/project

with that a 404 is returned and the plugin is not usable anymore.

Environment

  • Plugin Version: master 5.0.0-SNAPSHOT
  • Jenkins Version: 2.387.3
  • Java Version for Jenkins: 11
  • Type of Jenkins Job: declarative pipeline (but should not matter)
  • Dependency-Track Version: 4.8.0

To Reproduce

Steps to reproduce the behavior:

  1. Set up dtrack-api with a context path
  2. Configure the plugin with the URL
  3. Test the connection
  4. See the error

Expected behavior

dependency-track-plugin honours the context path when building URLs

Explanation of upload error "Error was: Input length = 1"

Describe the bug

We are building the SBOM manually in our Jenkins pipeline with cdxgen and then using the plugin to upload it to Dependency Track. It is working successfully in another job, but for some reason we are getting this error:

image

Earlier in the pipeline we can see that bom.json is generated, has a non-zero file size and is sitting in the same directory referenced above:
image

Can you provide guidance on troubleshooting this error?

Environment

  • Plugin Version: 4.3.1
  • Type of Jenkins Job: pipeline

Project create / update

Hello, I'm evaluating Dependency-Track and the Dependency-Track Jenkins plugin to collect and analyze vulnerable components for Docker images and Node, Python, .NET Core and Java applications. At the moment I'm facing an issue with how to handle project updates when a CI pipeline runs.

My idea is to handle a project for each deployment environment with its own version. Something like this:

project     version
demo-test   0.1.0-alpha.11-12
demo-stg    0.1.0-rc-8.13
demo-prod   0.1.0-12

However, with the current behaviour of the Jenkins plugin I cannot obtain that kind of project organization; instead I get something like this:

project     version
demo-test   0.1.0-alpha.11-12
demo-test   0.1.0-alpha.13-13
demo-test   0.1.0-alpha.17-14
demo-stg    0.1.0-rc-8.13
demo-prod   0.1.0-12

Is there any way to configure the plugin so that it works with the following steps?

  • find the project by name
  • if it exists, get the UUID -> upload the BOM -> patch the version of the project
  • if it does not exist, upload the BOM with the project name, project version and "create project" set to true

Thanks in advance
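The create-or-update flow requested above, combined with context-path-preserving URL building (the proxy bug reported earlier on this page), as an added Python example that is not the plugin's own code. It assumes the Dependency-Track 4.x REST endpoints (`GET /api/v1/project?name=`, `PUT /api/v1/bom` with a base64 BOM, `PATCH /api/v1/project/{uuid}`, authenticated by the `X-Api-Key` header) and talks to a constructed in-memory stand-in instead of a real server.

```python
import base64
from urllib.parse import quote, urlsplit, urlunsplit

def api_url(backend_url, path, query=""):
    # Keep any context path (e.g. /dtrack-api); the bug above built URLs from the host only.
    p = urlsplit(backend_url)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + path, query, ""))

class DTrackClient:
    # transport(method, url, headers, body) -> (status, json); endpoints as assumed for DT 4.x.
    def __init__(self, backend_url, api_key, transport):
        self.backend_url, self.transport = backend_url, transport
        self.headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    def _call(self, method, path, body=None, query=""):
        return self.transport(method, api_url(self.backend_url, path, query), self.headers, body)
    def find_project(self, name):
        status, projects = self._call("GET", "/api/v1/project", query="name=" + quote(name))
        # `name` is a filter, not an exact match, so pick the exact hit ourselves
        return next((p for p in projects if p["name"] == name), None) if status == 200 else None
    def publish(self, name, version, bom_bytes):
        bom = base64.b64encode(bom_bytes).decode("ascii")
        found = self.find_project(name)
        if found is None:  # let the server create it (API key needs PROJECT_CREATION_UPLOAD)
            body = {"projectName": name, "projectVersion": version, "autoCreate": True, "bom": bom}
            return "created" if self._call("PUT", "/api/v1/bom", body)[0] == 200 else "error"
        status, _ = self._call("PUT", "/api/v1/bom", {"project": found["uuid"], "bom": bom})
        if status == 200:  # same project (and uuid), only its version moves on
            status, _ = self._call("PATCH", "/api/v1/project/" + found["uuid"], {"version": version})
        return "updated" if status == 200 else "error"

class FakeDTrack:
    # Constructed in-memory server (runs offline); 404s when the context path is missing, as above.
    def __init__(self):
        self.projects = {}
    def __call__(self, method, url, headers, body):
        path = urlsplit(url).path
        if not path.startswith("/dtrack-api/api/v1/"):
            return 404, None
        path = path[len("/dtrack-api"):]
        if (method, path) == ("GET", "/api/v1/project"):
            return 200, list(self.projects.values())
        if (method, path) == ("PUT", "/api/v1/bom") and body.get("autoCreate"):
            uuid = "uuid-%d" % (len(self.projects) + 1)
            self.projects[uuid] = {"uuid": uuid, "name": body["projectName"], "version": body["projectVersion"]}
            return 200, {}
        if (method, path) == ("PUT", "/api/v1/bom"):
            return (200, {}) if body.get("project") in self.projects else (404, None)
        if method == "PATCH" and path.startswith("/api/v1/project/"):
            self.projects[path.rsplit("/", 1)[1]].update(body)
            return 200, {}
        return 404, None
```

Publishing `demo-test` twice with different versions leaves one project whose version was patched, while a client configured without the `/dtrack-api` context path only ever sees 404s.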

I don't want to show Dependency-Track Project on Jenkins

I have integrated Dependency-Track with Jenkins, but I want to show only the vulnerability report (Dependency-Track Report) in the Jenkins pipeline; I don't want to show the link to the project in the application (Dependency-Track Project).
image

Therefore I also don't want to show the text "These results may not be up to date. Please visit the Dependency-Track project page for most recent results".
image

Is it possible to do it?
I tried changing the permissions in the Teams section, but if I try to remove "View_Vulnerability/View_Portfolio" the Dependency-Track Report is also removed (but I want this).

dependencyTrackPublisher not recognized as a build step

Describe the bug

When creating a pipeline job, the dependencyTrackPublisher is not recognized as a build step.

Environment

  • Plugin Version: 4.2.1-SNAPSHOT
  • Jenkins Version: 2.332.2
  • Java Version for Jenkins: 8
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: 4.x

To Reproduce

Steps to reproduce the behavior:

  1. Create a pipeline job
  2. click on the Pipeline Syntax link at the bottom
  3. Click on the drop down for Sample Step
  4. See that dependencyTrackPublisher does not appear

Expected behavior

It should appear

Additional context

If you try to run an existing job that contains it, you will get an error that the step is not known to the DSL.

Get Artifact from outside the workspace

Is your feature request related to a problem? Please describe.

I'm having problems with saving the artifact right in the workspace, which crashes some of the following gates in the pipeline. I tried saving to /tmp/ but the plugin doesn't read it.

Error was: Input length = 1

Describe the bug

From jenkins stage:

        stage('Dtrack') {
            steps {
                dependencyTrackPublisher artifact: "${APP_DIR}/${BOM_FILE}",
                failedTotalCritical: 1,
                failedTotalHigh: 1,
                projectName: OCP_APP_NAME,
                projectVersion: "${params.APP_BRANCH}",
                synchronous: true
            }
        }

We get an error:
[DependencyTrack] An error occurred processing artifact "/opt/jenkins/workspace/NDR_DTRACK/dtrack-dotnet6/dep-track/bom.xml". Error was: Input length = 1

Environment

  • Plugin Version: OWASP Dependency-Track Version 4.1.1
  • Jenkins Version: Jenkins 2.375
  • Java Version for Jenkins:
    openjdk 11.0.2 2019-01-15 LTS
    OpenJDK Runtime Environment 18.9 (build 11.0.2+7-LTS)
    OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+7-LTS, mixed mode, sharing)
  • Type of Jenkins Job: declarative pipeline
  • Dependency-Track Version: Dependency-Track v4.7.0

Expected behavior

Expect to upload bom file without errors.

Support threshold for "unassigned" vulnerabilities

Is your feature request related to a problem? Please describe.

At the moment it is not possible to specify thresholds for vulnerabilities of "unassigned" category. I'm assuming this is intended behavior, since "unassigned" vulnerabilities are kind of in limbo.

However, I'm not 100% sure if those should be ignored. In practice, there are some yet unclassified but already confirmed vulnerabilities that go unnoticed. For instance, very recently we faced https://nvd.nist.gov/vuln/detail/CVE-2023-1370, which is unclassified at the moment. That vulnerability was already acknowledged and fixed by the vendor.

In our case, it flew under the radar until someone realized we were building/releasing with vulnerabilities.

Describe the solution you'd like

As it is done for other vulnerability categories, I would like to be able to specify thresholds for the "unassigned" vulnerabilities.

Let me know what you think about this solution, or if you recommend another way of dealing with this situation.
If you think this should be implemented, I can work on a MR.

Add the possibility to assign (newly created) projects to a team

In my company there is a strict separation between projects, so we are using the portfolio access control in Dependency-Track quite heavily. We do have administrators that could assign projects to teams, but our teams would like feedback asap. Therefore it would be nice to have the option in this plugin to assign a project to a team automatically.

The solution would be to add a textbox in the UI where users can add the name of their team, which will then be located in the list of teams and a mapping with the project (either new or existing) is created.
