Setting a quality gate with OWASP Dependency Check for CVEs with CVSS score higher than 7. See details in https://blog.gypsyengineer.com/en/security/integrating-owasp-dependency-check.html
// Build-script classpath: the Spring Boot and OWASP Dependency Check Gradle
// plugins are resolved from Maven Central before any plugin is applied below.
buildscript {
    def springBootVersion = '2.0.1.RELEASE'
    def dependencyCheckVersion = '3.1.2'

    repositories { mavenCentral() }

    dependencies {
        classpath "org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}"
        classpath "org.owasp:dependency-check-gradle:${dependencyCheckVersion}"
    }
}

// Apply the plugins in the same order as before: java, idea, Spring Boot,
// Spring dependency management and finally OWASP Dependency Check.
['java',
 'idea',
 'org.springframework.boot',
 'io.spring.dependency-management',
 'org.owasp.dependencycheck'].each { pluginId ->
    apply plugin: pluginId
}
// Coordinates of the executable jar built by the Spring Boot plugin.
bootJar.baseName = 'spring-boot-fun'
bootJar.version = '0.0.1'

repositories {
    mavenCentral()
}

// Compile for and target Java 8.
sourceCompatibility = JavaVersion.VERSION_1_8
targetCompatibility = JavaVersion.VERSION_1_8

dependencies {
    // jackson-databind 2.7.3 carries a couple of published vulnerabilities; it is
    // presumably kept at this version so the Dependency Check gate has something
    // to report against.
    compile 'com.fasterxml.jackson.core:jackson-databind:2.7.3'
    compile 'org.springframework.boot:spring-boot-starter-web'
    testCompile 'junit:junit'
}
// OWASP Dependency Check settings

// Analysis errors (for example a failed vulnerability-data update) do not fail
// the build, to keep Jenkins builds stable. Caveat: when the analysis itself
// errors out there are no findings for the gate below to act on, so the build
// passes; check the plugin log or the Jenkins report for analysis errors rather
// than relying on the build status alone.
dependencyCheck.failOnError = false

// The Jenkins plugin consumes the XML report while people read the HTML one;
// 'ALL' produces every supported report format.
dependencyCheck.format = 'ALL'

// Quality gate for high-severity findings. The gist treats a finding as high
// severity when its CVSS score is above 7 and fails the build on such findings.
// NOTE(review): current plugin versions compare the score with this threshold
// inclusively (score >= 7 fails) — confirm the exact comparison for 3.1.2.
dependencyCheck.failBuildOnCVSS = 7

// Findings excluded from the gate: false positives, plus confirmed
// vulnerabilities that are not fixed yet but are tracked in a ticket.
dependencyCheck.suppressionFile = 'dependency-check-known-issues.xml'