OWASP cross-platform Dependency Checker
This extension uses the OWASP dependency-check CLI tool to scan your dependencies for known vulnerabilities and creates a report listing all findings. If you use SonarQube in your pipeline, it also configures your SonarQube analysis to reuse the vulnerability report.
Installation and Configuration
If you use YAML pipelines, add the following YAML to your pipeline file.
SonarQube integration setup
If you want to use the reports in your SonarQube analysis, make sure the OWASP Dependency-Check plugin for SonarQube is installed in your SonarQube instance.
To use the integration, make sure to include the task after the 'Prepare Analysis Configuration' task and before the 'Run Code Analysis' task.
How SonarQube integration works
The integration works by adding the dependency-check specific settings to the environment variable that holds your SonarQube analysis parameters. These extra parameters make sure that the analyser finds the reports.
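The mechanism above, shown as an added illustration that is not the extension's own code. It assumes the SonarQube 'Prepare Analysis Configuration' task stores its parameters as JSON in the `SONARQUBE_SCANNER_PARAMS` environment variable, that the SonarQube plugin reads `sonar.dependencyCheck.*` report-path properties, and that the CLI writes `dependency-check-report.json` / `.html`; verify all three against the versions you run.

```javascript
// Added illustration (not the extension's own code): merge the
// dependency-check report locations into the JSON that the SonarQube
// "Prepare Analysis Configuration" task is assumed to leave in the
// SONARQUBE_SCANNER_PARAMS environment variable.
const ENV_NAME = "SONARQUBE_SCANNER_PARAMS"; // assumed variable name

// Property keys assumed from the dependency-check SonarQube plugin;
// file names assumed from the CLI's default output names.
function buildScannerParams(existingJson, reportDir) {
  if (!existingJson) {
    // The variable is absent, so the ordering requirement above was
    // violated: this task must run after 'Prepare Analysis Configuration'.
    throw new Error(
      `${ENV_NAME} is not set; run this task after 'Prepare Analysis Configuration'`
    );
  }
  const params = JSON.parse(existingJson);
  const merged = {
    ...params, // keep everything the Prepare task already configured
    "sonar.dependencyCheck.jsonReportPath": `${reportDir}/dependency-check-report.json`,
    "sonar.dependencyCheck.htmlReportPath": `${reportDir}/dependency-check-report.html`,
  };
  return JSON.stringify(merged);
}

// Rewrites the variable in a given environment object (e.g. process.env).
function applyToEnvironment(env, reportDir) {
  env[ENV_NAME] = buildScannerParams(env[ENV_NAME], reportDir);
  return env;
}

// Constructed sample of what the Prepare task might have stored.
const sampleEnv = {
  [ENV_NAME]: JSON.stringify({
    "sonar.projectKey": "demo",
    "sonar.host.url": "https://sonar.example.invalid",
  }),
};

// Returns the merged parameter object for the constructed sample.
function demo() {
  return JSON.parse(applyToEnvironment({ ...sampleEnv }, "/tmp/reports")[ENV_NAME]);
}
```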
Automatic cli tool installation
The OWASP dependency-check CLI tool is automatically downloaded, extracted and cached on your agents. Hosted agents are supported. A Java runtime is required.
Thanks to Jeremy Long for his great work on the CLI tool.