Getting Started

Include Dependency Check for Bamboo does not require any specific configuration or any additional build tasks.

Once the app is installed, the following features are available out of the box:

  • Dependency Check results in your Bamboo build summary (includes ability to create pre-filled Jira issues for follow-up)

  • Bamboo report with count of unique vulnerabilities in your Bamboo plans

Prerequisite

Include Dependency Check for Bamboo relies on OWASP Dependency Checks configured by the users within their Bamboo builds.

To use the app, you need existing OWASP Dependency Checks in your Bamboo builds.

To set up Dependency Check in your build plans, see the official Dependency Check documentation, which has instructions for various build systems such as Maven, Gradle, SBT, etc.

For example, if you use Maven, add the following to your pom.xml file:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
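    <!-- Placeholder: replace with the latest released plugin version -->
    <version>USE LATEST VERSION</version>
    <configuration>
        <!-- Fail the build when a dependency has a CVSS score of 4 or higher -->
        <failBuildOnCVSS>4</failBuildOnCVSS>
    </configuration>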
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Once you set this up, you should see “dependency-check-report.html” files in your build results directory. The default report format is HTML and it should not be changed.

The app will pick up the report(s) and link them to your build plans.
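
Because the app depends on the HTML report being present, a post-build check can catch a build that produced no report or one whose report format was changed. The script below is an added example, not part of the app or of OWASP Dependency Check; the function names are hypothetical, and it assumes the build working directory is passed as the first argument.

```shell
#!/bin/sh
# Added example: post-build check for the reports the app expects.
# Assumption: $1 is the build working directory (defaults to ".").

# Print every HTML report found under the given directory, one per line.
find_html_reports() {
    find "$1" -type f -name 'dependency-check-report.html' 2>/dev/null
}

# Print directories that hold an XML or JSON report but no HTML report,
# which indicates the report format was changed from the default.
find_format_mismatches() {
    find "$1" -type f \( -name 'dependency-check-report.xml' \
        -o -name 'dependency-check-report.json' \) 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        [ -f "$d/dependency-check-report.html" ] || printf '%s\n' "$d"
    done | sort -u
}

# Return 0 and list the HTML reports when everything is in place,
# 1 when no HTML report exists, 2 when a directory lacks the HTML format.
verify_reports() {
    root=${1:-.}
    html=$(find_html_reports "$root")
    bad=$(find_format_mismatches "$root")
    if [ -n "$bad" ]; then
        echo "Non-HTML report without dependency-check-report.html in:" >&2
        printf '%s\n' "$bad" >&2
        return 2
    fi
    if [ -z "$html" ]; then
        echo "No dependency-check-report.html under $root" >&2
        return 1
    fi
    printf '%s\n' "$html"
}
```

Calling `verify_reports` on the working directory as the last step of a build script makes a missing or wrongly formatted report fail the build instead of silently leaving the build summary empty.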

Requisite to create pre-filled Jira issues

To enable the creation of Jira issues pre-filled with the dependency check context in your build summary, you need to:

  • add Jira issue keys to your commit messages and

  • integrate Bamboo with a Jira DC or Cloud application