Hello,
We're integrating the bitbucket-dependency-scanner pipe into our pipeline in Bitbucket Cloud. It's a Java EE Maven project.
The pipe does detect a vulnerability in a .js file in ./WebContent/scripts/. However, it does not detect a vulnerability in our pom.xml. When running the OWASP dependency scanner Maven plugin, it does (only) detect the vulnerability in our pom.xml.
In the logs I can see our pom.xml being detected, just like our Maven Wrapper.
We're running the pipe in the following way:
- step: &dependency-scan
    name: 'Dependency scan'
    services:
      - docker
    caches:
      - docker
    script:
      - pipe: atlassian/bitbucket-dependency-scanner:0.8.0
        variables:
          NVD_API_KEY: $NVD_API_KEY
          EXTRA_ARGS:
            - "--failOnCVSS=7"
            - "--ossIndexUsername=$OSS_INDEX_USERNAME"
            - "--ossIndexPassword=$OSS_INDEX_PASSWORD"
          DEBUG: "true"
    artifacts:
      - dependency-check-report-*.log
I ended up solving it myself. With Maven, you need to build the project before running the dependency scanner. The scanner only analyzes the downloaded JAR files, not the pom.xml directly.
So the correct sequence is: first build, then run the scanner.
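For reference, here is what that "build first, then scan" sequence looks like as a complete Bitbucket Pipelines step. This is an added example, not the poster's configuration and not from the Atlassian pipe's documentation: the pipe version and its variables are the ones in the post above, while the Maven image tag, the `maven` cache name, and the use of `dependency:copy-dependencies` to stage the resolved jars under `target/dependency` are assumptions made for this example.

```yaml
# Added example (not the original poster's config): build the Maven project
# before running the dependency-scanner pipe in the SAME step, so the pipe
# sees the resolved dependency jars in the workspace rather than only pom.xml.
# Assumed here: the maven image tag, the "maven" cache, and copy-dependencies.
image: maven:3.9-eclipse-temurin-17

definitions:
  steps:
    - step: &dependency-scan
        name: 'Build and dependency scan'
        services:
          - docker
        caches:
          - maven
          - docker
        script:
          # 1. Build first. Without this the scanner has nothing but pom.xml
          #    and reports only what it finds in checked-in files (e.g. the .js).
          - mvn -B -DskipTests package
          # Stage every transitive dependency jar under target/dependency
          # (the goal's default output directory) so the scanner can analyse them.
          - mvn -B dependency:copy-dependencies
          # 2. Run the pipe in the same step; a separate step would start from a
          #    fresh container and would need target/** passed along as an artifact.
          - pipe: atlassian/bitbucket-dependency-scanner:0.8.0
            variables:
              NVD_API_KEY: $NVD_API_KEY
              EXTRA_ARGS:
                - "--failOnCVSS=7"
                - "--ossIndexUsername=$OSS_INDEX_USERNAME"
                - "--ossIndexPassword=$OSS_INDEX_PASSWORD"
              DEBUG: "true"
        artifacts:
          - dependency-check-report-*.log

pipelines:
  default:
    - step: *dependency-scan
```

Two practical notes: keep `NVD_API_KEY`, `OSS_INDEX_USERNAME` and `OSS_INDEX_PASSWORD` as secured repository or workspace variables rather than literals in the YAML, and if you do split the build and the scan into separate steps, declare `target/**` as an artifact of the build step, otherwise the scan step starts from a clean checkout and you are back to scanning pom.xml alone.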
Good to know!