-
Hi there, I am using a "dummy" version string, e.g. "development" or "snapshot", on our PR builds. It works well with the Jenkins plugin, which records on the build page just the info that was gathered during that run. Obviously, in DT you will get an entry which gets overwritten regularly, but everything not according to semantic versioning will just be ignored by users. However, we have just started our DT journey, and I am not sure if this workaround will have any bad effect later on.
-
Hi,
I'm pretty sure I already read this idea somewhere, but I cannot find it anymore. That's why I'm creating this discussion here.
It would be nice if one could upload a BOM just to analyse it for CVEs/policy violations, in order to not create new projects/versions every time. My use case is a simple CI/CD pipeline which creates a BOM for main/release versions and also sends them over to Dependency-Track. However, for branches/pull requests I also want to run an analysis, just to see if a new dependency introduces a problem.
Would this be a nice addition? Or can someone point me to the original discussion/issue around this topic?
Thanks