
X08 - Jenkins Warnings Next Generation Plugin

The document discusses using the Jenkins Warnings Next Generation Plugin to generate static code analysis reports from tools like FindBugs and PMD. It provides steps to install the plugin, configure Maven in Jenkins, and create a Jenkins pipeline job that runs analysis on a sample project and records the results.

Uploaded by

Aqil Syahmi

Lab 8

Jenkins Warnings Next Generation Plugin


Overview

In this lab, you are going to learn how to use the Jenkins Warnings Next Generation Plugin to
generate static code analysis reports.

The Jenkins Warnings Next Generation Plugin collects compiler warnings or issues reported by
static analysis tools and visualizes the results. It has built-in support for numerous static analysis
tools (including several compilers).

Outcomes
Upon completion of this session, you should be able to:
• Use the Jenkins Warnings Next Generation Plugin to analyse source code
• Select a suitable SAST tool for your team project
• Start incorporating Jenkins Pipeline with Static Code Analysis into your team project

ICT3103 / 3203 Secure Software Development Raymond, Tram, Marcus October 2023

1: Installation
This lab is based on the instructions at https://github.com/jenkinsci/warnings-ng-plugin/blob/master/doc/Documentation.md
and on Vulnado, an intentionally vulnerable Java application (https://github.com/ScaleSec/vulnado). It also
requires different Docker SAST images / software to be installed before you can incorporate them into a
Jenkins Pipeline.

1. Install the Warnings Next Generation Plugin under the Plugin Manager

2. Restart Jenkins


2: Install and Configure Maven in Jenkins


In this step, we are going to install and configure Maven in Jenkins. For this, we have to
download the Maven binary from the official website. At the time of writing, the Apache Maven
version is 3.6.3.

This guide assumes that you are running Jenkins through Docker, so to install the Maven binary,
follow the steps below:
$ docker exec -it jenkins-container /bin/bash

$ cd /var/jenkins_home

$ curl http://mirrors.estointernet.in/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz --output apache-maven-3.6.3-bin.tar.gz

$ tar -xvzf apache-maven-3.6.3-bin.tar.gz && cd apache-maven-3.6.3

Now that you have downloaded the required binary, copy the path for later use:
$ pwd

/var/jenkins_home/apache-maven-3.6.3
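
The download above fetches a build tool over plain HTTP from a third-party mirror, and the archive is unpacked without an integrity check. The following is an added example, not part of the original lab: a small shell helper that compares the tarball against a published SHA-512 digest before extraction. The function names and the checksum URL in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded archive against a published SHA-512 digest
# before unpacking it. Assumes sha512sum (GNU coreutils) and awk are available.

# Print the first token of a .sha512 file, lower-cased. Handles both a bare
# digest and the "digest  filename" layout written by sha512sum.
read_published_digest() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# verify_tarball ARCHIVE SUMFILE
# Returns 0 on match, 1 on mismatch, 2 if the inputs are missing or malformed.
verify_tarball() {
    archive="$1"; sumfile="$2"
    [ -f "$archive" ] && [ -s "$sumfile" ] || return 2
    expected=$(read_published_digest "$sumfile")
    # A SHA-512 digest is exactly 128 hex characters. Anything else (for
    # example an HTML error page saved as the checksum) is rejected.
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Usage in the Jenkins container, in place of the bare tar step. The checksum
# URL (Apache's HTTPS archive) is an assumption and is not given in the lab:
#   curl -fsSL -o apache-maven-3.6.3-bin.tar.gz.sha512 \
#     https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz.sha512
#   verify_tarball apache-maven-3.6.3-bin.tar.gz apache-maven-3.6.3-bin.tar.gz.sha512 \
#     && tar -xzf apache-maven-3.6.3-bin.tar.gz
```

The digest must come from a source other than the mirror that served the tarball; otherwise a tampered archive and a matching checksum could be served together.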

Install Maven Plugins in Jenkins

To install the Maven plugins, go to Dashboard > Manage Jenkins > Manage Plugins > Available and
search for Maven, as shown below:

On the next page, along with Maven Integration and Maven Invoker, you will see some additional
dependencies getting installed, which are required for both plugins to work.


Now, let's set the Maven path which you copied from the Jenkins container. Go to Dashboard >
Manage Jenkins > Global Tool Configuration and find Maven to set the extracted binary home
directory path, which is /var/jenkins_home/apache-maven-3.6.3

Save the setting, following which your Maven application is all set to go.


3: Configuration
1. Create a new pipeline project, and use the following Jenkinsfile in your pipeline:

pipeline {
    agent any
    stages {
        stage ('Checkout') {
            steps {
                // Fetch the intentionally vulnerable sample project
                git branch:'master', url: 'https://github.com/ScaleSec/vulnado.git'
            }
        }

        stage ('Build') {
            steps {
                // Build and test; test failures are ignored so the analysis stage still runs
                sh '/var/jenkins_home/apache-maven-3.6.3/bin/mvn --batch-mode -V -U -e clean verify -Dsurefire.useFile=false -Dmaven.test.failure.ignore'
            }
        }

        stage ('Analysis') {
            steps {
                // Run the static analysis tools; each writes an XML report under target/
                sh '/var/jenkins_home/apache-maven-3.6.3/bin/mvn --batch-mode -V -U -e checkstyle:checkstyle pmd:pmd pmd:cpd findbugs:findbugs'
            }
        }
    }
    post {
        always {
            // Publish test results, then record the issues found by each tool
            junit testResults: '**/target/surefire-reports/TEST-*.xml'
            recordIssues enabledForFailure: true, tools: [mavenConsole(), java(), javaDoc()]
            recordIssues enabledForFailure: true, tool: checkStyle()
            recordIssues enabledForFailure: true, tool: spotBugs(pattern: '**/target/findbugsXml.xml')
            recordIssues enabledForFailure: true, tool: cpd(pattern: '**/target/cpd.xml')
            recordIssues enabledForFailure: true, tool: pmdParser(pattern: '**/target/pmd.xml')
        }
    }
}


2. Please note that the Warnings Next Generation Plugin supports different languages by applying
different SAST tools. Please refer to https://github.com/jenkinsci/warnings-ng-plugin/blob/master/SUPPORTED-FORMATS.md
and include the languages that you are using.


3. You may check the Warnings from different tools in the build information

4: Reference
https://github.com/jenkinsci/warnings-ng-plugin/blob/master/doc/Documentation.md#configuration
https://appfleet.com/blog/ci-dc-pipeline-using-jenkins-git-and-maven/

END OF DOCUMENT
