I have a pom.xml with an OWASP dependency check profile:
<!-- Profile to run owasp security checks. To activate, use -Dowasp=true -->
<profile>
  <id>owasp-security-checks</id>
  <activation>
    <property>
      <name>owasp</name>
      <value>true</value>
    </property>
  </activation>
  <build>
    <plugins>
      <!-- Tests for vulnerabilities in dependencies. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>7.4.4</version>
        <configuration>
          <skipProvidedScope>true</skipProvidedScope>
          <skipRuntimeScope>true</skipRuntimeScope>
          <!-- Fail on high or critical severity -->
          <!-- None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
This works as expected when executed with
sh 'mvn clean verify -U -Dowasp=true -DskipTests'
However, the plugin checks if the CVE database needs to be updated, and this sometimes fails. I want to separate the database update from the scanning, so I can run the update once a day at a specific time. Another advantage would be that, with different Jenkins jobs for updating and scanning, it would be easier to differentiate between update problems and scan issues.
However, I seem unable to find instructions on how to do this, or (probably) I'm looking in the wrong place.
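One way to split the two steps, added here as an example and not part of the question itself: keep the scanning profile from the question, but drive the plugin's `autoUpdate` parameter from a Maven property that defaults to `false`, so the per-build scan never contacts the NVD feed; a second Jenkins job, scheduled once a day, runs the plugin's `update-only` goal with that property set to `true`. The property name `owasp.autoUpdate`, the job names and the shared `dataDirectory` path are assumptions; `autoUpdate`, `dataDirectory` and the `update-only` goal are the plugin's own. A Maven property is used rather than a bare `-DautoUpdate=true` because an explicit value in `<configuration>` takes precedence over a `-D` property of the same name, so the update job could not override it otherwise.

```xml
<!-- Added example: scanning profile whose NVD update is controlled by a property. -->
<profile>
  <id>owasp-security-checks</id>
  <activation>
    <property>
      <name>owasp</name>
      <value>true</value>
    </property>
  </activation>
  <properties>
    <!-- Default for the scan job: never refresh the CVE database during a build.
         The update job overrides this on its command line. -->
    <owasp.autoUpdate>false</owasp.autoUpdate>
    <!-- Assumed shared location for the H2 database. Both jobs must read the same
         directory; the plugin's default lives inside the local Maven repository,
         which only works if both jobs run on the same agent as the same user. -->
    <owasp.dataDirectory>/var/lib/dependency-check/data</owasp.dataDirectory>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>7.4.4</version>
        <configuration>
          <autoUpdate>${owasp.autoUpdate}</autoUpdate>
          <dataDirectory>${owasp.dataDirectory}</dataDirectory>
          <skipProvidedScope>true</skipProvidedScope>
          <skipRuntimeScope>true</skipRuntimeScope>
          <!-- Fail on high or critical severity (CVSS >= 7.0) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>

<!--
  Jenkins job "owasp-db-update" (assumed name), run once a day by a cron trigger.
  The profile is activated so the same plugin version and dataDirectory apply,
  and autoUpdate is switched on only for this invocation:

    sh 'mvn -Dowasp=true -Dowasp.autoUpdate=true org.owasp:dependency-check-maven:update-only'

  Jenkins job "owasp-scan" (assumed name), run per build with the command line
  from the question, unchanged; it now only reads the database the update job refreshed:

    sh 'mvn clean verify -U -Dowasp=true -DskipTests'
-->
```

With this split, a failure of the daily job points at connectivity or NVD feed problems, while a failure of the scan job points at findings or at a stale or missing database. If the update job has not run yet on a fresh agent, the scan job will fail for lack of data rather than silently scanning against nothing, which is the behaviour you want; run the update job once by hand when provisioning a new agent.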