From 73e087a9f53444649436d71145da155a34e35039 Mon Sep 17 00:00:00 2001 From: Anupong Hompan Date: Mon, 20 Oct 2025 12:32:04 +0700 Subject: [PATCH] Update Jenkinsfile --- Jenkinsfile | 52 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 9 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 3d708f0..c30f29f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -100,7 +100,7 @@ pipeline { agent any steps { sh ''' - set -e + set -euo pipefail export PATH="$HOME/.dotnet:$PATH" echo "=== NuGet vulnerability audit ===" 
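Review bot: `set -euo pipefail` is not portable to every shell the `sh` step may start. No shebang is visible after `sh '''` in this hunk, so Jenkins runs the script with the agent's default shell, and with `agent any` that may be a `/bin/sh` (older dash, for example) that rejects `-o pipefail` and aborts the step on its first line. Making the interpreter explicit by opening the string with `sh '''#!/bin/bash` keeps the stricter mode and makes the `curl | jq | head` pipeline added further down behave the same on every agent. The script body continues outside the hunk.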
@@ -108,16 +108,50 @@ pipeline { dotnet list package --vulnerable || true echo "=== OWASP Dependency-Check (no Docker) ===" + rm -f depcheck.zip || true + rm -rf dependency-check || true mkdir -p depcheck - DC_VER=latest - # Grab the release (platform-independent zip) - curl -Ls -o depcheck.zip \ - https://github.com/jeremylong/DependencyCheck/releases/${DC_VER}/download/dependency-check-${DC_VER}-release.zip || \ - curl -Ls -o depcheck.zip \ - https://github.com/jeremylong/DependencyCheck/releases/latest/download/dependency-check-release.zip - rm -rf dependency-check && mkdir dependency-check + + API="https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest" + + # Try to resolve the proper asset download URL (the one that ends with -release.zip) + echo "Resolving Dependency-Check latest asset URL from GitHub API..." + ASSET_URL="$(curl -fsSL "$API" \ + | jq -r '.assets[]?.browser_download_url | select(test("release\\.zip$"))' \ + | head -n1 || true)" + + # Fallback: build URL from tag_name (handles tags like vX.Y.Z) + if [ -z "${ASSET_URL:-}" ]; then + TAG="$(curl -fsSL "$API" | jq -r '.tag_name' || true)" + if [ -n "${TAG:-}" ]; then + VER="${TAG#v}" + ASSET_URL="https://github.com/jeremylong/DependencyCheck/releases/download/${TAG}/dependency-check-${VER}-release.zip" + fi + fi + + if [ -z "${ASSET_URL:-}" ]; then + echo "ERROR: Could not resolve Dependency-Check release asset URL." + exit 9 + fi + + echo "Downloading: $ASSET_URL" + curl -fL --retry 3 --retry-all-errors -o depcheck.zip "$ASSET_URL" + + # sanity check the zip (avoid half-downloaded HTML files) + file depcheck.zip || true + unzip -tq depcheck.zip || { echo "Downloaded file is not a valid ZIP"; exit 9; } + + mkdir -p dependency-check unzip -q depcheck.zip -d dependency-check - DC_BIN=$(echo dependency-check/dependency-check*/bin/dependency-check.sh) + + DC_BIN="$(echo dependency-check/dependency-check*/bin/dependency-check.sh)" + if [ ! 
-x "$DC_BIN" ]; then + echo "ERROR: dependency-check.sh not found under extracted folder" + ls -la dependency-check || true + exit 9 + fi + + # Run scan (no NVD update to keep CI fast) bash "$DC_BIN" \ --format "HTML,XML" \ --project "AS400_API_DOTNET" \
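Review bot: The archive saved as `depcheck.zip` is unpacked and its `dependency-check.sh` executed with no authenticity check. `unzip -tq` only proves the file is a well-formed ZIP, and the URL is resolved from the `releases/latest` API at build time, so each build runs whatever asset that endpoint returns. Pin the release and verify a digest recorded when that version was vetted: set `DC_VER=<PINNED_VERSION>` and add `echo "${DC_SHA256}  depcheck.zip" | sha256sum -c - || exit 9` right after the `curl -fL` download (`DC_SHA256` is a placeholder for the recorded value). Separately, in the fallback, `jq -r '.tag_name'` prints the string `null` when the field is absent, which passes the `-n` test; `jq -r '.tag_name // empty'` avoids building a bogus URL. The `sh` block continues outside the hunk.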