Vulnerabilities not visible in Sonar on pull requests #485

@michalkochanowicz

Description


Describe the bug
When Sonar analyzes a pull request, reported vulnerabilities are not visible in Sonar. They are visible on release branches. This applies to Java and TypeScript code.

For Java I tried using the Maven plugin and invoking it directly, both from Jenkins.

Shell command:

mvn install org.owasp:dependency-check-maven:check sonar:sonar -Dformats=json,html -Dhttp.proxyHost=XXX -Dhttp.proxyPort=8080 -Dhttps.proxyHost=XXX -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=XXX -P CCC -P !DDD,!EEE -Dsonar.pullrequest.key=YYY -Dsonar.pullrequest.branch=feature/ZZZ -Dsonar.pullrequest.base=develop -Dsonar.pullrequest.bitbucketserver.project=AAA -Dsonar.pullrequest.bitbucketserver.repository=BBB javadoc:javadoc -DskipITs=false

Maven plugin setup:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${dependency-check-maven.version}</version>
    <configuration>
        <autoUpdate>true</autoUpdate>
        <formats>
            <format>HTML</format>
            <format>JSON</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

For TypeScript (Angular) I invoke directly.

In both cases, vulnerabilities are written to the standard output and to the JSON and HTML reports.

The HTML report is visible in Sonar.

Processing by Sonar seems successful:

[INFO] Sensor Dependency-Check [dependencycheck]
[INFO] Process Dependency-Check report
[INFO] Using JSON-Reportparser
[INFO] Linking 96 dependencies
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[INFO] Upload Dependency-Check HTML-Report
[INFO] Process Dependency-Check report (done) | time=412ms
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=413ms

To Reproduce
It would be helpful if you could support us with example projects.
Steps to reproduce the behavior:

Analyze pull request with Sonar.

Current behavior
Vulnerabilities are not visible in Sonar (except for the embedded HTML report), neither in the overview nor in the code sections.

Expected behavior
Vulnerabilities should be visible in Sonar, in the overview and in the code sections.

Versions (please complete the following information):

  • dependency-check: 6.2.2
  • sonarqube: Developer Edition, Version 8.9 (build 43852)
  • dependency-check-sonar-plugin: 2.0.8
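The plugin log above shows the report being read by the JSON parser and an unscored CVE being defaulted to MEDIUM. When the findings do not surface in the Sonar UI, it is useful to triage the same dependency-check JSON report directly, with the same severity fallback, so the PR can still be gated. The script below is an added example, not code from the reporter or from the dependency-check-sonar-plugin project. The embedded report is constructed; its field layout (`dependencies[].fileName`, `vulnerabilities[].name`, `cvssv3.baseScore`, `cvssv2.score`) is my understanding of the dependency-check 6.x JSON schema and should be checked against a real report before relying on the parser.

```python
import json

# Constructed sample in the shape of a dependency-check 6.x JSON report.
# Field names are an assumption; verify against a report produced by your build.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-core-1.0.jar",
            "vulnerabilities": [
                # Unscored entry: no cvssv2 or cvssv3 block, like CVE-2015-6644 in the log
                {"name": "CVE-2015-6644", "source": "NVD"},
                {"name": "CVE-2020-0001", "source": "NVD",
                 "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
            ],
        },
        {
            "fileName": "example-util-2.3.jar",
            "vulnerabilities": [
                # Only a CVSS v2 score is present
                {"name": "CVE-2019-0002", "source": "NVD", "cvssv2": {"score": 4.3}},
            ],
        },
        # Dependency with no findings; must not break the parser
        {"fileName": "clean-lib-1.0.jar"},
    ],
})


def score_of(vuln):
    """Return (score, is_scored). Prefer the CVSS v3 base score, fall back to v2."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    if v3 is not None:
        return float(v3), True
    v2 = (vuln.get("cvssv2") or {}).get("score")
    if v2 is not None:
        return float(v2), True
    return None, False


def severity_of(score, unscored_default="MEDIUM"):
    """Map a CVSS score to NVD's qualitative bands.

    An unscored vulnerability gets `unscored_default`, mirroring the plugin's
    "is unscored. Using MEDIUM" warning in the reporter's log.
    """
    if score is None:
        return unscored_default
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def summarize(report_text, unscored_default="MEDIUM"):
    """Flatten a dependency-check JSON report into one record per (dependency, CVE)."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score, scored = score_of(vuln)
            findings.append({
                "dependency": dep.get("fileName"),
                "cve": vuln.get("name"),
                "score": score,
                "severity": severity_of(score, unscored_default),
                "unscored": not scored,
            })
    return findings


def count_by_severity(findings):
    """Histogram of severities, useful for a simple PR gate (e.g. fail on any CRITICAL)."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = summarize(SAMPLE_REPORT)
    # Highest score first; unscored entries sort last
    for f in sorted(findings, key=lambda f: (f["score"] is None, -(f["score"] or 0))):
        flag = " (unscored, defaulted)" if f["unscored"] else ""
        print(f"{f['severity']:8} {f['cve']:15} {f['dependency']}{flag}")
    print(count_by_severity(findings))
```

Pointing `summarize()` at the real `dependency-check-report.json` that the `check` goal writes gives the same list the Sonar sensor consumed, so a missing finding in the UI can be distinguished from a finding that was never in the report. The `unscored_default` parameter is there because defaulting unscored CVEs to MEDIUM is a policy choice; a stricter gate may want HIGH.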
