Using the owasp-dependency-check via the Maven plugin and submitting the results into sonar via this plugin gives me some weird issues.

On each run of the Maven build the Sonar plugin mixes up the reported vulnerabilities with already existing ones. One could observe this phenomenon when some of the found vulnerabilities were marked with a different status or augmented with comments. After the Maven build some of the changed status values and comments are then associated with different (existing) issues.

I was debugging this issue by looking at the data stored in my local Sonar postgres database. Sonar is storing the status values in the table 'issues'. After another run of the Maven build message (description) values of existing issues is updated with another issue's message. The prior status value, however, stays the same. I can reproduce this issue easily when running:

$ mvn sonar:sonar

I'm using:

• Apache Maven 3.5.2
• dependency-check-maven 3.1.1
• dependency-check-sonar-plugin 1.1.0 (installed via SonarQube Marketplace)
• SonarQube 7.0

Did anyone else experience something like this before?

Thx