Issue description being changed to different CVE on repeated runs #682

Open

@jordannstrong

Description

Describe the bug
After addressing vulnerabilities in a previous analysis' report, some vulnerability issues within SonarQube are having their descriptions updated with the descriptions of other vulnerabilities that are present in the report. In some cases, issues that had been manually marked with a resolution had the resolution removed, making them appear as if they had never been resolved. Comments, tags, and other features that are managed directly by SonarQube remain the same; only the description and severity are changed to those of another issue.

To Reproduce

  1. Perform an analysis on a project that results in vulnerabilities.
  2. Resolve at least one of these vulnerabilities in code.
  3. Perform a second analysis.
  4. Some issues will have had their descriptions swapped, and/or their resolved status changed.

Current behavior
SonarQube vulnerability issue descriptions and severities are being mixed up on subsequent analyses.

Expected behavior
Each issue's description and severity should remain the same once the issue has been created.

Screenshots
I used comments to track the issues, by commenting the CVE that the issue was for after the first analysis. After the second analysis, it had changed from the one in the comment to the one in the description.
image

Versions (please complete the following information):

  • dependency-check: 6.5.1
  • sonarqube: 9.5.0.56709
  • dependency-check-sonar-plugin: 3.0.1

Additional context
This appears to be similar to #55.
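An added example, not code from the reporter or from dependency-check-sonar-plugin, of the check the reporter did by hand with comments: compare two SonarQube issue snapshots taken before and after the second analysis and flag every issue whose CVE, severity or resolution changed, then pair up issues that exchanged CVEs with each other. The snapshots are constructed to mimic the `issues` array of SonarQube's `/api/issues/search` response; the CVE ids and library names are placeholders.

```python
import re

# Constructed snapshots (not real data) shaped like the "issues" array of SonarQube's
# /api/issues/search, reduced to the fields this check needs. CVE ids are fake placeholders.
BEFORE = [
    {"key": "issue-a", "message": "CVE-0000-1111 in lib-one-1.0.jar", "severity": "CRITICAL", "resolution": "FIXED"},
    {"key": "issue-b", "message": "CVE-0000-2222 in lib-two-2.0.jar", "severity": "MAJOR"},
    {"key": "issue-c", "message": "CVE-0000-3333 in lib-three-3.0.jar", "severity": "MINOR"},
]
AFTER = [
    # issue-a now carries issue-b's description and severity and has lost its resolution
    {"key": "issue-a", "message": "CVE-0000-2222 in lib-two-2.0.jar", "severity": "MAJOR"},
    {"key": "issue-b", "message": "CVE-0000-1111 in lib-one-1.0.jar", "severity": "CRITICAL"},
    {"key": "issue-c", "message": "CVE-0000-3333 in lib-three-3.0.jar", "severity": "MINOR"},
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_of(issue):
    """Return the CVE id named in the issue message, or None if there is none."""
    match = CVE_RE.search(issue.get("message", ""))
    return match.group(0) if match else None


def find_drift(before, after):
    """Match issues across snapshots by SonarQube issue key; report changed CVE/severity/resolution."""
    after_by_key = {issue["key"]: issue for issue in after}
    drift = []
    for old in before:
        new = after_by_key.get(old["key"])
        if new is None:
            continue  # issue closed or gone; that is not a swap
        changes = {}
        for field, getter in (("cve", cve_of), ("severity", lambda i: i.get("severity")),
                              ("resolution", lambda i: i.get("resolution"))):
            if getter(old) != getter(new):
                changes[field] = (getter(old), getter(new))
        if changes:
            drift.append({"key": old["key"], **changes})
    return drift


def swapped_pairs(drift):
    """Return sorted key pairs that exchanged CVEs with each other (the swap this report describes)."""
    by_new_cve = {d["cve"][1]: d for d in drift if "cve" in d}
    pairs = set()
    for d in drift:
        partner = by_new_cve.get(d["cve"][0]) if "cve" in d else None
        if partner is not None and partner is not d and partner["cve"][0] == d["cve"][1]:
            pairs.add(tuple(sorted((d["key"], partner["key"]))))
    return sorted(pairs)
```

Against a live server the two snapshots would be pulled from `/api/issues/search` for the project before and after the second analysis; any non-empty result from `find_drift` is the symptom this report describes.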

Labels

bug, lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness.)