Issues and hotspots doesn't include dependency-check vulnerabilities

[arturkasperek]

Describe the bug
I'm using the following settings when running the scanner:

        -Dsonar.dependencyCheck.securityHotspot=true \
        -Dsonar.dependencyCheck.jsonReportPath=owasp-reports/dependency-check-report.json \
        -Dsonar.dependencyCheck.htmlReportPath=owasp-reports/dependency-check-report.html \
        -Dsonar.dependencyCheck.xmlReportPath=owasp-reports/dependency-check-report.xml \

I don't see any errors on SQ server or gitlabCI job dependency check logs. After all, I can see an extra item to access the report:

It has vulnerabilities and right now don't sure why they are not included either on Issues or Security hotspots
In previous versions I saw that dependency check sonar plugin was also reporting on Issues - don't sure why it doesn't work

Versions (please complete the following information):

• dependency-check: v9.2.0
• sonarqube: 10.4.1.88267
• dependency-check-sonar-plugin: 5.0.0

[Reamer]

xmlReportPath is deprecated and removed.
Security Hotspot Feature is deprecated as well.

[arturkasperek]

@Reamer hm - can I somehow integrate deps scan audit with sq native issues?

[Erry91]

I am also interested in how to make vulnerabilities detections reported in the dependency-check scan appear in either "Issues" or "Security Hotspots"

[Reamer]

@Reamer hm - can I somehow integrate deps scan audit with sq native issues?

Try deactivating the security hotspot feature.

[mutzbraten]

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

Where do I find documentation about the deprecation of security hotspot feature?
Is there any alternative suggested?
Does this mean, the bug will not be fixed?

[Reamer]

Where do I find documentation about the deprecation of security hotspot feature?

I think here: https://docs.sonarsource.com/sonarqube/latest/user-guide/security-hotspots/

Issue types (bug, vulnerability, and code smell) are deprecated

Generally speaking, I can no longer mark a rule as a security hotspot in the source code. I think therefore I can not fix this bug.

[Reamer]

Checkout SonarSource/sonar-plugin-api@6785fea for more

[arturkasperek]

@Reamer is there a way to integrate deps audit results on some native sonarqube view?
Right now this plugin only enables to display HTML with results. Im using sq 10.4 (in previous version it worked fine and integrated)

[Reamer]

This could be possible. However, I am not a frontend developer and therefore cannot implement this requirement.

[arturkasperek]

@Reamer, I don't have frontend tweaks on my mind.
Sonarqube has a native solution to register custom issues. I think with the old SQ version, issues from dependency check step were correctly registered - right now I don't see anymore any issues

[rupreck]

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

This is a very important plugin but the change to no longer support dependency CVE's as Security Hotspots is a real disappointment. As Security Hotspots they were well presented and allowed a history of changes with notes providing traceability. As Security Issues, changes are less visible and they are not presented well. Is there any way / plan to have this capability restored? Security Hotspots are a major focus area in SonarQube.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[david-vdd]

The html report is working fine, however, I'm also unable to get any indication of vulnerabilities(either issues or security hotspots) in Sonar using the latest version of sonarqube, the plugin and the dependency check.