Report content is not deployed within SonarQube #979

Open
ahmadalfy opened this issue Aug 12, 2024 · 3 comments

ahmadalfy commented Aug 12, 2024

I am using SonarQube v10.6 and version 5.0 of the plugin. Dependency check runs from this docker image and it uses the latest version. It runs on gitlab-ci.

This is the command that runs the scanner in the CI

/usr/share/dependency-check/bin/dependency-check.sh
      --scan "./"
      --format ALL
      --project "$CI_PROJECT_NAME"
      --enableExperimental
      --failOnCVSS 0
      --suppression /suppressions/npm_fp_suppression.xml
      --suppression /suppressions/npm_na_suppressions.xml

Note the --enableExperimental flag because I am using composer as a package manager.

The scanner generates the reports successfully and I keep the artifacts: HTML and JSON. Those artifacts are then passed to SonarQube, and it successfully loads the plugin and imports those files, as per the logs here:

DEBUG: Plugins loaded:
DEBUG:   * Dependency-Check 5.0.0 (dependencycheck)
...
...
...
DEBUG: Sensors : Dependency-Check -> Zero Coverage Sensor
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Dependency-Check - Start
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
INFO: Linking 101 dependencies
...
...
...
DEBUG: Saving Metrics to project DependencyCheckMetric [inputcomponent=[key=project], totalDependencies=101, vulnerableDependencies=2, vulnerabilityCount=4, highIssuesCount=1, mediumIssuesCount=0, lowIssuesCount=1]
DEBUG: Save measures on [key=project]
INFO: Upload Dependency-Check HTML-Report
INFO: Dependency-Check - End
INFO: Sensor Dependency-Check [dependencycheck] (done) | time=3903ms

As you can see the scanner didn't check composer.lock but the reported metrics contain information about those vulnerabilities. Now let me show you how it looks when it's created on SonarQube:

The security hotspot: No information about the vulnerabilities. These are all different vulnerabilities from the code

[screenshot]

The issues: Show no vulnerability

[screenshot]

The metrics: Show this conclusion

[screenshot]

But when you click anything you just see the files tree

[screenshot]

The HTML works as expected

[screenshot]

And it shows vulnerabilities reported by dependency check

[screenshot]

Now what's wrong with what I am doing? Why are the dependencies not showing on SonarQube with details about the CVE and other details?

@ahmadalfy ahmadalfy added the bug label Aug 12, 2024
@abhishekbhilare123

Hi @ahmadalfy,
we are also facing the same issue, where it is working for PHP but not for Java and other languages.
[screenshot]
But the HTML works as expected. It is not being displayed on the SonarQube UI.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 30, 2024
@ahmadalfy

This problem has not been fixed

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 31, 2024