Vulnerabilities found during dependency check are not shown in Sonar UI #677
Comments
Are you able to reproduce the bug with the multi-module-maven example project?
I'm experiencing this same issue. It seems that this plugin does not work properly with pull request analysis, because for any branches I do get proper vulnerabilities in SonarQube and I can see the HTML report. However, for pull requests I can only see the HTML report, but no vulnerabilities, even if the vulnerabilities have been introduced in that particular pull request.
@kauppine
@Reamer Sure, I would gladly help. Do you have any tips or advice for debugging this plugin? And the problem is that if the pull request introduces new vulnerabilities, they are not being presented outside the HTML report.
You can enable the debug log with
I took a look into it and noticed that SonarSource has this item in their backlog: https://portal.productboard.com/sonarsource/3-sonarqube/c/295-new-pull-request-issues-on-unchanged-code
This is true, but generally a new vulnerable dependency is added when a change is made to a project file. How is it possible to create a new vulnerability without changing the project configuration file?
@ckocyigit Works on my computer.
Hi guys! Don't really know if someone solved this.
Same issue here. SQ receives the reports for both non-PR and PR branches. For non-PR branches the quality gate fails and we can see a menu entry 'OWASP Dependency-Check' in the 'Measures' tab, but for PR branches there is no such menu entry and the quality gate doesn't fail.
We are experiencing the same issue. The PR build and analysis creates and uploads a report to SonarQube with the rest of the analysis, but the vulnerabilities in the UI are 0 and the Quality Gate passes. For the non-PR branches, everything works fine.
Vulnerabilities appear over time. We analyze our production code weekly to see what is affected by new CVEs, as some code is not modified for months at a time. I am going to see if, when I add a vulnerable package to one of my projects, it will pick it up or not during a PR analysis.
You are right; therefore you should check your main branch regularly.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
This issue was closed because it has been stalled for 14 days with no activity.
Can this issue be reopened? It is an existing issue that continues to be a problem for PRs.
Hey all- and had to define properties Version:
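The two behaviours discussed above (a PR that adds a vulnerable dependency, and findings that appear over time against code nobody changed) can be verified independently of the Sonar UI by diffing the dependency-check JSON reports of the target branch and of the PR branch. The script below is an added example, not code from this thread, from dependency-check or from dependency-check-sonar-plugin. It assumes the layout dependency-check writes with `--format JSON` (a top-level `dependencies` array whose entries carry `fileName` and a `vulnerabilities` list with `name` and `severity`); the two reports are constructed inline, and the vulnerability names in them are placeholders, not real CVE identifiers.

```python
import json
from collections import Counter

# Severity order used for gating; dependency-check reports upper-case names.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def _report(dependencies):
    """Build a minimal report in the dependency-check JSON layout (constructed sample)."""
    return json.dumps({"reportSchema": "1.1", "dependencies": dependencies})


# Constructed sample: report of the target branch (e.g. main).
BASE_REPORT_JSON = _report([
    {"fileName": "example-lib-1.2.3.jar",
     "vulnerabilities": [{"name": "SAMPLE-VULN-1", "severity": "HIGH"}]},
    {"fileName": "clean-lib-2.0.0.jar"},
])

# Constructed sample: report of the PR branch. It adds a vulnerable dependency
# and also carries a finding newly published against an unchanged dependency.
PR_REPORT_JSON = _report([
    {"fileName": "example-lib-1.2.3.jar",
     "vulnerabilities": [{"name": "SAMPLE-VULN-1", "severity": "HIGH"},
                         {"name": "SAMPLE-VULN-3", "severity": "LOW"}]},
    {"fileName": "clean-lib-2.0.0.jar"},
    {"fileName": "new-lib-0.1.0.jar",
     "vulnerabilities": [{"name": "SAMPLE-VULN-2", "severity": "CRITICAL"}]},
])


def load_report(text):
    """Parse the JSON text of a dependency-check report."""
    return json.loads(text)


def findings(report):
    """Map (dependency fileName, vulnerability name) -> severity for the whole report."""
    out = {}
    for dep in report.get("dependencies", []):
        # Dependencies without findings have no "vulnerabilities" key (or null).
        for vuln in dep.get("vulnerabilities") or []:
            key = (dep.get("fileName", "?"), vuln.get("name", "?"))
            out[key] = str(vuln.get("severity", "UNKNOWN")).upper()
    return out


def severity_counts(report):
    """Number of findings per severity, the figure one expects to see in the UI."""
    return dict(Counter(findings(report).values()))


def new_findings(base_report, pr_report):
    """Findings present in the PR report but absent from the base report."""
    base = findings(base_report)
    return {k: v for k, v in findings(pr_report).items() if k not in base}


def gate_fails(new, min_severity="HIGH"):
    """True when any new finding is at or above min_severity (a local quality gate)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return any(SEVERITY_RANK.get(sev, 0) >= threshold for sev in new.values())


if __name__ == "__main__":
    new = new_findings(load_report(BASE_REPORT_JSON), load_report(PR_REPORT_JSON))
    for (dep, name), sev in sorted(new.items()):
        print(f"NEW {sev:<8} {name} in {dep}")
    # Non-zero exit lets a CI job fail the PR even when the Sonar gate passes.
    raise SystemExit(1 if gate_fails(new) else 0)
```

In a pipeline, replace the two constants with the contents of the `dependency-check-report.json` produced for the target branch and for the PR branch; the diff then shows both the dependency the PR added and any finding that became known since the target branch was last scanned, which is why the main branch still needs its own regular scan.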
Definitely still an issue, let's keep this open until it is addressed.
Still a problem.
This still appears to be an issue with SonarQube "Community Edition Version 8.9.10 (build 61524)". Sonar Scanner: 4.6
Still a problem, keep it open
Still nothing shown for
Same here, I have the same behavior on Maven projects with Community Edition 9.9.3 and dependency-check-maven 9.0.9
Seen here: #888. Issue fixed with plugin 9.0.9 by migrating dependency-check-sonar-plugin on SonarQube from 4.0.0 to 4.0.1
I don't know if it's related, but my OWASP dependency report file doesn't seem to be fully analysed by Sonar.
Of course, run the Sonarscan plugin in debug mode. Maven example
My SonarQube runs as a systemd service; how can I add this option in this case?
You do not need to change the debug setting of SonarQube, but the debug setting of the SonarQube scanner.
After some debugging, I found two problems:
My 2c analysis: The first point should be addressed in SonarQube configuration; files should be attributed to a language, but I didn't find any way to do it. Should dependency-check-sonar-plugin provide a dummy language that catches lock files? The second point could be addressed in OWASP dependency-check with an option that changes (cd?) the root folder. Or maybe this plugin could provide an option to alter it before sending its report to Sonar?
Describe the bug
We are using SonarQube 9.2.4, dependency-check 7.1.1 and dependency-check-sonar-plugin 2.0.8.
As seen from our build output, the dependency-check report (JSON) was analysed and was successfully uploaded to Sonar.
In the SonarQube UI, under the "Dependency-Check" option, we also see that the HTML report is available.
But we are not seeing these vulnerability numbers updated in the overall view section under Vulnerabilities, as seen below.
I am using the following in our pom, taking this multi-module example as reference: https://github.com/dependency-check/dependency-check-sonar-plugin/blob/master/examples/multi-module-maven/pom.xml
Expected behavior
Expect to see the details under the Vulnerabilities section too, i.e. the counts of vulnerabilities and the details of each vulnerability, as shown here.
Is there anything left to be configured or something I have missed? Any help in debugging this further would be really appreciated.