Not resolving ENV var in GitHub Actions #717

Open
lbenedetto opened this issue Nov 4, 2022 · 6 comments
Labels
bug lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@lbenedetto

lbenedetto commented Nov 4, 2022

Describe the bug
Plugin does not resolve env vars to determine path.

If I hardcode the sonar.dependencyCheck.htmlReportPath as /runner/_work/MyProject/MyProject/build/reports/dependency-check-report.html then everything works as expected.
But I need to set the path in such a way that it works for all my projects, so I tried configuring the path in SonarQube like this:

${{github.workspace}}/build/reports/dependency-check-report.html
${GITHUB_WORKSPACE}/build/reports/dependency-check-report.html
${DEPENDENCY_REPORT_PATH}/dependency-check-report.html

But none of those worked.

I also tried setting the path via systemProp.sonar.dependencyCheck.htmlReportPath in gradle.properties

However, I have confirmed that it is the correct path, since I have an upload artifact step that uses that same path.

To Reproduce
Github Actions workflow steps:

```yaml
      - name: Prepare dependency report
        run: ./gradlew dependencyCheckAggregate

      - name: Upload dependency check results
        uses: actions/upload-artifact@master   # unpinned ref; a release tag or commit SHA is the usual recommendation
        with:
          name: dependency check report
          path: ${{ github.workspace }}/build/reports

      - name: Build and analyze
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
          # visible to this step's shell as $DEPENDENCY_REPORT_PATH
          DEPENDENCY_REPORT_PATH: "${{ github.workspace }}/build/reports"
        run: ./gradlew build sonarqube -x test --info
```

Current behavior
Error: No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath

Expected behavior
It should resolve the env var and find the file

Versions:

  • dependency-check: 7.3.0
  • sonarqube: 9.6
  • dependency-check-sonar-plugin: 3.0.1
@lbenedetto lbenedetto added the bug label Nov 4, 2022
@Reamer
Member

Reamer commented Nov 11, 2022

As far as I know, environment variables are not supported for configuration.
I would recommend that you store the configuration in each project.
Take a look at this example.

```groovy
sonarqube {
    properties {
        // paths relative to the project directory, no environment variables needed
        property 'sonar.dependencyCheck.jsonReportPath', 'build/reports/dependency-check-report.json'
        property 'sonar.dependencyCheck.htmlReportPath', 'build/reports/dependency-check-report.html'
        properties["sonar.sources"] += "build.gradle"
    }
}
```

If you don't want to go this way, there would still be the possibility to pass the configuration when calling Gradle. Use the -D option for this. Example: -Dsonar.dependencyCheck.htmlReportPath=${ github.workspace }/build/reports.
Here you need to make sure that the caller resolves the environment variable beforehand. SonarQube does not do this.
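
The following is an added example, not code from the plugin, from SonarQube, or from anyone in this thread. It shows what "the caller resolves the variable beforehand" means in practice: a small bash helper that expands `${NAME}` / `$NAME` references from the environment before the value is handed to Gradle, refuses the GitHub Actions `${{ ... }}` expression syntax (only the Actions runner expands that, never a shell and never SonarQube), and fails on an unset or empty variable instead of silently producing the literal path the plugin otherwise goes looking for. The function names and the `require_report` existence check are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the dependency-check-sonar-plugin project).
# The plugin uses the configured htmlReportPath string literally, so any
# ${VAR} reference has to be expanded in the CI step's shell first.
set -euo pipefail

# resolve_report_path PATTERN
# Expands ${NAME} and $NAME references using the current environment.
#  - Rejects ${{ ... }}: that is workflow-expression syntax, expanded only by
#    the Actions runner when it reads the YAML, not by any shell.
#  - Returns 1 on an unset/empty variable rather than dropping the segment.
#  - Expanded values are never re-scanned, so a value containing '$' is safe.
resolve_report_path() {
  local pattern="$1" rest="$1" out="" tok name prefix
  local re='\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?'
  case "$pattern" in
    *'${{'*)
      echo "resolve_report_path: '\${{ ... }}' is a workflow expression; use \${GITHUB_WORKSPACE} instead" >&2
      return 1 ;;
  esac
  while [[ "$rest" =~ $re ]]; do
    tok="${BASH_REMATCH[0]}"
    name="${BASH_REMATCH[1]}"
    if [ -z "${!name:-}" ]; then
      echo "resolve_report_path: \$$name is not set (pattern: $pattern)" >&2
      return 1
    fi
    prefix="${rest%%"$tok"*}"      # text before the token (quoted: literal match)
    out="$out$prefix${!name}"      # append prefix plus the expanded value
    rest="${rest#*"$tok"}"         # continue scanning after the token
  done
  printf '%s\n' "$out$rest"
}

# require_report PATTERN
# Resolves PATTERN and confirms a file is actually there, i.e. the check the
# plugin performs ("No HTML-Report found"), but done on the expanded path.
require_report() {
  local path
  path="$(resolve_report_path "$1")" || return 1
  [ -f "$path" ] || { echo "require_report: no report at $path" >&2; return 1; }
  printf '%s\n' "$path"
}

# Typical use inside a GitHub Actions 'run:' step. $GITHUB_WORKSPACE is set by
# the runner; the absolute path is what reaches Gradle and the Sonar plugin:
#   REPORT="$(require_report '${GITHUB_WORKSPACE}/build/reports/dependency-check-report.html')"
#   ./gradlew build sonarqube -x test \
#       -Dsonar.dependencyCheck.htmlReportPath="$REPORT"
```

Because the path is resolved and checked in the step itself, a missing report fails the step with the expanded path in the log, instead of surfacing later as the plugin's generic "No HTML-Report found" message with an unexpanded `${...}` in it.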

@lbenedetto
Author

Ah ok, I was misled by the documentation
[screenshot of the plugin documentation]
I guess I incorrectly assumed that these properties could be set the same way through the SonarQube UI.

@lbenedetto
Author

Wait a minute, the default value in SonarQube includes an ENV var. So either it should be fixed so that the ENV var is resolved or the default value should be changed.

[screenshot of the property's default value in SonarQube]

@lbenedetto lbenedetto reopened this Nov 11, 2022
@Reamer
Member

Reamer commented Nov 28, 2022

This default value comes from the deep history of this plugin. Originally probably for Jenkins. Here Jenkins has resolved the path.
To which new default value should the paths be set?

@lbenedetto
Author

If the default value currently works in Jenkins then nevermind.
If the default value currently does not work in Jenkins, then I have no idea what it should default to instead.

@Reamer Reamer added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Dec 5, 2022
@kauppine

kauppine commented Apr 4, 2023

It does not work currently in Jenkins; from the Jenkins logs I can see the plugin trying to use the literal path C:\jenkins\${WORKSPACE}\dependency-check-report.json

I think the culprit is this method not resolving envs:
