Sonarqube + dependency-check plugin for dotnet #473
Comments
|
In general, we need to analyze the dotnet project file so that we can link new SonarQube issues against parts of this file. |
|
Hello, @Reamer, thank you for answer. In project we have .csproj file and sonar links all issue with parts of code. I do not see any problem with work of SQ, only this warning. |
|
This plugin converts all vulnerabilities found by dependency-check into SonarQube issues and tries to link these issues to a project file (e.g. pom.xml, package-lock.json ...). So this project file must be part of To find the correct line in this project file, the plugin analyzes this file. If no project file is found as in your case this plugin links the issues against the SonarQube project. This has several disadvantages when working with the issues.
|
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
github-actions
bot
added
the
lifecycle/stale
Reamer
added
lifecycle/frozen
Hello, I am use Sonarqube EE 8.4.2 with Dependency-Check plugin v 2.0.6
SonarQube parse json-report. But in logs for dotnet-project i see such info warning:
“INFO: No project configuration file, e.g. pom.xml, .gradle,.gradle.kts,package-lock.json found, therefore it isn’t possible to correctly link dependencies in file”.
And then:
“INFO: Linking 41 dependencies”
Can you tell me, please, what does it mean for dotnet-project and does it affect to work with vulnerable dependencies in sonar? As i see, sonar linking dependencies and create vulnerability in project page.
The text was updated successfully, but these errors were encountered: