Vulnerabilities not visible in Sonar on pull requests

[michalkochanowicz]

Describe the bug
When Sonar analyzes pull request, reported vulnerabilities are not visible in Sonar. They are visible on release branches. Applies to Java and TypeScript code.

For Java I tried using Maven plugin and invoking directly, both from Jenkins.

Shell command:

mvn install org.owasp:dependency-check-maven:check sonar:sonar -Dformats=json,html -Dhttp.proxyHost=XXX -Dhttp.proxyPort=8080 -Dhttps.proxyHost=XXX -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=XXX -P CCC -P !DDD,!EEE -Dsonar.pullrequest.key=YYY -Dsonar.pullrequest.branch=feature/ZZZ -Dsonar.pullrequest.base=develop -Dsonar.pullrequest.bitbucketserver.project=AAA -Dsonar.pullrequest.bitbucketserver.repository=BBB javadoc:javadoc -DskipITs=false

Maven plugin setup:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${dependency-check-maven.version}</version>
    <configuration>
        <autoUpdate>true</autoUpdate>
        <formats>
            <format>HTML</format>
            <format>JSON</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

For TypeScript (Angular) I invoke directly.

For both cases vulnerabilities are written to the standard output, JSON and HTML reports.

HTML report is visible in Sonar.

Processing by Sonnar seems successful:

[INFO] Sensor Dependency-Check [dependencycheck]
[INFO] Process Dependency-Check report
[INFO] Using JSON-Reportparser
[INFO] Linking 96 dependencies
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[INFO] Upload Dependency-Check HTML-Report
[INFO] Process Dependency-Check report (done) | time=412ms
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=413ms

To Reproduce
It would be helpful when you support us with example projects.
Steps to reproduce the behavior:

Analyze pull request with Sonar.

Current behavior
Vulnerabilities not visible in Sonar (except for embedded HTML report). Neither in overview nor in code sections.

Expected behavior
Vulnerabilities visible in Sonar in overview and in code sections.

Versions (please complete the following information):

• dependency-check: 6.2.2
• sonarqube: Developer EditionVersion 8.9 (build 43852)
• dependency-check-sonar-plugin: 2.0.8

[Reamer]

Pull request analysis is only available in a commercial version. Since I do not have access to such a version, I cannot reproduce this bug and therefore I am closing the issue. If you think you can correct the bug yourself, I will be happy to evaluate your incoming solution.

[andreasgebauer]

I am facing the same problem. You could also test this with https://github.com/mc1arke/sonarqube-community-branch-plugin. I am using this plugin too in order too avoid having to use commercial edition of SonarQube

[daudo]

adding my voice, too. We're using both the commercial version and the community edition with the community branch plugin.

I understand, that you @Reamer don't want to dig into the issue, so maybe I can figure it out myself. Any pointer where to start looking?

And, additionally, if I am not completely wrong, this used to work some time ago for branches as well, but I am not 100% sure about this.

[Reamer]

Any pointer where to start looking?

That's the code part that uploads the HTML report.
The code part that adds issues to your code.
The code part that downloads the HTML report from SonarQube to display it in the frontend.

Please note that a pull request should only indicate a new vulnerability if another vulnerability has been discovered which is so not in the main branch.

[emilekberg]

@daudo any luck? We are currently facing the same issue. We tried introducing a vulnerability in a pull request and does not raise warning about the introduced vulnerability, however we can see it in the json and html report.

I did also noticed the scanner does not identify .csproj changes in the changes, only the changes to the .cs files, I wonder if this can relate to this issue? Since the PR might not figure out that the .csproj has changed with a new vulnerability/dependency.

Versions:

• SonarQube: Developer Edition Version 8.9.6 (build 50800)
• Dependency Check: 7.1.0
• Dependency Check SonarQube Plugin: 2.0.7

[dszulist]

@daudo is there any progress? we are using developer edition and have the same issue

[tremblaysimon]

@Reamer I understand that you don't have a SonarQube developer/enterprise edition to be able to add and test that feature. But I think you should reconsider to open that issue again since I think it's a valid feature request and only to show to people who want to contribute they can.

[github-actions]

This issue was closed because it has been stalled for 14 days with no activity.

[Flash619]

I have experienced this same issue recently on some existing code. My findings were...

• The dependency-check-sonar plugin does identify CVEs and attempt to create issues with accurate data.
• SonarQube would not surface the issues reported by the dependency-check-sonar plugin.

I started researching deeper into why SonarQube was ignoring these issues, and it seems related to a support response.

As stated, SonarQube will only raise issues on changed lines of code, even if they have been reported by a plugin. The fix for me was to change the offending lines of code so that SonarQube would see them as modified. After the lines had been seen by SonarQube as modified within the PR, SonarQube allowed issues located within those lines (the CVE) to be raised.

Hope this helps someone!

[jenspopp]

Hi, I came across the same issue. Even if I introduce a vulnerability by changing values in maven dependency management section it will only be shown in the branch build (if my workflow allows both in parallel, PR and branch build). Additionally a dependency issue came up during the lifetime of the PR (in this case guava).
This is an issue, I can introduce a dependency that becomes "critical" during development on the PR... the PR will be mergeable...

[mjbs82]

Hi @Flash619 I'm interested in knowing more details about how you overcome this limitation. Could you please provide more details about changes you did in order to have vulnerabilitites raised in MR analysis? Thanks