Vunerabilities found during dependency check is not shown in sonar UI

[sudhirpandey]

Describe the bug

We are using SonarQube 9.2.4 and dependency-check 7.1.1, dependency-check-sonar-plugin:2.0.8

As seen from our build output the the dependency check report (json) was analysed and was sucessfully uploaded in sonar

In sonarqube Ui under "dependency check" option as well we see the html report is available.

But We are not seeing these vulnerabilities numbers updated in the over all view section under vulnerabilities as seen below

I am using the following in our pom taking this example for multi module https://github.com/dependency-check/dependency-check-sonar-plugin/blob/master/examples/multi-module-maven/pom.xml as reference

 <properties>
        <sonar.dependencyCheck.jsonReportPath>target/dependency-check-report.json</sonar.dependencyCheck.jsonReportPath>
        <sonar.dependencyCheck.htmlReportPath>target/dependency-check-report.html</sonar.dependencyCheck.htmlReportPath>
    </properties>

<plugins>
            <plugin>
                    <groupId>org.sonarsource.scanner.maven</groupId>
                    <artifactId>sonar-maven-plugin</artifactId>
            </plugin>
           <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>7.1.1.</version>
                   <executions>
                        <execution>
                             <goals>
                                <goal>aggregate</goal>
                            </goals>
                    </execution>
                 </executions>
                 <configuration>
                     <formats>
                         <format>ALL</format>
                    </formats>
                </configuration>
            </plugin>
<plugins>

Expected behavior
Expect to see the details under Vulnerabilities section too. Ie the counts of vulnerabilities and details of each vulnerabilities as shown here

Is there any thing left to be configured or something i have missed? Any help in debugging this further would be really appreciated.

[Reamer]

Are you able to reproduce the bug with the multi-module-maven example project?

[kauppine]

I'm experiencing this same issue.
I am using SonarQube 8.9.8 with plugin version 3.0.1 and Dependency-Check 7.1.1 I'm also using Jenkins to analyze .csproj files with NuGet dependencies.

It seems that this plugin does not work properly with pull request analysis, because for any branches I do get proper vulnerabilities in SonarQube and I can see the HTML-report. However, for pull requests I can only see the HTML-report, but no vulnerabilities even if the vulnerabilities have been introduced in that particular pull request.

[Reamer]

@kauppine
The pull request feature is commercial, so I can't verify this.
If you can improve this plugin with the pull request feature, I would be very grateful for pull requests.
Please note that the pull request should only show new issues which are not included in the main branch. I don't know if SonarQube displays issues in PullRequest which disappear with a merge.

[kauppine]

@Reamer Sure, I would gladly help. Do you have any tips or advice for debugging this plugin? And the problem is that if the pull request introduces new vulnerabilities, they are not being presented outside the HTML report.

[Reamer]

You can enable the debug log with -X, if you are using maven.
The main entrypoint of the plugin -> https://github.com/dependency-check/dependency-check-sonar-plugin/blob/master/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckSensor.java#L148
To get you started, I've documented the main calls a bit.
Please note that the HTML report has nothing to do with the rest of the analysis.

    @Override
    public void execute(SensorContext sensorContext) {
        Profiler profiler = Profiler.create(LOGGER);
        profiler.startInfo("Process Dependency-Check report");
        if (DependencyCheckUtils.skipPlugin(sensorContext.config())) {
            LOGGER.info("Dependency-Check skipped");
        } else {
            Optional<Analysis> analysis = parseAnalysis(sensorContext);     ----> we try to parse the JSON or XML file (deprecated) to get a Java object with the required information
            if (analysis.isPresent()) {
                DependencyReasonSearcher dependencyReasonSearcher = new DependencyReasonSearcher(sensorContext); ---> We read in project files. Currently gradle, pom.xml and package-lock.json are supported.
                dependencyReasonSearcher.addDependenciesToInputComponents(analysis.get(), sensorContext);    ---> We look for the best position in the text project file where we can link the found vulnerable dependency. If there is no project file, then it is linked against the project. However, this behavior is not deterministically mapped in SonarQube, which is why bugs occur here.
                if (analysisWarnings != null ) {
                    addWarnings(analysis.get());
                }
            }
            uploadHTMLReport(sensorContext);
        }
        profiler.stopInfo();
    }

[kauppine]

I took some look into it and noticed that SonarSource has this item in their backlog: https://portal.productboard.com/sonarsource/3-sonarqube/c/295-new-pull-request-issues-on-unchanged-code
It says that "Currently, Pull Request analysis don’t report new issues raised on old code and issues raised at file level."
If I've understood correctly this pluging raises the issues on a file level.

[Reamer]

I've understood correctly this pluging raises the issues on a file level.

This is true, but generally a new vulnerable dependency is added when a change is made to a project file. How is it possible to create a new vulnerability without changing the project configuration file?

[Reamer]

@ckocyigit Works on my computer.

[sspizzirri]

Hi guys! Don't really know if someone solved this.
The issue i'm having is the only place sonar is showing me issues with vulnerabilities and stoping my pipeline is just in master.
Wether i run it in a dev branch, or a feature branch (other pull request) sonar doesn't fail and shows no vulnerabilities, but when I go to more -> dependency-check my report is there and it has vulnerabilities.
I'm using dep-check 7.2.1 and 2.0.8 for the sonar dep-check plugin.

[davidcyp]

Same issue here. SQ receives the reports for both non-PR as PR branches. For non-PR branches the quality gate fails and we can see a menu entry 'owasp dependency check' in the tab' measures' but for PR-branches however there is no such menu entry and the quality gate doens't fail.

[james-a-morgan]

We are experiencing the same issue. The PR build and analysis creates and uploads a report to SonarQube with the rest of the analysis, but the vulnerabilities in the UI are 0 and the Quality Gate passes. For the non-PR branches, everything works fine.

This is true, but generally a new vulnerable dependency is added when a change is made to a project file. How is it possible to create a new vulnerability without changing the project configuration file?

Vulnerabilities appear over time. We analyze our production code weekly to see what is affected by new CVEs as some code is not modified for months at a time.

I am going to see if I add a vulnerable package to one of my projects whether it will pick it up or not during a PR analysis.

[Reamer]

Vulnerabilities appear over time. We analyze our production code weekly to see what is affected by new CVEs as some code is not modified for months at a time.

You are right, therefore you should check your main branch regularly.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[github-actions]

This issue was closed because it has been stalled for 14 days with no activity.

[michalszelagsonos]

Can this issue be reopened? It is an existing issue that continues to be a problem for PRs.

[path2light]

Hey all-
I was facing the exact above issue (as OP). Managed to overcome it by adding the following attributes.
For dependency-check-maven
<configuration> <formats> <format>HTML</format> <format>JSON</format> </formats> </configuration>

and had to define properties
sonar.dependencyCheck.jsonReportPath
sonar.dependencyCheck.xmlReportPath

Version: sonarqube-9.9.0.65466, dependency-check-maven: 8.3.1
:)

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[michalszelagsonos]

Definitely still an issue, let's keep this open until it is addressed.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[michalszelagsonos]

Still a problem.

[arnabcse28]

This still appears to be an with SonarQube "Community EditionVersion 8.9.10 (build 61524)". Sonar Scanner: 4.6

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[michalszelagsonos]

Still a problem, keep it open

[andrzej-talarek]

Still nothing shown for Community EditionVersion 10.3 (build 82913) and plugin version 4.0.1.
What is strange, I can browse dependency-check report via sonarqube UI, but they are not reported in SECURITY ratings.

[ghaudiquet13]

idem, i have the same behavior on maven projects with Community Edition 9.9.3 and dependency-check-maven 9.0.9
Issue disappears with dependency-check-maven 8.4.3

[ghaudiquet13]

seen here : #888, issue fixed with plugin 9.0.9 migrating on sonarqube dependency-check-sonar-plugin from 4.0.0 to 4.0.1

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[obriat]

I don't know if it's related but my owasp dependency report file doesn't seem to be fully analysed by sonar.
Although the html report is available under the "Dependency-Check" and the numbers shown in the measure tab match the report, the Vulnerability issues does not seems include the "Dependency-Check" ones. The issue number is far lower (30 against 500) and seems unrelated (Vulnerability issues files don't match the "Dependency-Check" ones).
Is there a way to debug this behaviour?

[Reamer]

Is there a way to debug this behaviour?

Of course, run the Sonarscan plugin in debug mode.

Maven example mvn sonar:sonar -X

[obriat]

My sonarqube run as a systemd service, how can I add this option in this case ?

[Reamer]

You do not need to change the debug setting of SonarQube, but the debug setting of the SonarQube scanner.

[obriat]

After some debug, I found two problems :

• Messages 'yarn.lock' indexed with no language and 'composer.lock' indexed with no language: these files are analysed by depency-check but are not analysed by sonarqube, so all dependencies alerts are attributed to "lookalikes" files in sonar
• With gitlab-ci, sonarsource/sonar-scanner-cli docker container send relative paths but the gitlab-ci-utils/docker-dependency-check docker container use full path ( starting from the container inner root /). Again sonarqube could not match the reported paths exactly and attributed alerts to "lookalikes" files.

My 2c analyse:

The first point should be addressed in sonarqueb configuration, files should be attributed to an language: I didn't find anyway to do it. Should dependency-check-sonar-plugin provides a dummy language that catch lock files ?

The second point could be addressed in Owsap dependency-check with and option that changes (cd ?) root folder. Or maybe this plugin could provides an option to alter it before sending its report to sonar ?