Cannot analyze dependency check report from Jenkins about dependency-check-sonar-plugin HOT 12 CLOSED

Did you specify:

sonar.dependencyCheck.reportPath

(case sensitive)

from dependency-check-sonar-plugin.

dependency-check-report.xml no longer needs to be part of the paths defined in sonar.sources. Can you test 1.0.3 and let me know if you're still having trouble.

from dependency-check-sonar-plugin.

I have installed the 1.0.3 version of the plugin. But still facing the same issue. I think the sensor ot getting invoked is the issue.

<sonar.src>.</sonar.src>
<sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>

SOnar logs: Clearly shows the plugin is loaded, but sensor is not invoked. Do i need to decalre anything additional in the pom except the report path.

owasp-debug.txt

Note: the report is available in Jekins ${WORKSPACE}\dependency-check-report.xml

from dependency-check-sonar-plugin.

The plugin appears to be downloading, but it's not getting invoked. You should see something like this in your logs:

INFO - Sensor OWASP Dependency-Check
INFO - Process Dependency-Check report
INFO - Process Dependency-Check report (done) | time=977ms
INFO - Sensor OWASP Dependency-Check (done) | time=979ms

Setting sonar.dependencyCheck.reportPath is all that's required. If the plugin cannot find the report, you'll see this in the logs:

WARN - Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: path/to/dependency-check-report.xml

But I'm not even seeing that, which leads me to believe that Sonar isn't even running the plugin.

from dependency-check-sonar-plugin.

@stevespringett , I have tried re-installing and with different instances of Sonar. The result is the same.

from dependency-check-sonar-plugin.

Are you using Sonar Runner, Sonar Jenkins plugin, or Sonar Maven plugin to kick off the job?

from dependency-check-sonar-plugin.

Sonar Jenkins plugin

from dependency-check-sonar-plugin.

Using:
Jenkins 1.609.1
Jenkins SonarQube Plugin 2.3 (configured with SonarQube Runner 2.3 or 2.4)
SonarQube 5.2

I cannot reproduce the issue on a new/default SonarQube install using the embedded database. I typically use the following properties in a SonarQube build step in the Jenkins job config:

sonar.projectKey=my-project-key
sonar.projectName=my-project-name
sonar.projectVersion=1.0.0-SNAPSHOT
sonar.sources=${WORKSPACE}/src
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml

Have you tried the examples?

from dependency-check-sonar-plugin.

I will give it a try soon and then keep you posted.

from dependency-check-sonar-plugin.

Closing. If you're still having issues, feel free to reopen or create a new ticket

from dependency-check-sonar-plugin.

sorry for the delay. it worked fine

from dependency-check-sonar-plugin.

Hello.

I'm using Sonar 5.6.5 with OWASP DC plugin 1.0.3. My jobs on Jenkins run dependency check (using maven plugin), and the results are collected on Jenkins. But the Sonar sensor is not launched (no log, no error in console out), and thus analysis results are not collected...

Should I configure something on the Sonar side to activate the sensor. Other analysis sensors run as expected : Cobertura, PMD, etc...

Thanks for your help.

Regards.

from dependency-check-sonar-plugin.