Comments (12)
Did you specify:
sonar.dependencyCheck.reportPath
(case sensitive)
from dependency-check-sonar-plugin.
dependency-check-report.xml no longer needs to be part of the paths defined in sonar.sources. Can you test 1.0.3 and let me know if you're still having trouble.
from dependency-check-sonar-plugin.
I have installed the 1.0.3 version of the plugin. But still facing the same issue. I think the sensor ot getting invoked is the issue.
<sonar.src>.</sonar.src>
<sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
SOnar logs: Clearly shows the plugin is loaded, but sensor is not invoked. Do i need to decalre anything additional in the pom except the report path.
Note: the report is available in Jekins ${WORKSPACE}\dependency-check-report.xml
from dependency-check-sonar-plugin.
The plugin appears to be downloading, but it's not getting invoked. You should see something like this in your logs:
INFO - Sensor OWASP Dependency-Check
INFO - Process Dependency-Check report
INFO - Process Dependency-Check report (done) | time=977ms
INFO - Sensor OWASP Dependency-Check (done) | time=979ms
Setting sonar.dependencyCheck.reportPath is all that's required. If the plugin cannot find the report, you'll see this in the logs:
WARN - Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: path/to/dependency-check-report.xml
But I'm not even seeing that, which leads me to believe that Sonar isn't even running the plugin.
from dependency-check-sonar-plugin.
@stevespringett , I have tried re-installing and with different instances of Sonar. The result is the same.
from dependency-check-sonar-plugin.
Are you using Sonar Runner, Sonar Jenkins plugin, or Sonar Maven plugin to kick off the job?
from dependency-check-sonar-plugin.
Sonar Jenkins plugin
from dependency-check-sonar-plugin.
Using:
Jenkins 1.609.1
Jenkins SonarQube Plugin 2.3 (configured with SonarQube Runner 2.3 or 2.4)
SonarQube 5.2
I cannot reproduce the issue on a new/default SonarQube install using the embedded database. I typically use the following properties in a SonarQube build step in the Jenkins job config:
sonar.projectKey=my-project-key
sonar.projectName=my-project-name
sonar.projectVersion=1.0.0-SNAPSHOT
sonar.sources=${WORKSPACE}/src
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml
Have you tried the examples?
from dependency-check-sonar-plugin.
I will give it a try soon and then keep you posted.
from dependency-check-sonar-plugin.
Closing. If you're still having issues, feel free to reopen or create a new ticket
from dependency-check-sonar-plugin.
sorry for the delay. it worked fine
from dependency-check-sonar-plugin.
Hello.
I'm using Sonar 5.6.5 with OWASP DC plugin 1.0.3. My jobs on Jenkins run dependency check (using maven plugin), and the results are collected on Jenkins. But the Sonar sensor is not launched (no log, no error in console out), and thus analysis results are not collected...
Should I configure something on the Sonar side to activate the sensor. Other analysis sensors run as expected : Cobertura, PMD, etc...
Thanks for your help.
Regards.
from dependency-check-sonar-plugin.
Related Issues (20)
- Update dependency-check-maven 9.0.X breaks Sonarqube Vulnerabilities report / JSON-Analysis aborted HOT 9
- NVD Api key config missing HOT 1
- SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource HOT 7
- Html report break sonar UI
- Issue with Documentation for 10.2+ HOT 1
- Add "DownloadOnlyWhenRequired" to packaging HOT 2
- Update 5.0.0 Release Notes to Clarify SonarQube Version Compatibility HOT 2
- Pnpm vulnerabilities are not shown in sonarqube HOT 5
- [SonarQube] : Quality gates missing settings HOT 3
- Sonar dependency check multi project setup HOT 2
- Issues and hotspots doesn't include dependency-check vulnerabilities HOT 10
- Release 5.0 not compatible with SonarQube 9.9 LTA HOT 1
- Dependency-Check JSON report does not exists. JSON-Analysis skipped/aborted due to missing report file HOT 3
- Integration with SonarCloud HOT 3
- Not Flagging Hotspots Since Friday. HOT 5
- Dynamic parts of dependency report when opened from SonarQube not working HOT 4
- high_severity_vulns\u0027 does not exist HOT 3
- Report content is not deplyed within SonarQube HOT 1
- Critical CVEs only get C rating instead of E HOT 1
- SecurityHotspots don't work with the dotnet multi csproj example
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-check-sonar-plugin.