The "aggregate" dependency-check.xml report is not parsed correctly by sonar plugin about dependency-check-sonar-plugin HOT 8 CLOSED

What does your configuration look like? Have you specified a single dependency-check.xml for the entire project or have you specified individual reports for each module in sonar?

from dependency-check-sonar-plugin.

@stevespringett, I have multi-modules maven project and I generated dependency-check.xml via "aggregate" goal from "owasp-dependency-check" maven plugin. So I have single dependency-check.xml report for the entire project as result.Then I passed this report to sonar via sonar.dependencyCheck.reportPath=target/dependency-check-report.xml property. Eventually, I got some result in sonar. But owasp widget shows incorrect number of dependencies and number of vulnerabilities issues is incorrect too. It seems that plugin does not distribute the vulnerabilities per modules correctly.

from dependency-check-sonar-plugin.

For a multi-module project, you'll need to specify the dependency-check-report.xml for each module, as the aggregate report does not include which module a vulnerability was found in.

Follow the examples in https://github.com/stevespringett/dependency-check-sonar-plugin/tree/master/examples/multi-module-maven-runner for how to use in a multi-module project. If you continue to have issues with counts being incorrect, reopen this ticket or create a new one.

from dependency-check-sonar-plugin.

@stevespringett, Thak you for reply. Right, I use it like you suggest. But as for me, it is pretty uncomfortable to use it in this way with sonar, because the project is opened on root module (pom) page by default in sonar dashboard and I cannot see aggregate information for all modules via widget on root page like a common best practice.

from dependency-check-sonar-plugin.

So if I understand correctly. You do not have a way to aggregate your raw dependency-check results that you would normally get from the gradle or maven plugin. You want the sonar plugin to aggregate the results for you?

Let me look into this to see if it's possible without breaking conventional dependency-check use cases.

from dependency-check-sonar-plugin.

@stevespringett, right. Actually, I don't know the nuances of implementation, but I would propose the next approaches:

1. Sonar plugin aggregates the multiple reports from each module, as you mention above.
2. Add information about vulnerabilities per modules to single aggregated report and force sonar plugin to "understand" this report (due to "the aggregate report does not include which module a vulnerability was found in.")

from dependency-check-sonar-plugin.

@stevespringett / @Prix1: I use dependency-check-maven:aggregate sonar:sonar and this in maven's settings.xml:

<sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>

Essentially the plugin only picks the report up on the reactor build. On the internal module builds it doesn't report anything. This is not perfect, but it does mean the aggregate values are correct and the check is much faster (because you use the aggregate goal).

from dependency-check-sonar-plugin.

Closing this issue, because it's quite old. With Version 1.2.2 and above only dependency-check:aggregate is supported.

from dependency-check-sonar-plugin.