Comments (8)
What does your configuration look like? Have you specified a single dependency-check.xml for the entire project or have you specified individual reports for each module in sonar?
from dependency-check-sonar-plugin.
@stevespringett, I have a multi-module Maven project and I generated dependency-check.xml via the "aggregate" goal of the "owasp-dependency-check" Maven plugin. So I have a single dependency-check.xml report for the entire project as a result. Then I passed this report to Sonar via the sonar.dependencyCheck.reportPath=target/dependency-check-report.xml property. Eventually, I got some results in Sonar. But the OWASP widget shows an incorrect number of dependencies, and the number of vulnerability issues is incorrect too. It seems that the plugin does not distribute the vulnerabilities per module correctly.
from dependency-check-sonar-plugin.
For a multi-module project, you'll need to specify the dependency-check-report.xml for each module, as the aggregate report does not include which module a vulnerability was found in.
Follow the examples in https://github.com/stevespringett/dependency-check-sonar-plugin/tree/master/examples/multi-module-maven-runner for how to use in a multi-module project. If you continue to have issues with counts being incorrect, reopen this ticket or create a new one.
from dependency-check-sonar-plugin.
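As an added example (not code from the plugin or from this thread), a small Python script that totals the dependencies and vulnerabilities in a dependency-check XML report, so the counts the Sonar widget displays can be checked against what the raw aggregate report actually contains. The element names (dependency, vulnerability, severity) are assumed from the report format, and the embedded report is a constructed sample.

```python
"""Count what a dependency-check XML report actually contains, so the numbers
shown by the SonarQube widget can be checked against the raw report."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a dependency-check XML report (element names
# are an assumption; the namespace is stripped so any schema version parses alike).
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.0.xsd">
  <dependencies>
    <dependency>
      <fileName>commons-collections-3.2.1.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0001</name><severity>HIGH</severity></vulnerability>
        <vulnerability><name>CVE-EXAMPLE-0002</name><severity>MEDIUM</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>guava-19.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0003</name><severity>HIGH</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency><fileName>slf4j-api-1.7.25.jar</fileName></dependency>
  </dependencies>
</analysis>"""


def _local(tag):
    """Drop the XML namespace so reports with different xsd URIs parse the same way."""
    return tag.rsplit("}", 1)[-1]


def summarize_report(xml_text):
    """Return the totals the widget should agree with: dependencies and vulns by severity."""
    root = ET.fromstring(xml_text)
    deps = [e for e in root.iter() if _local(e.tag) == "dependency"]
    by_severity = Counter()
    vulnerable_deps = 0
    for dep in deps:
        vulns = [v for v in dep.iter() if _local(v.tag) == "vulnerability"]
        if vulns:
            vulnerable_deps += 1
        for v in vulns:
            sev = next((c.text for c in v if _local(c.tag) == "severity"), None)
            by_severity[(sev or "UNKNOWN").upper()] += 1
    return {"dependencies": len(deps), "vulnerable_dependencies": vulnerable_deps,
            "vulnerabilities": sum(by_severity.values()), "by_severity": dict(by_severity)}


if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

Run it against the real target/dependency-check-report.xml to get the dependency and vulnerability totals the aggregate report carries; a module breakdown is not possible from it, since the aggregate report does not record which module each finding belongs to.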
@stevespringett, thank you for the reply. Right, I use it like you suggest. But for me, it is pretty uncomfortable to use it this way with Sonar, because the project is opened on the root module (pom) page by default in the Sonar dashboard and I cannot see aggregate information for all modules via the widget on the root page, as is common best practice.
from dependency-check-sonar-plugin.
So if I understand correctly: you do not have a way to aggregate the raw dependency-check results that you would normally get from the Gradle or Maven plugin, and you want the Sonar plugin to aggregate the results for you?
Let me look into this to see if it's possible without breaking conventional dependency-check use cases.
from dependency-check-sonar-plugin.
@stevespringett, right. Actually, I don't know the nuances of the implementation, but I would propose the following approaches:
- Sonar plugin aggregates the multiple reports from each module, as you mention above.
- Add information about vulnerabilities per module to the single aggregated report and make the Sonar plugin "understand" this report (since "the aggregate report does not include which module a vulnerability was found in").
from dependency-check-sonar-plugin.
@stevespringett / @Prix1: I use dependency-check-maven:aggregate sonar:sonar
and this in Maven's settings.xml:
    <sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
Essentially the plugin only picks the report up on the reactor build. On the internal module builds it doesn't report anything. This is not perfect, but it does mean the aggregate values are correct and the check is much faster (because you use the aggregate goal).
from dependency-check-sonar-plugin.
Closing this issue, because it's quite old. With version 1.2.2 and above, only dependency-check:aggregate is supported.
from dependency-check-sonar-plugin.