Does not work for multimodule project about dependency-check-sonar-plugin HOT 9 CLOSED

The Dependency-Check report must exist in the workspace that is being scanned. By default, the Dependency-Check Sonar plugin will use 'dependency-check-report.xml' if sonar.dependencyCheck.reportPath is not specified.

You may have to specify sonar.dependencyCheck.reportPath if the report is in a subdirectory or has another name.

from dependency-check-sonar-plugin.

A report is not generated when no dependencies were found. This consequently breaks the sonar plugin, as it always expects the XML file.

from dependency-check-sonar-plugin.

Maybe I've configured it incorrectly.

In our corporate parent pom, I've configured the reporting section something like this

      <reporting>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <reportSets>
              <reportSet>
                <reports>
                  <report>check</report>
                  <report>aggregate</report>
                </reports>
              </reportSet>
            </reportSets>
            <configuration>
              <skipProvidedScope>true</skipProvidedScope>
              <format>ALL</format>
            </configuration>
          </plugin>
        </plugins>
      </reporting>

A typical project has a parent (that inherits from the corporate parent pom) and then a ear and war module. Both ear and war have dependencies, the project pom does not.

After doing a site build, a listing of the dependency check created artifacts look like this

./EAR_MODULE/target/site/dependency-check-report.html
./EAR_MODULE/target/site/dependency-check-report.xml
./EAR_MODULE/target/site/dependency-check-vulnerability.html
./EAR_MODULE/target/dependency-check.ser
./WAR_MODULE/target/site/dependency-check-report.html
./WAR_MODULE/target/site/dependency-check-report.xml
./WAR_MODULE/target/site/dependency-check-vulnerability.html
./WAR_MODULE/target/dependency-check.ser
./target/site/dependency-check-report.html
./target/dependency-check.ser

from dependency-check-sonar-plugin.

I checked in a fix for a defect I discovered that would produce the 'does not exist' message when no report was specified or existed. d7fc427

I've tested it using a Sonar config similar to the following:

sonar.modules=parent,module1,module2
parent.sonar.projectBaseDir=target
parent.sonar.sources=site
module1.sonar.sources=src
module2.sonar.sources=src
parent.sonar.dependencyCheck.reportPath=site/dependency-check-report.xml

In this scenario, the aggregated Dependency-Check report will show up in the 'parent' module. Not sure if there's a better way to do this or not.

Test the code in the master branch and see if that solves the reported issue.

from dependency-check-sonar-plugin.

1. Just to confirm, is it valid to have both "check" and "aggregate" reports in the same config?
2. And if so, then in the top level ./target/site/ directory shouldn't it also have a dependency-check-report.xml file?

Thanks so much for all the work.

from dependency-check-sonar-plugin.

I've never see both check and aggregate in the same config like that. I typically use the check goal in <build><plugins> - usually on a single module or project. For a multi-module project I only use the aggregate goal when running a site report. Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

The aggregate will produce the report in ./target/site.

This is the aggregate config I usually use:

<reporting>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>1.2.11</version>
            <reportSets>
                <reportSet>
                    <reports>
                        <report>aggregate</report>
                    </reports>
                </reportSet>
            </reportSets>
            <configuration>
                <format>ALL</format>
            </configuration>
        </plugin>
    </plugins>
</reporting>

from dependency-check-sonar-plugin.

So maybe I'm trying to do something that's not possible (yet). Our setup is that we have one corporate parent pom that configures all plugins, reports, etc. Then ~150 projects inherit from that with 3-25+ modules per project. That way each project typically only has to specify their dependencies.

from dependency-check-sonar-plugin.

What you're attempting to do should be possible and in fact is a very common way to standardize and simplify Maven builds.

From the file listing you provided, it appears that the XML report is not being generated in ./target/site like it should be. This is unusual and I'm unable to reproduce this.

If you're having difficulties producing the report, you may want to head over to https://github.com/jeremylong/DependencyCheck/issues or https://groups.google.com/forum/#!forum/dependency-check and ask around.

When you're at a point where the report is being produced, go ahead and try the sonar plugin again and let me know if you have any issues.

from dependency-check-sonar-plugin.

I've tested the plugin with multiple multi-module projects and the current release appears to work. I'm closing the ticket. If you experience issues again with multi-module projects not working, feel free to reopen the ticket.

from dependency-check-sonar-plugin.