Comments (3)
SonarQube doesn't have traditional security-specific security ratings, so the rating is hard coded to match the severity output from Dependency-Check which follows the recommendations from NIST.
CVSS Score >= 7.0 = Critical (High)
CVSS Score 4.0-6.9 = Major (Medium)
CVSS Score < 4.0 = Minor (Low)
What I did not want to do is have configurable severities in SonarQube, when the output from Dependency-Check and the Jenkins dashboard would display an entirely different rating.
Ideally, the severities could be broken down into Critical, High, Medium, and Low, however, Sonar doesn't allow this as the Severity class has hard coded items and cannot be extended.
from dependency-check-sonar-plugin.
Thanks for the clarification. This makes a lot of sense and I will have to think about how to set it up taking this into consideration.
Just to give you an idea of what I was trying to achieve:
I am introducing the dependency-check-maven-plugin into our CI builds that also run a sonar check. We are using the Build Breaker Plugin for SonarQube. The Quality Gate is setup to trigger when there are critical issues. Since I was just trying to get an idea of what the state of our applications is I didn't want the Quality Gate to fail the builds. Just collect data and present it. Then I can update the problematic dependencies and following that let the builds fail for vulnerable dependencies.
What might be a possibility is to stop using the Build Breaker and just use SonarQube's notification system which as I understand is the preferred way anyway. I will have to talk this through with my colleagues though.
You can close the issue if you want. I will re-open if I have further questions.
Thanks!
from dependency-check-sonar-plugin.
Just as an idea, could you split it up in 3 different rules with different default severities? One for each CVSS range?
from dependency-check-sonar-plugin.
Related Issues (20)
- Support for Sonar 10.2 Software Quality Severities HOT 7
- [Quality Gates] : Owasp Dependency check HOT 1
- assets section of each release doesnt include .sha256 file HOT 1
- Integrate OWASP plugin with SonarQube from Azure Pipeline
- 9.0.2 of dependency-check plugin throws JSON parsing error with field "CvssV2.confidentialityImpact" HOT 4
- Update dependency-check-maven 9.0.X breaks Sonarqube Vulnerabilities report / JSON-Analysis aborted HOT 9
- NVD Api key config missing HOT 1
- SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource HOT 7
- Html report break sonar UI
- Issue with Documentation for 10.2+ HOT 1
- Add "DownloadOnlyWhenRequired" to packaging HOT 2
- Update 5.0.0 Release Notes to Clarify SonarQube Version Compatibility HOT 2
- Pnpm vulnerabilities are not shown in sonarqube HOT 5
- [SonarQube] : Quality gates missing settings HOT 3
- Sonar dependency check multi project setup HOT 2
- Issues and hotspots doesn't include dependency-check vulnerabilities HOT 10
- Release 5.0 not compatible with SonarQube 9.9 LTA HOT 1
- Dependency-Check JSON report does not exists. JSON-Analysis skipped/aborted due to missing report file HOT 3
- Integration with SonarCloud HOT 2
- Not Flagging Hotspots Since Friday. HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-check-sonar-plugin.