
Comments (3)

stevespringett commented on August 18, 2024

SonarQube doesn't have traditional security-specific security ratings, so the rating is hard coded to match the severity output from Dependency-Check which follows the recommendations from NIST.

CVSS Score >= 7.0 = Critical (High)
CVSS Score 4.0-6.9 = Major (Medium)
CVSS Score < 4.0 = Minor (Low)

What I did not want to do is have configurable severities in SonarQube, when the output from Dependency-Check and the Jenkins dashboard would display an entirely different rating.

Ideally, the severities could be broken down into Critical, High, Medium, and Low; however, Sonar doesn't allow this, as the Severity class has hard-coded items and cannot be extended.

from dependency-check-sonar-plugin.

ArloL commented on August 18, 2024

Thanks for the clarification. This makes a lot of sense and I will have to think about how to set it up taking this into consideration.

Just to give you an idea of what I was trying to achieve:

I am introducing the dependency-check-maven-plugin into our CI builds that also run a sonar check. We are using the Build Breaker Plugin for SonarQube. The Quality Gate is set up to trigger when there are critical issues. Since I was just trying to get an idea of what the state of our applications is, I didn't want the Quality Gate to fail the builds. Just collect data and present it. Then I can update the problematic dependencies and, following that, let the builds fail for vulnerable dependencies.

What might be a possibility is to stop using the Build Breaker and just use SonarQube's notification system, which as I understand is the preferred way anyway. I will have to talk this through with my colleagues though.

You can close the issue if you want. I will re-open if I have further questions.

Thanks!


amandel commented on August 18, 2024

Just as an idea, could you split it up into 3 different rules with different default severities? One for each CVSS range?

