Comments (10)
Hi Team, any update?
Thanks
Ivan Geng
from dependency-check-sonar-plugin.
What version of SonarQube? Issues are generated against the project, not a particular source file. Are there any changes to the project in SQ prior to this issue occurring?
The SonarQube version is 5.6.1.
Issues were not reported on the source files. The issues were reported on JARs. As some of the JARs are already the latest, or the latest version has known issues, we marked them as 'Won't Fix'.
A few days later some files were reported again (no change to the jar dependencies), but not all of the issues happened again.
Any suggestion? Thanks.
Hi @stevespringett , any suggestion? Thanks.
Have you compared the paths of the jars from each of the runs? Are the paths exactly the same? If not, then they would be considered separate issues. I've looked through the plugin code and don't see anything that would cause this issue randomly. You may want to diff the DC XML files.
Also, can you provide me the exact version of a few jars that you've seen this with?
@stevespringett, you are right. Actually, the alerts were reported on different types of files: in the war and as an individual jar. But the incorrect alert behavior is not consistent; I haven't figured out when it was reported again.
I think the reason should be that the alert status had been moved to FIXED, so Sonar treats them as new issues.
Please find one sample jar: jackson-mapper-asl-1.9.13.jar.
By the way, can you give any more detail about this: "You may want to diff the DC XML files."
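The "diff the DC XML files" suggestion above can be scripted. The following is an added example, not code from the plugin or from anyone in this thread: it parses two Dependency-Check XML reports, keys each scanned dependency on its sha1 rather than its file path, and reports artifacts whose path changed between runs (for instance the same jar scanned once on its own and once inside the packaged war). Those are exactly the findings the plugin will raise as new issues, since a different path is a different issue. The two reports are constructed inline; the sha1 values and CVE ids are placeholders, and the namespace URI is an assumption that is stripped during parsing so the script is not tied to one schema version.

```python
"""Diff two Dependency-Check XML reports by artifact identity (sha1).

Added example for this thread, not the plugin's own code. Artifacts whose
filePath differs between runs are the ones SonarQube will treat as new
issues even though the jar and its findings are unchanged.
"""
import xml.etree.ElementTree as ET

# Constructed sample reports. The sha1 values and CVE ids are placeholders,
# not real hashes or advisories; the element names follow the
# Dependency-Check XML report and the namespace URI is an assumption.
SHA_JACKSON = "a" * 40
SHA_OTHER = "b" * 40

REPORT_RUN1 = f"""<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.0.xsd">
  <dependencies>
    <dependency>
      <fileName>jackson-mapper-asl-1.9.13.jar</fileName>
      <filePath>/ci/ws/target/app/WEB-INF/lib/jackson-mapper-asl-1.9.13.jar</filePath>
      <sha1>{SHA_JACKSON}</sha1>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>other-lib-1.0.jar</fileName>
      <filePath>/ci/ws/target/app/WEB-INF/lib/other-lib-1.0.jar</filePath>
      <sha1>{SHA_OTHER}</sha1>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0002</name></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""

# Second run: the same jar was scanned inside the packaged war, so its
# filePath differs although the artifact (sha1) is identical.
REPORT_RUN2 = f"""<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.0.xsd">
  <dependencies>
    <dependency>
      <fileName>jackson-mapper-asl-1.9.13.jar</fileName>
      <filePath>/ci/ws/target/app.war/WEB-INF/lib/jackson-mapper-asl-1.9.13.jar</filePath>
      <sha1>{SHA_JACKSON}</sha1>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_report(xml_text):
    """Return {sha1: {"paths": set, "cves": set}} for one report.

    A jar that appears several times (standalone and inside a war) is
    merged into one record keyed on its sha1; if a dependency has no
    sha1 the path is used as the key instead.
    """
    deps = {}
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): c for c in dep}
        path = (fields["filePath"].text or "").strip() if "filePath" in fields else ""
        sha1 = (fields["sha1"].text or "").strip() if "sha1" in fields else ""
        cves = set()
        vulns = fields.get("vulnerabilities")
        if vulns is not None:
            for v in vulns:
                if _local(v.tag) != "vulnerability":
                    continue
                for c in v:
                    if _local(c.tag) == "name" and c.text:
                        cves.add(c.text.strip())
        rec = deps.setdefault(sha1 or path, {"paths": set(), "cves": set()})
        rec["paths"].add(path)
        rec["cves"] |= cves
    return deps


def diff_reports(old, new):
    """Compare two parsed reports. 'moved' entries are artifacts whose
    path set changed; these resurface as new issues in SonarQube."""
    moved, removed = [], []
    for sha1, rec in old.items():
        if sha1 not in new:
            removed.append(sha1)
        elif rec["paths"] != new[sha1]["paths"]:
            moved.append((sha1, sorted(rec["paths"]), sorted(new[sha1]["paths"])))
    added = [sha1 for sha1 in new if sha1 not in old]
    return {"moved": moved, "removed": removed, "added": added}


def summarize(diff):
    """One line per change, suitable for a CI log."""
    lines = [f"MOVED {s[:12]}: {b} -> {a}" for s, b, a in diff["moved"]]
    lines += [f"REMOVED {s[:12]}" for s in diff["removed"]]
    lines += [f"ADDED {s[:12]}" for s in diff["added"]]
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: diff_dc.py old-report.xml new-report.xml
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            old, new = parse_report(f1.read()), parse_report(f2.read())
    else:
        old, new = parse_report(REPORT_RUN1), parse_report(REPORT_RUN2)
    print("\n".join(summarize(diff_reports(old, new))) or "no differences")
```

Run it against the `dependency-check-report.xml` from two consecutive builds; any `MOVED` line is a finding whose 'Won't Fix' status will not carry over because SonarQube sees a different path, which matches the war-versus-standalone-jar observation earlier in the thread.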
This still appears to be an issue with version 1.1.2 of this plugin, and version 6.7.6 of SonarQube.
It seems that the "key" of the issue changes with each run, causing the issues to be marked as "isNew" in the JSON report, which in turn ends up falsely marking some builds as introducing "new" issues that have been around for months.
Hi,
please check out the new version of this plugin:
1.1.4 for Sonarqube 6.7.5 and above
1.2.3 for Sonarqube 7.6 and above
This should be fixed with the current version of this plugin. This plugin looks for a pom.xml or gradle.build in your project to link issues against these files.