
Comments (9)

stevespringett avatar stevespringett commented on August 18, 2024

Refer to #3. This ticket has many details that you'll need.

from dependency-check-sonar-plugin.

matt-shaw avatar matt-shaw commented on August 18, 2024

Thanks. I've read through ticket #3 and am slightly confused. If I set up Sonar sources to point at dependency-check-report.xml, then the metrics from that file will be added into my project metrics (LOC, etc.) and checked against our standard XML rules, which will fail??

Is that what you meant? Cobertura does a similar thing but is happy with the file being in a target directory?


stevespringett avatar stevespringett commented on August 18, 2024

I'll check out the Cobertura plugin to see what they're doing that doesn't require dependency-check-report.xml to be included in Sonar sources. As of today, you're correct. The contents of the report will be added to your project's metrics.


stevespringett avatar stevespringett commented on August 18, 2024

Cobertura reports against actual source files. These source files are already indexed by Sonar, so it is possible for Cobertura to have a report outside of the source path.

SonarQube has the false assumption that all code quality issues will have corresponding source files. This is true for the overwhelming majority of cases, but there are many corner cases in which this assumption is false, component analysis being one of those cases.

SonarQube requires a Resource (a file that it indexed, such as a source file) in order to create an Issue. This requirement is the reason why dependency-check-report.xml is used as a source file. The Dependency-Check report will contain filepaths to components that will typically not reside in the project workspace. For example, the default for Maven is ~/.m2. So although the POM resides in the workspace, the resolution to the files on the filesystem does not. Therefore, a source file must be used in its place. You'll notice that for all Dependency-Check issues in SonarQube, when you click into the issue, it takes you to the XML report. This is the 'source file' that the plugin uses because it's required to have a source file to create the issue in the first place.

If you'd like to have the ability to parse the report outside of the source path, then you may want to add an enhancement request over at SonarSource. I'd love to be able to create issues without having a corresponding source file present.


oliverbrandt avatar oliverbrandt commented on August 18, 2024

You are correct in saying an issue has to be created on a resource. As it is not really obvious, I'd like to point out that a Project is also a Resource. So passing a Project instead of an InputFile into addIssues(...) and casting it to Resource in the assignment to Issuable leads to the issues being attached to the corresponding (sub-)project. That way we (@amandel and I) were able to configure just the report path (and not set sonar.sources) on the parent POM, resulting in the dependency check results also being picked up along the way in submodules. I could provide a PR with the changes if you are interested.

It might also be a good idea to attach the issues to the file (and possibly also the line) defining a dependency if that file is available as resource. But I think that would require the analysis process to provide additional information.

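The Project-as-Resource approach described in the comment above, written out as an added example (this is not code from dependency-check-sonar-plugin or from the commenter): a sensor that hands the Project to ResourcePerspectives and raises one issue per vulnerable dependency, so nothing in sonar.sources has to point at the report. It assumes the SonarQube 4.x plugin API that the names Issuable, Resource, InputFile and Project belong to; the rule repository key, rule key and report-path property are placeholders, and the element names used to read the report are those of the Dependency-Check XML report.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.sonar.api.batch.Sensor;
import org.sonar.api.batch.SensorContext;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.component.ResourcePerspectives;
import org.sonar.api.config.Settings;
import org.sonar.api.issue.Issuable;
import org.sonar.api.resources.Project;
import org.sonar.api.resources.Resource;
import org.sonar.api.rule.RuleKey;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Illustrative sensor, not the plugin's code. Rule repository, rule key and property name are assumed.
public class ProjectLevelDependencyCheckSensor implements Sensor {
    static final String REPOSITORY_KEY = "OWASP";
    static final String RULE_KEY = "UsingComponentWithKnownVulnerability";
    static final String REPORT_PATH_PROPERTY = "sonar.dependencyCheck.reportPath";

    private final ResourcePerspectives perspectives;
    private final Settings settings;
    private final FileSystem fs;

    public ProjectLevelDependencyCheckSensor(ResourcePerspectives perspectives, Settings settings, FileSystem fs) {
        this.perspectives = perspectives;
        this.settings = settings;
        this.fs = fs;
    }

    public boolean shouldExecuteOnProject(Project project) {
        return settings.getString(REPORT_PATH_PROPERTY) != null;
    }

    public void analyse(Project project, SensorContext context) {
        // A Project is itself a Resource, so the Resource overload of as(...) accepts it: the report never
        // has to be in sonar.sources, and with one sensor run per module each module's findings land on it.
        Issuable issuable = perspectives.as(Issuable.class, (Resource) project);
        if (issuable == null) {
            return; // no Issuable perspective for this resource in this run
        }
        File report = fs.resolvePath(settings.getString(REPORT_PATH_PROPERTY)); // relative to the module
        if (!report.isFile()) {
            return; // e.g. a parent POM that has no report of its own
        }
        for (String message : readFindings(report)) {
            Issuable.IssueBuilder builder = issuable.newIssueBuilder()
                    .ruleKey(RuleKey.of(REPOSITORY_KEY, RULE_KEY))
                    .message(message); // no line(): a vulnerable jar has no source line to point at
            issuable.addIssue(builder.build());
        }
    }

    // One message per (dependency, CVE) pair. Element names follow the Dependency-Check XML report:
    // analysis/dependencies/dependency/{fileName, vulnerabilities/vulnerability/name}. Only direct
    // children are matched, so a <name> nested under <references> is not taken for a CVE id.
    static List<String> readFindings(File report) {
        List<String> findings = new ArrayList<String>();
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // The report is build output, but harden the parser anyway: no DOCTYPE, no entity expansion.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setExpandEntityReferences(false);
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().parse(report);
            for (Element deps : children(doc.getDocumentElement(), "dependencies")) {
                for (Element dep : children(deps, "dependency")) {
                    String component = text(children(dep, "fileName"));
                    for (Element vulns : children(dep, "vulnerabilities")) {
                        for (Element vuln : children(vulns, "vulnerability")) {
                            findings.add(component + ": " + text(children(vuln, "name")));
                        }
                    }
                }
            }
        } catch (Exception e) {
            throw new IllegalStateException("Cannot read Dependency-Check report " + report, e);
        }
        return findings;
    }

    private static List<Element> children(Element parent, String localName) {
        List<Element> result = new ArrayList<Element>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && localName.equals(n.getLocalName())) {
                result.add((Element) n);
            }
        }
        return result;
    }

    private static String text(List<Element> elements) {
        return elements.isEmpty() ? "?" : elements.get(0).getTextContent().trim();
    }
}
```

The trade-off against the original approach is navigation: because the issue hangs off the project rather than the indexed report file, clicking it in SonarQube no longer opens the XML. If that link is wanted, the InputFile overload of ResourcePerspectives.as(...) with the report indexed as a source remains the alternative.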

matt-shaw avatar matt-shaw commented on August 18, 2024

Hi,

I would really like to use this plugin but I have some comments/suggested features that would allow us to use it:

  1. Allow it to be turned on/off through the Sonar GUI
  2. Allow it to be turned on/off through the Sonar GUI per project.
  3. It wouldn't read an aggregated report from the Maven OWASP plugin, which is what we generate.
  4. We can't really have the output XML file be included in the project metrics.

Just some thoughts.

Matt


stevespringett avatar stevespringett commented on August 18, 2024

@matt-shaw Please create individual github issues for each enhancement request or defect.

@oliverbrandt Thanks for the pointer to use the Project object. Never occurred to me to do that.

Added examples and updated the plugin. Please use what is currently checked into the master branch rather than the 1.0.0 release.


matt-shaw avatar matt-shaw commented on August 18, 2024

I've added those issues. I hope that helps.


stevespringett avatar stevespringett commented on August 18, 2024

1.0.1 released which should resolve the reported issue.

