Comments (9)
Refer to #3. This ticket has many details that you'll need.
from dependency-check-sonar-plugin.
Thanks. I've read through ticket #3 and am slightly confused. If I set up Sonar sources to point at dependency-check-report.xml, then the metrics from that file will be added into my project metrics (LOC, etc.) and checked against our standard XML rules, which will fail?
Is that what you meant? Cobertura does a similar thing but is happy with the file being in a target directory?
I'll check out the Cobertura plugin to see what they're doing that doesn't require dependency-check-report.xml to be included in sonar sources. As of today, you're correct. The contents of the report will be added to your project's metrics.
Cobertura reports against actual source files. These source files are already indexed by Sonar so therefore, it is possible for Cobertura to have a report outside of the source path.
SonarQube has the false assumption that all code quality issues will have corresponding source files. This is true for the overwhelming majority of cases, but there are many corner cases where this assumption is false - component analysis being one of those cases.
SonarQube requires a Resource (a file that it indexed, such as a source file) in order to create an Issue. This requirement is the reason why dependency-check-report.xml is used as a source file. The Dependency-Check report will contain filepaths to components that will typically not reside in the project workspace. For example, the default for Maven is ~/.m2. So although the POM resides in the workspace, the resolution to the files on the filesystem does not. Therefore, a source file must be used in its place. You'll notice that for all Dependency-Check issues in SonarQube, when you click into the issue, it takes you to the XML report. This is the 'source file' that the plugin uses because it's required to have a source file to create the issue in the first place.
If you'd like to have the ability to parse the report outside of the source path, then you may want to add an enhancement request over at SonarSource. I'd love to be able to create issues without having a corresponding source file present.
You are correct in saying an issue has to be created on a resource. As it is not really obvious, I'd like to point out that a Project is also a Resource. So passing a Project instead of an InputFile into addIssues(...) and casting it to Resource in the assignment to Issuable leads to the issues being attached to the corresponding (sub-)project. That way we (@amandel and I) were able to configure just the report path (and not set sonar.sources) on the parent POM, resulting in the dependency check results being picked up along the way also in submodules. I could provide a PR with the changes if you are interested.
It might also be a good idea to attach the issues to the file (and possibly also the line) defining a dependency if that file is available as resource. But I think that would require the analysis process to provide additional information.
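As an added illustration of the approach described in the comment above (example code, not the plugin's own), a sensor written against the legacy SonarQube batch API (Sensor, ResourcePerspectives, Issuable) hands the Project resource to the Issuable perspective instead of an InputFile, so findings land on the (sub-)module being analysed; the rule key, the Finding class and the single constructed finding are assumptions made for this example.

```java
import java.util.*;
import org.sonar.api.batch.Sensor;
import org.sonar.api.batch.SensorContext;
import org.sonar.api.component.ResourcePerspectives;
import org.sonar.api.issue.*;
import org.sonar.api.resources.*;
import org.sonar.api.rule.*;

/** Reports Dependency-Check findings on the module being analysed, not on a source file. */
public class DependencyCheckProjectSensor implements Sensor {
  // Hypothetical rule coordinates for this example; the real plugin declares its own rule.
  private static final RuleKey RULE = RuleKey.of("OWASP", "UsingComponentWithKnownVulnerability");
  private final ResourcePerspectives perspectives; // injected by the SonarQube batch container

  public DependencyCheckProjectSensor(ResourcePerspectives perspectives) {
    this.perspectives = perspectives;
  }

  @Override
  public boolean shouldExecuteOnProject(Project project) {
    return true; // run on the parent and on every submodule, no sonar.sources required
  }

  @Override
  public void analyse(Project module, SensorContext context) {
    // Normally parsed from dependency-check-report.xml; one constructed finding stands in here.
    List<Finding> findings = Arrays.asList(
        new Finding("example-lib-1.0.jar", "CVE-XXXX-YYYY (placeholder)", Severity.CRITICAL));
    addIssues(module, findings); // a Project is a Resource, so it can be passed directly
  }

  /** Creates one issue per finding on the given resource; returns how many were accepted. */
  int addIssues(Resource target, List<Finding> findings) {
    Issuable issuable = perspectives.as(Issuable.class, target);
    if (issuable == null) return 0; // resource cannot carry issues; nothing to report
    int created = 0;
    for (Finding f : findings) {
      Issue issue = issuable.newIssueBuilder()
          .ruleKey(RULE).severity(f.severity)
          .message(f.cve + " in " + f.dependency).build();
      if (issuable.addIssue(issue)) created++;
    }
    return created;
  }

  /** Minimal finding: affected dependency, CVE identifier, SonarQube severity. */
  static final class Finding {
    final String dependency, cve, severity;
    Finding(String d, String c, String s) { dependency = d; cve = c; severity = s; }
  }
}
```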
Hi,
I would really like to use this plugin but I have some comments/suggested features that would allow us to use it:
- Allow it to be turned on/off through the Sonar GUI
- Allow it to be turned on/off through the Sonar GUI per project.
- It wouldn't read an aggregated report from the MAVEN OWASP plugin which is what we generate.
- We can't really have the output XML file be included in the project metrics.
Just some thoughts.
Matt
@matt-shaw Please create individual github issues for each enhancement request or defect.
@oliverbrandt Thanks for the pointer to use the Project object. Never occurred to me to do that.
Added examples and updated the plugin. Please use what is currently checked into the master branch rather than the 1.0.0 release.
I've added those issues. I hope that helps.
1.0.1 released which should resolve the reported issue.