OtherDevOpsGene / zap-sonar-plugin

Integrates OWASP Zed Attack Proxy reports into SonarQube
GNU General Public License v3.0

Widget not showing Report Zap in Sonarqube #6

Closed FcoSanchezDelRosario closed 3 years ago

FcoSanchezDelRosario commented 7 years ago

Hello Steve,

First of all I want to thank you for writing and sharing this plugin to view the ZAP scan information in Sonar. I am new to all these technologies and have some doubts about how it functions. I've been working with this plugin to get reports and I have a doubt; if you don't mind looking at my question, because I am a little bit lost, I would appreciate it.

I am working with the plugin called zap-maven-plugin, where I executed a ZAP spider scan. The project generated some reports in the project folder (C:\workspace\zap-maven-plugin-master\zap-maven-plugin-parent\target\zap-reports):

- zapReport.html
- zapReport.xml
- zapSpiderResults.html
- zapSpiderResults.xml

I downloaded the plugin "Zap-sonar-plugin", compiled it and installed it on SonarQube 5.6.3 LTS. First of all, I did some configuration in the pom.xml to get the report, as I had read in some post.

--

${project.build.directory}/target/zap-reports
5.1
org.sonar.zaproxy.ZapPlugin
ZAP
UTF-8
http://localhost:9000/
src/main/java
${sonar.zaproxy.report.dir}zapReport.xml

--

![pom sonar zap plugin](https://cloud.githubusercontent.com/assets/24686111/21749722/be2db4ca-d5a4-11e6-9f1e-77cb31fe8b4e.JPG)

But when I installed the plugin, Sonar doesn't get any report and gives me the result "No data".

![sonarqube](https://cloud.githubusercontent.com/assets/24686111/21749705/67eaa3ca-d5a4-11e6-8e81-24fc83e381a7.JPG)

What I would like to do is an automated ZAP scan to identify OWASP vulnerabilities, and get integrated reporting. Do I have to change more parameters in the project? Is it better to use another plugin to do the ZAP scan for the 10 most important safety indicators according to OWASP? Sorry for the inconvenience and thank you very much for your time.

Regards,
Francisco Sánchez

stevespringett commented 7 years ago

I personally have never used the Sonar Maven plugin or used the Zap Maven plugin, so I cannot provide advice for those. But the reportPath looks correct, so it should be working. I've just tested it again and verified it's working as expected. I tested with SonarQube 5.6 and SonarRunner 2.4.

You should see something like this in the output (Not sure if the Maven plugin does the same thing or not):

SonarQube Runner 2.4
Java 1.8.0_111 Oracle Corporation (64-bit)
Mac OS X 10.12.2 x86_64
SONAR_RUNNER_OPTS=-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000
INFO: Error stacktraces are turned on.
INFO: Runner configuration file: /Users/steve/.jenkins/tools/hudson.plugins.sonar.SonarRunnerInstallation/Sonar_Runner/conf/sonar-runner.properties
INFO: Project configuration file: NONE
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Work directory: /Users/steve/.jenkins/jobs/ZAP SonarQube Test/workspace/.sonar
INFO: SonarQube Server 5.6
17:51:18.863 INFO  - Load global repositories
17:51:19.025 INFO  - Load global repositories (done) | time=164ms
17:51:19.054 INFO  - User cache: /Users/steve/.sonar/cache
17:51:19.318 INFO  - Load plugins index
17:51:19.322 INFO  - Load plugins index (done) | time=4ms
17:51:19.337 INFO  - Download sonar-zap-plugin-1.0.0-SNAPSHOT.jar
17:51:19.807 INFO  - Process project properties
17:51:19.915 INFO  - Load project repositories
17:51:20.065 INFO  - Load project repositories (done) | time=150ms
17:51:20.140 INFO  - Load quality profiles
17:51:20.204 INFO  - Load quality profiles (done) | time=64ms
17:51:20.208 INFO  - Load active rules
17:51:20.672 INFO  - Load active rules (done) | time=464ms
17:51:20.719 WARN  - SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.
17:51:20.719 INFO  - Publish mode
17:51:20.721 INFO  - -------------  Scan ZAP SonarQube Test
17:51:20.829 INFO  - Load server rules
17:51:20.934 INFO  - Load server rules (done) | time=105ms
17:51:20.991 INFO  - Base dir: /Users/steve/.jenkins/jobs/ZAP SonarQube Test/workspace
17:51:20.991 INFO  - Working dir: /Users/steve/.jenkins/jobs/ZAP SonarQube Test/workspace/.sonar
17:51:20.993 INFO  - Source paths: src
17:51:20.993 INFO  - Source encoding: UTF-8, default locale: en_US
17:51:20.993 INFO  - Index files
17:51:21.000 INFO  - 0 files indexed
17:51:21.447 INFO  - JaCoCoSensor: JaCoCo report not found : /Users/steve/.jenkins/jobs/ZAP SonarQube Test/workspace/target/jacoco.exec
17:51:21.448 INFO  - JaCoCoItSensor: JaCoCo IT report not found: /Users/steve/.jenkins/jobs/ZAP SonarQube Test/workspace/target/jacoco-it.exec
17:51:21.475 INFO  - Sensor Lines Sensor
17:51:21.475 INFO  - Sensor Lines Sensor (done) | time=0ms
17:51:21.475 INFO  - Sensor OWASP Zed Attack Proxy
17:51:21.475 INFO  - Process ZAP report
17:51:22.471 INFO  - Process ZAP report (done) | time=996ms
17:51:22.484 INFO  - Sensor OWASP Zed Attack Proxy (done) | time=1009ms
17:51:22.484 INFO  - Sensor SCM Sensor
17:51:22.484 INFO  - No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
17:51:22.484 INFO  - Sensor SCM Sensor (done) | time=0ms
17:51:22.484 INFO  - Sensor Zero Coverage Sensor
17:51:22.484 INFO  - Sensor Zero Coverage Sensor (done) | time=0ms
17:51:22.484 INFO  - Sensor Code Colorizer Sensor
17:51:22.484 INFO  - Sensor Code Colorizer Sensor (done) | time=0ms
17:51:22.484 INFO  - Sensor CPD Block Indexer
17:51:22.484 INFO  - Sensor CPD Block Indexer (done) | time=0ms
17:51:22.485 INFO  - Calculating CPD for 0 files
17:51:22.485 INFO  - CPD calculation finished
17:51:22.543 INFO  - Analysis report generated in 57ms, dir size=99 KB
17:51:22.561 INFO  - Analysis reports compressed in 18ms, zip size=7 KB
17:51:22.610 INFO  - Analysis report uploaded in 49ms
17:51:22.610 INFO  - ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/org.sonar.plugins:zap-sonar-plugin
17:51:22.610 INFO  - Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
17:51:22.610 INFO  - More about the report processing at http://localhost:9000/api/ce/task?id=AVmFpLrcSsgw1eY-iihN

FcoSanchezDelRosario commented 7 years ago

Hello @stevespringett. I checked the log and I was able to correct the errors. Thanks for the help. I appreciate it.

Regards

diegochavezcarro commented 6 years ago

Hi! I would like to know if this plugin is working with newer versions of Sonar. There are not widgets anymore, so I thought there were some kind of "More" menu, such as in OWASP Dependency Check.

stevespringett commented 6 years ago

@diegochavezcarro yes, widgets were removed with SQ 6.0 and replaced with non-customizable measures displayed in the UI. But they did introduce the concept of a 'page' which we also support.

diegochavezcarro commented 6 years ago

@stevespringett Do you mean we have to create a page (https://docs.sonarqube.org/display/DEV/Creating+a+Page) or do you have one example in this project?

dantemorius commented 4 years ago

I'm facing a similar problem, but no matter where I put the report, the ZAP Sensor from SonarQube doesn't find the report file. I tried binding it to a lot of paths but it simply doesn't work. If I execute an "ls -lah" during the pipeline execution, the file is there.

I have a stack of tools like Jenkins (Master/Slaves) and SonarQube running in separate Docker containers and made Dependency-Check work, but with sonar-zap-plugin I had no success. Could somebody help me?
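Both "No data" in the widget and "the sensor doesn't find the report file" come down to the same two questions: does the configured directory plus file name resolve to a file the analysis can read, and does that file actually contain alerts? The pre-flight check below is an added example, not code from zap-sonar-plugin; it joins the report directory and file name with an explicit separator, parses the file in the OWASP ZAP XML report layout (`<OWASPZAPReport>` / `<site>` / `<alerts>` / `<alertitem>` with a `<riskcode>`), and reports "missing", "empty" or the per-risk alert counts. The embedded report is a constructed sample, not output of a real scan, and the `preflight`, `summarize_alerts` and `write_sample_report` names are this example's own.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the OWASP ZAP XML report layout (not output of a real scan).
SAMPLE_ZAP_XML = """<OWASPZAPReport version="2.7.0" generated="Thu, 1 Jan 1970 00:00:00">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc></alertitem>
      <alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode><riskdesc>High (Medium)</riskdesc></alertitem>
      <alertitem><pluginid>10015</pluginid><alert>Incomplete or No Cache-control Header Set</alert>
        <riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def summarize_alerts(xml_text):
    """Count <alertitem> elements by ZAP risk level; reject anything that is not a ZAP report."""
    root = ET.fromstring(xml_text)
    if root.tag != "OWASPZAPReport":
        raise ValueError(f"not a ZAP XML report (root element {root.tag!r})")
    counts = Counter()
    for item in root.iter("alertitem"):
        risk = int(item.findtext("riskcode", default="0"))
        counts[RISK_NAMES.get(risk, "Unknown")] += 1
    return dict(counts)

def preflight(report_dir, report_name="zapReport.xml"):
    """Return (status, detail): 'missing' if no file exists at the joined path,
    'empty' if it parses but holds no alerts, else 'ok' with the per-risk counts."""
    path = os.path.join(report_dir, report_name)  # explicit separator between dir and file
    if not os.path.isfile(path):
        return "missing", path
    with open(path, encoding="utf-8") as fh:
        counts = summarize_alerts(fh.read())
    return ("empty", path) if not counts else ("ok", counts)

def write_sample_report(directory=None):
    """Write the constructed sample to a (temporary) directory and return that directory."""
    directory = directory or tempfile.mkdtemp()
    with open(os.path.join(directory, "zapReport.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ZAP_XML)
    return directory

if __name__ == "__main__":
    print(preflight(write_sample_report()))  # ('ok', {'Low': 2, 'High': 1})
```

Run `preflight` against the directory you put in `sonar.zaproxy.report.dir` from the same workspace the analysis runs in; a "missing" result means the path, not the plugin, is what to fix, while "empty" means the scan produced no alerts for the plugin to import.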

OtherDevOpsGene commented 3 years ago

Fixed in release 2.1.0.