RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Any chance of compatibility with SonarQube? #336

Closed haugsrud closed 4 years ago

haugsrud commented 4 years ago

Retire.js version: (retire --version):

node version: (node --version):

Type: Question

Description: I am using the dependency-check tool for analyzing dependencies and pushing them into SonarQube; however, this takes a huge amount of time and is not suitable for a CI/CD pipeline imo.

Retire.js takes just seconds, but I can't seem to find a good way to incorporate it into my CI/CD pipeline. It would have been great if I were able to push the results into SonarQube and mark them as vulnerabilities.

Expected behaviour:

haugsrud commented 4 years ago

I just found out there is an experimental format, depcheck, which is exactly what I'm looking for.

eoftedal commented 4 years ago

Ok, cool. If you want to implement a custom format, the reporters are in https://github.com/RetireJS/retire.js/tree/master/node/lib/reporters

The full interface for a logger/report is:

// `config` stands in for the options the reporter is given; only `verbose` is read here
var config = { verbose: false };

var logger = {
  // ordinary log output
  info : function(message) { /* ... */ },
  debug : function(x) { if (config.verbose) { /* ... */ } },
  warn : function(x) { /* ... */ },
  error : function(x) { /* ... */ },

  // called for each scanned dependency without known vulnerabilities
  logDependency : function(finding) { /* ... */ },
  // called for each dependency that has known vulnerabilities
  logVulnerableDependency: function(finding) { /* ... */ },
  // called once when the scan is finished, to flush any output
  close: function() { /* ... */ }
};
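As an added example (not retire.js's own code, nor from either commenter), here is one reporter built on that interface that turns vulnerable findings into SonarQube's Generic Issue Import JSON, the format SonarQube reads from `sonar.externalIssuesReportPaths`. It assumes `finding` has the shape of retire.js's JSON output (file, results[], vulnerabilities[] with `below`, `severity`, `identifiers`); the sample finding and its CVE id are constructed placeholders.

```javascript
// Added example, not retire.js code: a reporter implementing the interface
// above that collects vulnerable findings as SonarQube Generic Issue Import JSON.
// Assumed: `finding` follows retire.js's own JSON output shape.
const SEVERITY = { critical: 'CRITICAL', high: 'MAJOR', medium: 'MINOR', low: 'INFO' };

function toSonarIssues(finding) {
  const issues = [];
  for (const result of finding.results || []) {
    for (const vuln of result.vulnerabilities || []) {
      const ids = vuln.identifiers || {};
      issues.push({
        engineId: 'retire.js',
        ruleId: (ids.CVE || [])[0] || `${result.component}-below-${vuln.below}`,
        severity: SEVERITY[vuln.severity] || 'MAJOR',
        type: 'VULNERABILITY',
        primaryLocation: {  // file-level issue, so no textRange is needed
          message: `${result.component} ${result.version}: ${ids.summary || 'known vulnerability'} (fixed in ${vuln.below})`,
          filePath: finding.file,
        },
      });
    }
  }
  return issues;
}

// `write` gets ordinary log lines; close() returns the JSON to save at the path in sonar.externalIssuesReportPaths
function createSonarReporter(config, write) {
  const issues = [];
  return {
    info: (m) => write(m),
    debug: (m) => { if (config.verbose) write(m); },
    warn: (m) => write(m),
    error: (m) => write(m),
    logDependency: () => {},  // clean dependency: nothing for SonarQube
    logVulnerableDependency: (finding) => { issues.push(...toSonarIssues(finding)); },
    close: () => JSON.stringify({ issues }, null, 2),
  };
}

// Constructed sample finding (placeholder CVE id) in retire.js's output shape
const sampleFinding = {
  file: 'public/js/jquery.js',
  results: [{ component: 'jquery', version: '1.8.1', vulnerabilities: [{
    below: '1.9.0', severity: 'medium',
    identifiers: { CVE: ['CVE-EXAMPLE-0001'], summary: 'constructed example advisory' },
  }] }],
};
const reporter = createSonarReporter({ verbose: false }, console.log);
reporter.logVulnerableDependency(sampleFinding);
console.log(reporter.close());
```

Write the string returned by `close()` to a file and point `sonar.externalIssuesReportPaths` at it; the scanner then shows each finding as a VULNERABILITY on the affected file.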