Sonarqube + dependency-check plugin for dotnet

[RunFox]

Hello, I am use Sonarqube EE 8.4.2 with Dependency-Check plugin v 2.0.6 SonarQube parse json-report. But in logs for dotnet-project i see such info warning: “INFO: No project configuration file, e.g. pom.xml, .gradle,.gradle.kts,package-lock.json found, therefore it isn’t possible to correctly link dependencies in file”. And then: “INFO: Linking 41 dependencies” Can you tell me, please, what does it mean for dotnet-project and does it affect to work with vulnerable dependencies in sonar? As i see, sonar linking dependencies and create vulnerability in project page.

[Reamer]

In general, we need to analyze the dotnet project file so that we can link new SonarQube issues against parts of this file. I am not a dotnet developer, maybe you can help here.

[RunFox]

Hello, @Reamer, thank you for answer. In project we have .csproj file and sonar links all issue with parts of code. I do not see any problem with work of SQ, only this warning.

[Reamer]

This plugin converts all vulnerabilities found by dependency-check into SonarQube issues and tries to link these issues to a project file (e.g. pom.xml, package-lock.json ...). So this project file must be part of sonar.sources.

To find the correct line in this project file, the plugin analyzes this file.

If no project file is found as in your case this plugin links the issues against the SonarQube project. This has several disadvantages when working with the issues.

• Solving problems within the UI does not work permanently

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.