dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Gradle/SQ: Scan HTML is published but no issues / vulnerabilities are created #676

Closed EugenMayer closed 2 years ago

EugenMayer commented 2 years ago

Describe the bug: I can see the scan HTML in my SQ project, but even though there is a vulnerability, no quality gate issue, vuln entry or issue is created.

Vulnerable Dependencies: 1
Vulnerabilities Found: 1

Current behavior: No issues or vulnerabilities are created.

Expected behavior: At least one vuln. should be created.

Screenshots: [image: scan report shown while no issues are created] [image: the quality gate is configured very strictly] [image]

Versions (please complete the following information):

Additional context

sonarqube {
    properties {
        property "sonar.projectKey", "redacted"
        property "sonar.projectName", "redacted"
        property "sonar.host.url", "https://redacted"
        property("sonar.dependencyCheck.jsonReportPath", "${buildDir}/reports/dependency-check-report.json")
        property("sonar.dependencyCheck.htmlReportPath", "${buildDir}/reports/dependency-check-report.html")
        property("sonar.dependencyCheck.summarize", "true")
    }
}

dependencyCheck {
    formats = ["HTML", "JSON"]

    analyzers {
        assemblyEnabled = false
    }
}

I tried it with and without sonar.dependencyCheck.summarize.

EugenMayer commented 2 years ago

Sorry, I misunderstood: the scan would be for "new ones" only, thus the deps were on master already before the PR, and there have been no new vulns. It all works as expected otherwise.
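The thread resolves to a scoping question: the plugin only raises issues for the SonarQube "new code" period, so a vulnerability in a dependency that was already on master produces a report with "Vulnerabilities Found: 1" but no issue. A team that wants a gate on the whole report, regardless of the new-code window, can evaluate the Dependency-Check JSON report that the Gradle config above already writes. The script below is an added example, not code from the dependency-check-sonar-plugin project or from the issue author; it assumes the JSON report layout (a top-level "dependencies" list whose entries carry an optional "vulnerabilities" list with "name" and "severity" fields) and uses a constructed sample report with a placeholder CVE identifier rather than a real report.

```python
"""Summarize an OWASP Dependency-Check JSON report and decide whether to fail a build.

Added example (not part of the plugin or the issue). Assumption: the JSON report
has a top-level "dependencies" list; each dependency may carry a "vulnerabilities"
list whose entries have "name" and "severity" fields.
"""
import json
from collections import Counter

# Severity ranking used for the gate; Dependency-Check reports severities in
# mixed case ("High", "HIGH"), so values are upper-cased before lookup.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: one vulnerable dependency, two clean ones.
# "CVE-YYYY-NNNNN" is a placeholder identifier, not a real CVE.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [{"name": "CVE-YYYY-NNNNN", "severity": "High"}]},
        {"fileName": "other-lib-2.3.jar"},
        {"fileName": "third-lib-0.9.jar", "vulnerabilities": []},
    ],
})


def summarize(report_text):
    """Return counts matching the report header lines
    ("Vulnerable Dependencies" / "Vulnerabilities Found") plus the findings."""
    report = json.loads(report_text)
    findings = []
    vulnerable_deps = 0
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        vulnerable_deps += 1
        for v in vulns:
            findings.append({
                "dependency": dep.get("fileName", "<unknown>"),
                "name": v.get("name", "<unnamed>"),
                "severity": str(v.get("severity", "UNKNOWN")).upper(),
            })
    by_severity = Counter(f["severity"] for f in findings)
    return {
        "vulnerable_dependencies": vulnerable_deps,
        "vulnerabilities_found": len(findings),
        "by_severity": dict(by_severity),
        "findings": findings,
    }


def should_fail(summary, fail_on="HIGH"):
    """True if any finding is at or above the given severity.

    Unknown severities are treated as failing, so a malformed report cannot
    silently pass the gate."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    for f in summary["findings"]:
        rank = SEVERITY_RANK.get(f["severity"])
        if rank is None or rank >= threshold:
            return True
    return False


def load_report(path):
    """Read a report file written by the Gradle dependencyCheck task."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    text = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(text)
    print(f"Vulnerable Dependencies: {s['vulnerable_dependencies']}")
    print(f"Vulnerabilities Found: {s['vulnerabilities_found']}")
    for f in s["findings"]:
        print(f"  {f['severity']:8} {f['name']} in {f['dependency']}")
    sys.exit(1 if should_fail(s, "HIGH") else 0)
```

Run it with the path of the JSON report from the Gradle config (the `sonar.dependencyCheck.jsonReportPath` value) as a CI step; the non-zero exit code fails the build on HIGH or CRITICAL findings even when SonarQube's new-code scope would report nothing, while the plugin continues to handle visibility inside SonarQube.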