dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Support for Sonar 10.2 Software Quality Severities #870

Closed Blir closed 6 months ago

Blir commented 10 months ago

Describe the bug Beginning in Sonar 10.2, the severity values of Blocker, Critical, Major, Minor, and Info are deprecated. See here. I am opening this as a bug because this plugin claims to support Sonar 10.X per the README.md. However, the configuration of this plugin only references the deprecated severity levels. Does this plugin actually support the new Sonar 10.2 severity levels?

Additionally, I am seeing that when upgrading my Sonar version, my old issues from this plugin that were Blocker severity have migrated to Medium severity. According to the page I linked above, they should have been migrated to High severity. Is this plugin interfering with this migration process?

To Reproduce

  1. In a Sonar server instance running version 10.2 with the Dependency-Check plugin version 4.0.0 installed, navigate to Administration > Configuration > Dependency-Check, and scroll down to the Severities section. Notice the available severities are Blocker, Critical, Major, and Minor.
  2. Refer to the Sonar 10.2 documentation here. Notice the deprecated severity levels.
  3. The new severity levels are documented here under the Software qualities section at the bottom of the page.

Current behavior This plugin only references deprecated severity levels.

Expected behavior Since this plugin claims to support SonarQube 10.X, it should at a minimum document its behavior when used with SonarQube 10.2 which deprecates the severities referenced by this plugin's documentation. Ideally, the configuration should reflect the new severities.

Screenshots I expect no screenshots are necessary, let me know if you'd like me to add any.

Versions (please complete the following information):

Additional context None.

readonlyuser1 commented 9 months ago

Current behavior This plugin only references deprecated severity levels.

Versions (please complete the following information): sonarqube 10.3.0.82913 dependency-check-sonar-plugin 4.0.0

thomassui commented 9 months ago

I would like to underline this report. I have discovered the same issue. The mapping of Blocker, Critical and Major issue severity findings are mapped on the newly introduced software qualities impact severity "Medium" in Sonar 10. As requested by Blir it would help a lot to have a configuration in place which reflects the new software qualities impact severity (High, Medium, Low).

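The two mappings the thread is about, as an added example that is not code from the plugin or from any commenter: the plugin's legacy CVSS-threshold severities, the SonarQube 10.2 migration of those legacy severities to impact severities (Blocker/Critical to High, Major to Medium, Minor/Info to Low), and a check that flags migrated issues whose impact does not match what the migration should have produced, such as the Blocker-to-Medium case reported above. The threshold values and the issue record layout are assumptions for illustration.

```python
"""Legacy severity -> SonarQube 10.2 impact severity, with a migration check.

Added example, not plugin code. CVSS thresholds below are assumed defaults
(score >= threshold selects that severity), not read from the plugin.
"""

# Assumed legacy severity thresholds, highest first.
LEGACY_THRESHOLDS = [("BLOCKER", 9.0), ("CRITICAL", 7.0), ("MAJOR", 4.0), ("MINOR", 0.0)]

# Migration documented for SonarQube 10.2 software-quality impact severities.
LEGACY_TO_IMPACT = {
    "BLOCKER": "HIGH",
    "CRITICAL": "HIGH",
    "MAJOR": "MEDIUM",
    "MINOR": "LOW",
    "INFO": "LOW",
}


def legacy_severity(cvss: float) -> str:
    """Pick the legacy severity whose threshold the CVSS score reaches."""
    for name, threshold in LEGACY_THRESHOLDS:
        if cvss >= threshold:
            return name
    return "MINOR"


def expected_impact(cvss: float) -> str:
    """Impact severity a finding should carry after the 10.2 migration."""
    return LEGACY_TO_IMPACT[legacy_severity(cvss)]


def find_migration_mismatches(issues):
    """Return (rule, legacy, actual_impact, expected_impact) for every issue
    whose post-migration impact disagrees with the documented mapping.
    Each issue is a dict with 'rule', 'legacy' and 'impact' keys (assumed layout)."""
    mismatches = []
    for issue in issues:
        want = LEGACY_TO_IMPACT[issue["legacy"]]
        if issue["impact"] != want:
            mismatches.append((issue["rule"], issue["legacy"], issue["impact"], want))
    return mismatches


# Constructed sample: one migrated issue landed on MEDIUM although it was BLOCKER.
SAMPLE_ISSUES = [
    {"rule": "OWASP:UsingComponentWithKnownVulnerability", "legacy": "BLOCKER", "impact": "MEDIUM"},
    {"rule": "OWASP:UsingComponentWithKnownVulnerability", "legacy": "MAJOR", "impact": "MEDIUM"},
    {"rule": "OWASP:UsingComponentWithKnownVulnerability", "legacy": "MINOR", "impact": "LOW"},
]
```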
readonlyuser1 commented 8 months ago

I took the latest changes from the Master Branch (sonar-dependency-check-plugin-5.0.0-SNAPSHOT.jar) and this is what I get after rebooting sonarqube

2024.01.01 00:11:11 WARN  web[][o.s.c.a.AnnotationConfigApplicationContext] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@5ffd2b27-org.sonar.server.qualityprofile.RegisterQualityProfiles': 
Initialization of bean failed; nested exception is BadRequestException{errors=
[Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot]}

2024.01.01 00:11:11 ERROR web[][o.s.s.p.Platform] Background initialization failed. 
Stopping SonarQube org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@5ffd2b27-org.sonar.server.qualityprofile.RegisterQualityProfiles': Initialization of bean failed; 
nested exception is BadRequestException{errors=[Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot]}
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:628)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:920)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583)
        at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:200)
        at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:80)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:58)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:134)
        at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:46)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:131)
        at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:201)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:362)
        at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:116)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:346)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.sonar.server.exceptions.BadRequestException: Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:65)
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:59)
        at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.doActivateRecursively(RuleActivator.java:99)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.activate(RuleActivator.java:94)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.lambda$activate$0(RuleActivator.java:87)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575)
        at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260)
        at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616)
        at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622)
        at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.activate(RuleActivator.java:89)
        at org.sonar.server.qualityprofile.builtin.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:77)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:006)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:104)
        at java.base/java.lang.Iterable.forEach(Iterable.java:75)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:99)
        at org.sonar.core.platform.StartableBeanPostProcessor.postProcessBeforeInitialization(StartableBeanPostProcessor.java:33)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:440)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620)
        ... 19 common frames omitted
2024.01.01 00:11:12 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2024.01.01 00:11:12 INFO  web[][o.s.s.e.CoreExtensionStopper] Stopping Governance
2024.01.01 00:11:12 INFO  web[][o.s.s.e.CoreExtensionStopper] Stopping Governance (done) | time=1ms
2024.01.01 00:11:12 INFO  web[][o.s.s.n.NotificationDaemon] Notification service stopped
2024.01.01 00:11:12 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Shutdown initiated...
2024.01.01 00:11:12 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Shutdown completed.

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[Web Server] is stopped

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[Web Server] is stopped

==> /opt/sonarqube/logs/es.log <==
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] stopping ...
2024.01.01 00:11:12 INFO  es[][o.e.c.f.AbstractFileWatchingService] shutting down watcher thread
2024.01.01 00:11:12 INFO  es[][o.e.c.f.AbstractFileWatchingService] watcher service stopped
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] stopped
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] closing ...
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] closed

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped
2024.01.01 00:11:12 WARN  app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 001

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] SonarQube is stopped

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 WARN  app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 001
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] SonarQube is stopped

NIGCH commented 8 months ago

Hi @Reamer, this is happening after the security hotspot rule was removed. Does this need reinstating or does something else need to change?

Reamer commented 8 months ago

I have not yet tried this myself. I also don't know how to remove Rules. Maybe you have to mark them as deprecated first. Is there still the feature of security hotspots in SonarQube 10.2?

NIGCH commented 8 months ago

Yes, so I've created a PR to reinstate it (the original change was just to remove a deprecated method on the rule).

Reamer commented 6 months ago

I have just released 5.0.0. With the new version and the help of @NIGCH , the error should no longer occur.