K44sper
commented
9 months ago Hi all,
Found the answer,
The dependency-check sonar quality gates are based on CVSSv2 and CVSSv3 scores,
It can happen that you have a severity High in the dependency-check report but with a CVSS score greater than 9,
Also by default the mapping is the following between CVSS score and
| CVSS score | Sonar.dependency-check mapping |
|---|---|
| > 9.0 | Blocker |
| > 8.0 | Critical |
| > 7.0 | Major |
| > 4.0 | Minor |
And between Sonar.dependency-check and Quality gates metrics
| Sonar.dependency-check mapping | Quality gates dependency-check sonarQube plugin |
|---|---|
| Blocker | Critical |
| Critical | High |
| Major | Medium |
| Minor | Low |
In my case I had a "high" CVE with a score > 9, so my quality gates failed with "you have a critical"
Improvements can be to align the different matrix :
- If a CVE has a score > 9 then mark it as Critical in the report
- Align Sonar.dependency-check mapping with what we have in terms of quality gates wording
Hi all,
This message following a request on sonar community, original post : Original Sonar feedback : https://community.sonarsource.com/t/quality-gates-owasp-dependency-check/103427
Sonar indicates to reach-out dependency-check maintainers
I use SonarQube 9.9.1 LTS with dependency-check plugin version 4.0
I set the following dependency-check quality gates on “Overall code”
"Critical Severity Vulnerabilities is greater than 0 "
The quality gates fails with the following message :
Issue : There is 0 critical vulnerability in dependency-check report
When clic on the finding, we have the following :
Question :
How to explain this since there is not any critical in dependency-check report and sonarqube is supposed to aggregate this report ?