dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Update dependency-check-maven 9.0.X breaks Sonarqube Vulnerabilities report / JSON-Analysis aborted #888

Closed srcimon closed 8 months ago

srcimon commented 9 months ago

Describe the bug After upgrading the maven-dependency-check from 8.4.3 to version 9.0.4 (no 9.0.x version works) my Sonarqube instance doesn't show vulnerabilities anymore. I've activated HTML and JSON Report. The HTML Report is shown properly (with vulnerabilities found) in Sonarqube. The logfile contains a generic warning concerning the JSON Report:

10:36:37 [INFO] ------------- Run sensors on project
10:36:37 [INFO] Sensor Dependency-Check [dependencycheck]
10:36:37 [INFO] Process Dependency-Check report
10:36:37 [INFO] Using JSON-Reportparser
10:36:38 [WARNING] JSON-Analysis aborted
10:36:38 [INFO] Upload Dependency-Check HTML-Report

I'm using the latest version of dependency-check-sonar-plugin 4.0.0 and I really can't tell any major difference within the JSONs created via the plugin.

If I disable the JSON report the message gets more specific and tells that there is no JSON report as expected. This shows that the report is found but cannot be processed in my initial setup:

10:41:35 [INFO] ------------- Run sensors on project
10:41:35 [INFO] Sensor Dependency-Check [dependencycheck]
10:41:35 [INFO] Process Dependency-Check report
10:41:35 [INFO] Using JSON-Reportparser
10:41:35 [INFO] Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:###path-to-file###
10:41:35 [INFO] JSON-Analysis skipped/aborted due to missing report file

To Reproduce Sorry, the project is not open source.

Current behavior JSON report is not loaded: "JSON-Analysis aborted"

Expected behavior JSON report is loaded

Versions (please complete the following information):

Additional context see also: https://github.com/jeremylong/DependencyCheck/issues/6261

srcimon commented 9 months ago

Problem is fixed in 4.0.1-SNAPSHOT with Commit https://github.com/dependency-check/dependency-check-sonar-plugin/commit/2bfcbbcab316122d8f427d1d58d4a8ac9f20cac6

srcimon commented 9 months ago

Is there any plan to release 4.0.1 in the near future, @Reamer?

SudoHenk commented 8 months ago

Can confirm that with the latest commit it works in combination with OWASP Dependency Check 9.0.2.

Any indication on when the release 4.0.1 will be made? @Reamer

rounak-codiant commented 8 months ago

I am also facing the same error on PHP/Node projects. Unable to upload JSON report to Sonarqube.

ERROR: JSON-Analysis aborted

Properties file config:

sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
sonar.dependencyCheck.jsonReportPath=dependency-check-report.json

Version Details:

Dependency-Check Core version 9.0.4
Sonarqube Community Edition Version 9.9 (build 65466)
Plugin Version: dependency-check-sonar-plugin 4.0.0 (tried 3.1.0 as well)

Below is debug output:

15:29:59.036 INFO: Sensor Dependency-Check [dependencycheck]
15:29:59.036 INFO: Process Dependency-Check report
15:29:59.038 INFO: Using JSON-Reportparser
15:29:59.644 WARN: JSON-Analysis aborted
15:29:59.645 DEBUG: Problem with JSON-Report-Mapping
org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
    at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
    at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:68)
    at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:131)
    at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
    at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:52)
    at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:371)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
    at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:137)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
    at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
    at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
    at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
    at org.sonarsource.scanner.cli.Main.main(Main.java:62)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "confidentialityImpact" (class org.sonar.dependencycheck.parser.element.CvssV2), not marked as ignorable (2 known properties: "score", "severity"])
 at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 4668968] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[7649]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv2"]->org.sonar.dependencycheck.parser.element.CvssV2["confidentialityImpact"])
    at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
    at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1132)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2202)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1705)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1655)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:460)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1405)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:352)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:542)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:564)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:439)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1405)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:352)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
    at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:542)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:564)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:439)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1405)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:352)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
    at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:542)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:564)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:439)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1405)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:352)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4730)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3714)
    at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
    ... 22 common frames omitted

15:29:59.795 INFO: Upload Dependency-Check HTML-Report
15:30:00.117 INFO: Process Dependency-Check report (done) | time=1080ms
15:30:00.117 INFO: Sensor Dependency-Check [dependencycheck] (done) | time=1081ms
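For readers hitting the same mapping failure, an added example (not the plugin's code) that shows why a strict mapper rejects a 9.0.x report and how a lenient read of the same report still yields the findings. The report fragment is constructed, the known field set for cvssv2 is taken from the stack trace above, and "ignore unknown fields" is this example's approach, not a statement of what the fix commit does.

```python
"""Strict vs lenient parsing of a Dependency-Check JSON report (added example)."""
import json
from dataclasses import dataclass
from typing import List, Optional

# The two cvssv2 properties the 4.0.0 plugin mapper knew, per the stack trace.
KNOWN_CVSSV2_FIELDS = {"score", "severity"}

# Constructed report fragment: one dependency whose cvssv2 block carries the
# extra "confidentialityImpact" field that dependency-check 9.0.x emits.
SAMPLE_REPORT = json.dumps({
    "dependencies": [{
        "fileName": "example-lib-1.0.jar",
        "vulnerabilities": [{
            "name": "CVE-0000-00000",  # placeholder identifier
            "severity": "HIGH",
            "cvssv2": {"score": 7.5, "severity": "HIGH",
                       "confidentialityImpact": "PARTIAL"},
        }],
    }],
})


class ReportMappingError(Exception):
    """Raised in strict mode on an unknown property, like the plugin's ReportParserException."""


@dataclass
class Finding:
    file_name: str
    cve: str
    cvss2_score: Optional[float]
    cvss2_severity: Optional[str]


def parse_report(text: str, strict: bool = False) -> List[Finding]:
    """strict=True reproduces the 4.0.0 abort; strict=False ignores unknown cvssv2 fields."""
    findings: List[Finding] = []
    for dep in json.loads(text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            cvss2 = vuln.get("cvssv2") or {}
            unknown = set(cvss2) - KNOWN_CVSSV2_FIELDS
            if strict and unknown:
                raise ReportMappingError(f"Unrecognized field(s) {sorted(unknown)} in cvssv2")
            findings.append(Finding(dep.get("fileName", "?"), vuln.get("name", "?"),
                                    cvss2.get("score"), cvss2.get("severity")))
    return findings
```

Running the strict mode over a 9.0.x report reproduces the "Unrecognized field" failure, while the lenient mode returns the finding with its CVSS v2 score and severity intact.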

Reamer commented 8 months ago

I have created a new release. Could you please test this version? I will then add this version to the SonarQube Marketplace.

srcimon commented 8 months ago

My colleagues will...

rounak-codiant commented 8 months ago

Yes, now it worked for me. Thanks!!


Reamer commented 8 months ago

The new version should then be downloadable via the Marketplace. https://github.com/SonarSource/sonar-update-center-properties/pull/478

SudoHenk commented 8 months ago

Can confirm that it works with the 4.0.1 release, thanks for releasing it!