Open Manideepakakula opened 1 month ago
I'm having this same issue. I'm also not seeing package.json in my code in SonarQube, so I'm uncertain whether that might also be the reason it cannot link the vulnerabilities to dependencies.
I do see the HTML report in SonarQube and that looks fine. I can see "OWASP-Dependency-Check" in the "Measures" tab of the project with the numbers of vulnerabilities there; I just can't see it linked to anything, or in the project's Security Hotspots.
For npm you need the package-lock.json in your SCM, as recommended by npm: https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json
"This file is intended to be committed into source repositories"
Please adjust the sonar.sources property like in the example project:
https://github.com/dependency-check/dependency-check-sonar-plugin/blob/master/examples/single-module-nodejs/sonar-project.properties#L5
After that adjustment your vulnerabilities should be linked to the package-lock.json.
pnpm-lock.yaml is currently not supported.
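As an added illustration (not taken from this thread or from the plugin's example project), a sonar-project.properties showing the setting that prevents linking next to the corrected one; the project key, source directory and report file locations are assumed values.

```properties
# Assumed project key and name (constructed for this example)
sonar.projectKey=example-nodejs-app
sonar.projectName=Example Node.js App

# Before: only src/ is scanned. package-lock.json is outside
# sonar.sources, so the scanner logs "No project configuration
# file ... found" and the findings cannot be linked to a file.
# sonar.sources=src

# After: the committed lock file is part of the analyzed sources,
# so each finding can be attached to package-lock.json.
sonar.sources=src,package-lock.json

# Reports produced by dependency-check (assumed output paths).
# Both the JSON and the HTML report are read by the plugin.
sonar.dependencyCheck.jsonReportPath=dependency-check-report.json
sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
```

Run dependency-check before sonar-scanner so the report files exist when the analysis starts.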
18:47:34.919 INFO: No project configuration file, e.g. pom.xml, .gradle, .gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
pnpm-lock.yaml is not recognized as a configuration file, so the vulnerabilities found via the dependency-check report are not shown in SonarQube. How can I add these vulnerabilities to SonarQube?
Here are my sonar-scanner logs for dependency-check: