dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Sonar dependency check multi project setup #951

Open pellepelster opened 1 month ago

pellepelster commented 1 month ago

Describe the bug

I am not sure if this is a bug, or intentional design, but I am struggling to grasp how the plugin is supposed to work in a multi-project setup, where the root (parent) Gradle project hosts a number of submodules. Based on examples/single-module-gradle I was able to upload and use a report of a simple single module project, but with multiple modules this approach fails.

To Reproduce

Assuming a multi-module setup, where the dependency check is applied to all subprojects, after running the dependency check I get this (expected) result:

project_root/
│
├─ module1/
│      ├─ build/reports/
│      │     ├─ dependency-check-report.json
│      │     └─ dependency-check-report.html
│      └─ build.gradle (1)
├─ module2/
│      ├─ build/reports/
│      │     ├─ dependency-check-report.json
│      │     └─ dependency-check-report.html
│      └─ build.gradle (2)
├─ [...]
└─ build.gradle (3)

configuring module1 (1) or module2 (2) with

sonarqube {
    properties {
        property 'sonar.dependencyCheck.jsonReportPath', 'build/reports/dependency-check-report.json'
        property 'sonar.dependencyCheck.htmlReportPath', 'build/reports/dependency-check-report.html'
    }
}

does not seem to have any effect; in Sonar I get "No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath" and also no security issues for vulnerable dependencies. I tried multiple ways of providing the sonar.dependencyCheck.*ReportPath properties, including absolute paths, but it never worked. My question is: should this work at all, and what is the intended way to use this plugin in multi-module setups?

Versions (please complete the following information):
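The issue above points at the plugin reading one sonar.dependencyCheck.jsonReportPath per analysed project. One practical way to feed it a multi-module build is to merge the per-module JSON reports into a single report at the project root and point the root project at that file. The script below is an added example, not code from the issue, the plugin or the Dependency-Check project, and it is not a maintainer answer to the question. The JSON field names it relies on (dependencies, fileName, sha256, vulnerabilities, name, severity, projectReferences) follow the Dependency-Check JSON report layout as I know it; treat them as assumptions and check them against one of your own reports. The sample reports embedded at the bottom are constructed, with placeholder CVE ids.

```python
"""Merge per-module Dependency-Check JSON reports into one root-level report.

Added example (not from the issue, the plugin or Dependency-Check): the plugin
reads a single jsonReportPath, so a root-level merged report is one workaround
for a multi-module Gradle build. Field names are assumptions based on the
Dependency-Check JSON report format.
"""
import json
import sys
from pathlib import Path

REPORT_NAME = "dependency-check-report.json"


def find_module_reports(project_root: Path) -> dict:
    """Map each direct submodule name to its build/reports JSON report, if present."""
    return {
        p.parent.parent.parent.name: p
        for p in sorted(project_root.glob(f"*/build/reports/{REPORT_NAME}"))
    }


def _dependency_key(dep: dict) -> str:
    # Prefer the content hash so one jar pulled in by two modules is counted once.
    return dep.get("sha256") or dep.get("fileName", "")


def merge_reports(reports: dict) -> dict:
    """Combine parsed per-module reports into one report with de-duplicated dependencies.

    Top-level metadata (reportSchema, scanInfo, projectInfo, ...) is copied from
    the first module's report. Dependencies are merged by sha256 (fallback:
    fileName); vulnerabilities are merged by name; projectReferences records
    every module/configuration that pulled the dependency in.
    """
    merged: dict = {}
    by_key: dict = {}
    for module, report in reports.items():
        if not merged:
            merged = {k: v for k, v in report.items() if k != "dependencies"}
        for dep in report.get("dependencies", []):
            key = _dependency_key(dep)
            target = by_key.get(key)
            if target is None:
                target = json.loads(json.dumps(dep))  # deep copy; never mutate the input
                target["projectReferences"] = []
                by_key[key] = target
            # Gradle reports already carry "<module>:<configuration>" references;
            # fall back to the module name when a report omits them.
            refs = dep.get("projectReferences") or [module]
            for ref in refs:
                if ref not in target["projectReferences"]:
                    target["projectReferences"].append(ref)
            known = {v["name"] for v in target.get("vulnerabilities", [])}
            for vuln in dep.get("vulnerabilities", []):
                if vuln["name"] not in known:
                    target.setdefault("vulnerabilities", []).append(vuln)
                    known.add(vuln["name"])
    merged["dependencies"] = list(by_key.values())
    return merged


def vulnerable_dependency_count(report: dict) -> int:
    """Number of merged dependencies that carry at least one vulnerability."""
    return sum(1 for d in report["dependencies"] if d.get("vulnerabilities"))


def write_merged_report(project_root: Path) -> Path:
    """Merge every submodule report under project_root into <root>/build/reports/."""
    reports = {m: json.loads(p.read_text()) for m, p in find_module_reports(project_root).items()}
    out = project_root / "build" / "reports" / REPORT_NAME
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(json.dumps(merge_reports(reports), indent=2))
    return out


# Constructed sample reports (not real scan output) for a two-module build.
SAMPLE_REPORTS = {
    "module1": {
        "reportSchema": "1.1",
        "projectInfo": {"name": "module1"},
        "dependencies": [
            {"fileName": "lib-a-1.0.jar", "sha256": "aaa",
             "projectReferences": ["module1:compileClasspath"],
             "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "HIGH"}]},
            {"fileName": "lib-b-2.0.jar", "sha256": "bbb", "vulnerabilities": []},
        ],
    },
    "module2": {
        "reportSchema": "1.1",
        "projectInfo": {"name": "module2"},
        "dependencies": [
            {"fileName": "lib-a-1.0.jar", "sha256": "aaa",
             "projectReferences": ["module2:runtimeClasspath"],
             "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "HIGH"},
                                 {"name": "CVE-0000-0002", "severity": "MEDIUM"}]},
            {"fileName": "lib-c-3.0.jar", "sha256": "ccc",
             "vulnerabilities": [{"name": "CVE-0000-0003", "severity": "LOW"}]},
        ],
    },
}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print("merged report written to", write_merged_report(root))
```

Run it from the project root after the per-module dependency-check tasks; it writes build/reports/dependency-check-report.json at the root, which the root project's sonar.dependencyCheck.jsonReportPath can then reference. Merging by sha256 keeps the SonarQube issue count honest when several modules share the same jar, while projectReferences preserves which module pulled it in.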