dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Issues and hotspots don't include dependency-check vulnerabilities #952

Open arturkasperek opened 1 month ago

arturkasperek commented 1 month ago

Describe the bug: I'm using the following settings when running the scanner:

        -Dsonar.dependencyCheck.securityHotspot=true \
        -Dsonar.dependencyCheck.jsonReportPath=owasp-reports/dependency-check-report.json \
        -Dsonar.dependencyCheck.htmlReportPath=owasp-reports/dependency-check-report.html \
        -Dsonar.dependencyCheck.xmlReportPath=owasp-reports/dependency-check-report.xml \

I don't see any errors on the SQ server or in the GitLab CI job's dependency-check logs. After all, I can see an extra item to access the report:

Screenshot 2024-06-4 at 14 42 37

It has vulnerabilities, and right now I'm not sure why they are not included in either Issues or Security Hotspots. In previous versions I saw that the dependency-check sonar plugin was also reporting on Issues; I'm not sure why it doesn't work.

Versions (please complete the following information):

Reamer commented 1 month ago

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

arturkasperek commented 1 month ago

@Reamer hm - can I somehow integrate deps scan audit with sq native issues?

Erry91 commented 1 month ago

I am also interested in how to make the vulnerability detections reported in the dependency-check scan appear in either "Issues" or "Security Hotspots".

Reamer commented 1 month ago

> @Reamer hm - can I somehow integrate deps scan audit with sq native issues?

Try deactivating the security hotspot feature.

mutzbraten commented 1 week ago

> xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

Where do I find documentation about the deprecation of the security hotspot feature? Is there any alternative suggested? Does this mean the bug will not be fixed?