dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Dependency-Check JSON report does not exists. JSON-Analysis skipped/aborted due to missing report file #954

Open Katheeja-Yasmin opened 3 months ago

Katheeja-Yasmin commented 3 months ago

I am not able to see any results when I run sonarscanner for my Java Maven project. Dependency check is showing no results. I have configured the dependency check plugin for my SonarQube and included the below properties in my sonar-project.properties file.

sonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
sonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml

Here is my jenkins log related to dependency check:

09:43:46.560 INFO: Sensor Dependency-Check [dependencycheck]
09:43:46.561 INFO: Dependency-Check - Start
09:43:46.562 INFO: Using JSON-Reportparser
09:43:46.563 INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/var/lib/jenkins/workspace/dummy-test/target/dependency-check-report.json
09:43:46.563 INFO: JSON-Analysis skipped/aborted due to missing report file
09:43:46.566 DEBUG: JSON-Dependency-Check report does not exist.
java.io.FileNotFoundException: JSON-Dependency-Check report does not exist.
    at org.sonar.dependencycheck.report.JsonReportFile.getJsonReport(JsonReportFile.java:37)
    at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:66)
    at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:129)
    at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
    at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:52)
    at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:169)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:351)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:138)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:71)
    at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:65)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
    at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
    at org.sonarsource.scanner.cli.Main.main(Main.java:62)

09:43:46.566 INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/var/lib/jenkins/workspace/dummy-test/target/dependency-check-report.html
09:43:46.566 INFO: HTML-Dependency-Check report does not exist.
09:43:46.567 DEBUG: HTML-Dependency-Check report does not exist.
java.io.FileNotFoundException: HTML-Dependency-Check report does not exist.
    at org.sonar.dependencycheck.report.HtmlReportFile.getHtmlReport(HtmlReportFile.java:37)
    at org.sonar.dependencycheck.DependencyCheckSensor.uploadHTMLReport(DependencyCheckSensor.java:82)
    at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:137)
    at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
    at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:52)
    at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:169)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:351)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:138)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:223)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:202)
    at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:71)
    at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:65)
    at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
    at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
    at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
    at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:126)
    at org.sonarsource.scanner.cli.Main.execute(Main.java:81)
    at org.sonarsource.scanner.cli.Main.main(Main.java:62)

09:43:46.567 INFO: Dependency-Check - End

Here are my version details:

Sonarqube - 10.4
sonar dependency check plugin - 5.0.0
Sonarscanner - 5.0.1

Kindly help me to resolve this issue.

Reamer commented 3 months ago

This plugin does not generate the reports, these must first be created with dependency-check. Are the reports available under the paths?

Katheeja-Yasmin commented 3 months ago

Hi Reamer, I was able to resolve this issue for my Java Maven project. The new issue here is that I am not able to run dependency check for JavaScript/Node.js, or I am not sure whether there is any config missing from my side. So here are the details. I have a JavaScript project which is utilizing a Jenkins Groovy script for CI. I have a SonarQube configuration with a sonar-project.properties file which tells Sonar to pick the dependency check reports from the below path.

sonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
sonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml
sonar.dependencyCheck.summarize=true

I added the below commands in my Jenkins build stage.

npm install
npm install -D owasp-dependency-check
npm run build

and added the below line in my package.json file under scripts.

"scripts": {
  "start": "react-scripts start",
  "build": "CI=false PUBLIC_URL=/ react-app-rewired build",
  "test": "react-scripts test",
  "test:dependency": "owasp-dependency-check --project \"project-name\" --scan \"package-lock.json\" --exclude \"dependency-check-bin\" --out \"target\" --format HTML",
  "eject": "react-scripts eject"
}

But I am not able to generate the report and could see the below info in my Jenkins logs.

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Dependency-Check - Start
INFO: Using JSON-Reportparser
INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/var/lib/jenkins/workspace/project_name/target/dependency-check-report.json
INFO: JSON-Analysis skipped/aborted due to missing report file
INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/var/lib/jenkins/workspace/project_name/target/dependency-check-report.html
INFO: HTML-Dependency-Check report does not exist.
INFO: Dependency-Check - End

I am new to configuring dependency check for JavaScript. Please help me to generate the report. Thanks

Reamer commented 2 months ago

The dependency check report is not created by this plugin, please do this in a separate step. This plugin only reads the report when the SonarQube scanner is running.
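
A pre-flight check for the situation in this thread, added here as an example (not code from the plugin or from the posters): it reads the `sonar.dependencyCheck.*` report path properties from `sonar-project.properties` and fails the CI stage when a configured report is missing or empty, because the sensor itself only logs an INFO line and skips the analysis. The function names and the constructed sample workspace are assumptions of this example.

```shell
#!/bin/sh
# Print the value of property $2 from properties file $1 (last definition wins).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) found = v
        }
        END { if (found != "") print found }' "$1"
}

# Check each configured report path relative to project dir $2.
# Prints one MISSING line per absent or empty report; returns 1 if any.
check_dc_reports() {
    props=$1; base=$2; rc=0
    for key in sonar.dependencyCheck.jsonReportPath \
               sonar.dependencyCheck.htmlReportPath \
               sonar.dependencyCheck.reportPath; do
        rel=$(prop_value "$props" "$key")
        [ -n "$rel" ] || continue                   # property not set
        case $rel in /*) path=$rel ;; *) path=$base/$rel ;; esac
        if [ ! -s "$path" ]; then
            echo "MISSING $key -> $path"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the properties name three reports, but only the
# HTML report was generated before the scanner runs.
demo_workspace() {
    ws=$(mktemp -d); mkdir -p "$ws/target"
    cat > "$ws/sonar-project.properties" <<'EOF'
sonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
sonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml
EOF
    echo '<html></html>' > "$ws/target/dependency-check-report.html"
    echo "$ws"
}

demo=$(demo_workspace)
check_dc_reports "$demo/sonar-project.properties" "$demo" || echo "gate fails: run dependency-check before the scanner"
rm -rf "$demo"
```

In a pipeline, call `check_dc_reports sonar-project.properties "$WORKSPACE"` after the dependency-check step and before the scanner, and let a non-zero status stop the stage.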

github-actions[bot] commented 1 day ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.