Closed mansing2 closed 1 year ago
Most likely you ran into an incompatibility between the DependencyCheck version that you run and the Sonar Dependency Check plugin (which is separate from this project). The reports that DependencyCheck creates have seen some changes in the context of Known Exploited Vulnerabilities, for which the Sonar plugin needed to be adapted.
https://github.com/dependency-check/dependency-check-sonar-plugin/releases/tag/3.1.0
Thanks @aikebah, that was the issue. I used the compatible dependency-check plugin in Jenkins and fixed the issue.
Describe the bug
We're using a combination of Jenkins and the Sonar plugin of DependencyCheck. The HTML and JSON reports are generated during the pipeline build in Jenkins, and we can also see the HTML reports under Project > More > Dependency Check, but the vulnerabilities (CVEs) are no longer listed under Project > Issues > Security Category > OWASP Top 10. We were able to see the CVEs there in the past.
Has anything been changed?
Version of dependency-check used
Jenkins Dependency Check plugin: 5.4.0
Sonar Dependency Check plugin: 3.0.1
Expected behavior
It should show the CVEs identified under the OWASP Top 10 category under Issues, as we used to see in the past (as below).
I read about https://sonarsource.atlassian.net/browse/SONAR-11970 but I'm not sure if that's the reason behind CVEs not showing up under the OWASP Top 10 category.
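The thread turns on a report-format change (the Known Exploited Vulnerabilities additions) that an older Sonar plugin could not read. A quick way to separate "the scan found nothing" from "the consumer cannot read the report" is to parse the JSON report yourself and list what it contains. The script below is an added example written for this page, not code from DependencyCheck, the Jenkins plugin or the Sonar plugin. It assumes the dependency-check JSON report layout as I know it (a top-level `reportSchema` string, `dependencies[]` each with an optional `vulnerabilities[]`, and a `knownExploitedVulnerability` object on KEV-listed entries); verify those key names against a report from your own DependencyCheck version. The embedded report, dependency names and CVE identifiers are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample of a DependencyCheck JSON report, reduced to the fields
# this script reads. Key names are an assumption based on the report layout
# as I know it; the file names and CVE identifiers are made up for the example.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {
                    "name": "CVE-0000-0001",
                    "severity": "HIGH",
                    # Newer reports add this object for KEV-listed CVEs; an
                    # older consumer that does not know the key may choke on it.
                    "knownExploitedVulnerability": {
                        "vulnerabilityName": "Example Library RCE",
                        "dateAdded": "2023-01-01",
                    },
                },
                {"name": "CVE-0000-0002", "severity": "MEDIUM"},
            ],
        },
        # A dependency with no findings has no "vulnerabilities" key at all.
        {"fileName": "clean-lib-2.3.jar"},
    ],
})


def summarize_report(report_text: str) -> Dict[str, object]:
    """Parse a dependency-check JSON report and return what it contains.

    Unknown keys (such as knownExploitedVulnerability in newer reports) are
    ignored rather than treated as errors, which is how a report consumer
    should behave when the producer adds fields."""
    report = json.loads(report_text)
    findings: List[Dict[str, object]] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({
                "dependency": dep.get("fileName", "<unknown>"),
                "cve": vuln.get("name"),
                "severity": vuln.get("severity"),
                "kev": "knownExploitedVulnerability" in vuln,
            })
    return {
        "schema": report.get("reportSchema"),
        "dependencies": len(report.get("dependencies", [])),
        "findings": findings,
        "kev_count": sum(1 for f in findings if f["kev"]),
    }


def schema_supported(report_text: str, supported: List[str]) -> bool:
    """Check the report's schema version against what a consumer claims to read.

    This mirrors the kind of check a plugin should do before silently showing
    zero issues: an unsupported schema is a configuration problem, not a clean scan."""
    return json.loads(report_text).get("reportSchema") in supported


def main() -> None:
    summary = summarize_report(SAMPLE_REPORT)
    print(f"schema {summary['schema']}, {summary['dependencies']} dependencies, "
          f"{len(summary['findings'])} findings ({summary['kev_count']} in KEV)")
    for f in summary["findings"]:
        flag = " [KEV]" if f["kev"] else ""
        print(f"  {f['dependency']}: {f['cve']} ({f['severity']}){flag}")
    if not schema_supported(SAMPLE_REPORT, ["1.0"]):
        print("report schema not supported by this consumer; upgrade the plugin")


if __name__ == "__main__":
    main()
```

To use it against a real build, replace `SAMPLE_REPORT` with the contents of the `dependency-check-report.json` that Jenkins archives. If the findings list is non-empty but Sonar shows none, the report is fine and the consumer side (the Sonar plugin version) is where to look, as the maintainer's reply suggests.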