Status: Open. Opened by Fraserhardy 6 years ago.
Sorry to hijack your issue a bit @Fraserhardy, but did you have to do anything special to get sonar-bitbucket-plugin working nicely with dependency-check-sonar-plugin?
I have the same setup and I created a PR where I intentionally added a new vulnerable dependency. I can see from the command line output that it is being picked up and associated with the correct CVE, but the sonar-bitbucket-plugin just comments that everything is hunky-dory and there are no problems?
Any chance you can point me in a generally correct direction?
@StFS I actually may have been mistaken on this one, as after some further testing (by specifically adding vulnerable deps) we found this didn't have the same behaviour. It turned out that we actually had a different issue where somehow lines which hadn't been changed as part of the PR were being flagged by Sonar, but the comment was then not applied within the PR, so tracking them down became a bit of a manual process. I personally would like to see the ability for an overall PR comment for dependency check though, so we should probably open a separate FR ticket for this.
I did exactly that @Fraserhardy : https://github.com/mibexsoftware/sonar-bitbucket-plugin/issues/79
Please feel free to add more details if you can think of any that might help with this.
Expected Behavior
Using the dependency check plugin (https://github.com/stevespringett/dependency-check-sonar-plugin), it is creating issues at a project level. We've noticed that we have PRs where no comments appear within the code, but the top comment states that there are issues. Would it be possible to add a PR level comment for any issues not linked to lines of code?
Actual Behavior
The PR comment states there are issues but the actual issue is not displayed.
Plug-in version, SonarQube version, CI system, build type
SonarQube 6.2; sonar-bitbucket-plugin v1.2.3
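The gap the Expected Behavior section describes is the difference between issues attached to a file and line (which a PR line comment can carry) and issues attached only to the project (which have no line to attach to). The following Python is an added illustration, not code from sonar-bitbucket-plugin or dependency-check-sonar-plugin: it reads a constructed sample in the shape of a SonarQube issues-search response, separates the two kinds, and renders the project-level ones as one PR-level comment body. The project key, file path, rule keys, messages and the CVE placeholder are all assumptions made for the example.

```python
import json
from typing import List, Tuple

# Constructed sample shaped like a SonarQube /api/issues/search response.
# Project key, component path, rule keys and messages are made up for this
# example; the CVE id is a placeholder, not a real identifier.
SAMPLE_RESPONSE = json.dumps({
    "issues": [
        {
            "key": "ISSUE-1", "rule": "java:S1481", "severity": "MINOR",
            "component": "example-project:src/main/java/App.java",
            "project": "example-project", "line": 42,
            "message": "Remove this unused local variable.",
        },
        {
            "key": "ISSUE-2", "rule": "dependency-check:known-vulnerability",
            "severity": "CRITICAL",
            "component": "example-project",  # attached to the project, not a file
            "project": "example-project",
            "message": "example-lib-1.0.jar has a known vulnerability "
                       "(CVE-XXXX-XXXXX placeholder)",
        },
    ]
})

# SonarQube's five severities, most serious first, for ordering the summary.
SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}


def is_line_anchored(issue: dict) -> bool:
    """True when the issue points at a file and a line, so a line comment is possible."""
    return issue.get("line") is not None and issue.get("component") != issue.get("project")


def split_issues(response_json: str) -> Tuple[List[dict], List[dict]]:
    """Partition issues into those a PR line comment can carry and those it cannot."""
    issues = json.loads(response_json)["issues"]
    anchored = [i for i in issues if is_line_anchored(i)]
    unanchored = [i for i in issues if not is_line_anchored(i)]
    return anchored, unanchored


def pr_summary(unanchored: List[dict]) -> str:
    """Render project-level issues as a single PR-level comment body, worst first."""
    if not unanchored:
        return "No project-level issues."
    lines = ["Project-level issues (not tied to a changed line):"]
    for issue in sorted(unanchored, key=lambda i: SEVERITY_RANK.get(i["severity"], 99)):
        lines.append(f"- [{issue['severity']}] {issue['rule']}: {issue['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    anchored, unanchored = split_issues(SAMPLE_RESPONSE)
    print(f"{len(anchored)} line-anchored, {len(unanchored)} project-level")
    print(pr_summary(unanchored))
```

Run as-is it reports one line-anchored issue and one project-level issue, and prints the project-level one as the body a PR-level comment would carry; the same split is what a plugin would need before deciding whether to post a line comment or a summary comment.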