umax / trivy-plugin-sonarqube

A Trivy plugin that converts JSON report to SonarQube format
Apache License 2.0

Failed to parse report: missing mandatory field 'engineId' #5

Closed cpglsn closed 2 months ago

cpglsn commented 2 months ago

First of all thanks for the support and the tool!

I get the error in the title when I try to convert a Trivy report. What should I do in order to fix it? Please let me know if you need more details.

sonar-scan version:

$ sonar-scanner -v
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.11 Alpine (64-bit)
INFO: Linux 6.10.3-200.fc40.x86_64 amd64

SonarQube version: v9.9.6 (build 92038) running on sonarqube:lts-community container

trivy version:

$ trivy -v
Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-08-13 18:13:34.631086497 +0000 UTC
  NextUpdate: 2024-08-14 00:13:34.631086116 +0000 UTC
  DownloadedAt: 2024-08-13 22:32:07.188506217 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-07-19 01:05:56.417935069 +0000 UTC
  NextUpdate: 2024-07-22 01:05:56.417934939 +0000 UTC
  DownloadedAt: 2024-07-19 13:29:27.121636574 +0000 UTC
Policy Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-06 05:33:15.615726005 +0000 UTC

$ trivy plugin list
Installed Plugins:
  Name:    sonarqube
  Version: 0.3.1

command run:

trivy image alpine:3.12.3 \
  --severity HIGH,CRITICAL \
  --timeout 10m \
  --scanners vuln \
  --format json \
  --no-progress \
  --ignore-unfixed \
  --output=trivy.json

trivy sonarqube trivy.json > sonarqube.json

sonar-scanner \
  -Dsonar.projectKey=test \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://IP:9001 \
  -Dsonar.login=TOKEN \
  -Dsonar.externalIssuesReportPaths=sonarqube.json

cpglsn commented 2 months ago

Apparently the generated format is compatible with sonarqube:10.6 while I was running sonarqube:9.9.6 (currently the LTS version).

Mystery solved.

PS If you have time, it would be great to add a compatibility list (plugin_version <-> sonarqube_version).

Thanks!
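The mismatch described above comes down to where `engineId` lives: the 9.9 generic-issue importer expects it (with `severity` and `type`) on every issue, while the newer layout moves it into a top-level `rules` array. The following is an added example, not code from this plugin or from SonarSource, that detects which layout a report uses, lists the per-issue fields a 9.9 importer would reject, and flattens a newer-style report back into the legacy shape. The field lists, the severity mapping and the sample report are assumptions constructed for the example.

```python
import json

# Constructed sample in the newer SonarQube generic-issue layout: engineId and
# severity live on the rule entry, not on the issue (assumed layout).
SAMPLE_10X = {
    "rules": [{"id": "EXAMPLE-0001", "name": "constructed rule", "engineId": "trivy",
               "impacts": [{"softwareQuality": "SECURITY", "severity": "HIGH"}]}],
    "issues": [{"ruleId": "EXAMPLE-0001",
                "primaryLocation": {"message": "constructed finding", "filePath": "Dockerfile"}}],
}

# Per-issue fields the 9.9 importer treats as mandatory (assumed list).
LEGACY_ISSUE_FIELDS = ("engineId", "ruleId", "severity", "type", "primaryLocation")
# Assumed mapping from newer impact severities back to 9.9 issue severities.
SEVERITY_MAP = {"HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}

def detect_format(report):
    """'10.x' when issues lean on a top-level 'rules' array, '9.9' when every
    issue carries its own engineId, else 'unknown'."""
    issues = report.get("issues", [])
    if "rules" in report and issues and "engineId" not in issues[0]:
        return "10.x"
    if issues and all("engineId" in i for i in issues):
        return "9.9"
    return "unknown"

def missing_legacy_fields(report):
    """(issue index, field) pairs a 9.9 importer would reject as missing."""
    return [(n, f) for n, issue in enumerate(report.get("issues", []))
            for f in LEGACY_ISSUE_FIELDS if f not in issue]

def downgrade_to_legacy(report):
    """Flatten a newer-layout report into the 9.9 layout by copying engineId,
    severity and type from each issue's rule entry onto the issue itself."""
    rules = {r["id"]: r for r in report.get("rules", [])}
    out = []
    for issue in report.get("issues", []):
        rule = rules.get(issue["ruleId"], {})
        impact = (rule.get("impacts") or [{}])[0]
        legacy = dict(issue)
        legacy.setdefault("engineId", rule.get("engineId", "unknown"))
        legacy.setdefault("severity", SEVERITY_MAP.get(impact.get("severity"), "MAJOR"))
        legacy.setdefault("type", "VULNERABILITY")
        out.append(legacy)
    return {"issues": out}

if __name__ == "__main__":
    print(detect_format(SAMPLE_10X), missing_legacy_fields(SAMPLE_10X))
    print(json.dumps(downgrade_to_legacy(SAMPLE_10X), indent=2))
```

Running `missing_legacy_fields` on the plugin's output before handing it to `sonar-scanner` reproduces the importer's complaint offline, so the version mismatch shows up before a scan is wasted.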

yehudi-mikhael-brito commented 1 month ago

@cpglsn What was your solution to this problem? Did you use the sonar-scanner:11.0 docker image?