4
votes

I'm having issues with displaying vulnerabilities on SonarQube. Here are the steps I followed:

  1. Installed dependency-check-sonar-plugin version 1.0.3 on SonarQube.

  2. Configured the dashboard to include the Vulnerabilities widget.

  3. Generated dependency report using: mvn org.owasp:dependency-check-maven:1.3.6:check -Dformat=XML.

  4. Report was placed into [project]/target/dependency-check-report.xml

  5. Ran the sonar task: org.codehaus.mojo:sonar-maven-plugin:2.3:sonar. The task completed successfully, but I don't see data in the Vulnerabilities widget. Does anyone have an idea what could prevent the plugin from seeing the report?

Thanks in advance! Rada

1
What did you do so far to troubleshoot this? (also: SonarQube version? logs of the dependency check? logs of the analysis and command invoked?) – Nicolas B. - SonarSource Team

The issue was resolved. Thanks a ton to the creator of the plugin, who pointed me in the right direction! – rada

You should share the solution with the rest of the community :) (on StackOverflow you can answer your own question) – Nicolas B. - SonarSource Team

1 Answer

6
votes

To solve the issue I contacted Steve Springett, creator of the plugin. He has great end-to-end examples of how the plugin should be configured.
I added <sonar.dependencyCheck.reportPath>${dependency.check.report.dir}/dependency-check-report.xml</sonar.dependencyCheck.reportPath> to the properties of my pom and used the following two plugins:

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>2.6</version>
</plugin>
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.3.1</version>
    <configuration>
        <format>XML</format>
        <outputDirectory>${dependency.check.report.dir}</outputDirectory>
    </configuration>
</plugin>
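For readers assembling this from scratch, here is how the property and the two plugins from the answer fit together in one pom fragment (an added example, not the answer author's or the plugin's own configuration). The value of `dependency.check.report.dir` is an assumption; the answer never defines it, and `${project.build.directory}` is used here so that the path dependency-check writes to is the same path SonarQube's `sonar.dependencyCheck.reportPath` reads from.

```xml
<project>
    <properties>
        <!-- Assumed value: one directory that both plugins reference, so the
             report is written and read at the same location. -->
        <dependency.check.report.dir>${project.build.directory}</dependency.check.report.dir>

        <!-- Read by the SonarQube dependency-check plugin during analysis.
             If this path does not match where dependency-check-maven writes,
             the Vulnerabilities widget stays empty even though both builds succeed. -->
        <sonar.dependencyCheck.reportPath>${dependency.check.report.dir}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
    </properties>

    <build>
        <plugins>
            <!-- Versions taken from the accepted answer. -->
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <version>2.6</version>
            </plugin>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.3.1</version>
                <configuration>
                    <!-- XML is the format the SonarQube plugin parses. -->
                    <format>XML</format>
                    <!-- Write into the shared directory defined above. -->
                    <outputDirectory>${dependency.check.report.dir}</outputDirectory>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
```

Run the dependency-check goal first and confirm dependency-check-report.xml exists under the configured directory before running the sonar goal; a missing or mis-located report is the most common reason the widget shows nothing.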