0
votes

Currently we're using a Jenkins freestyle job for a Gradle project and using the following command to run Sonar and Dependency-Check:

./gradlew clean build sonarqube dependencyCheckAnalyze

and I'm getting the following message:

Analyzing /opt/jenkins_slave_home/workspace/AA/package-lock.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check
Generating report for project AA_ArbitraryBuild
Found 0 vulnerabilities in project AA

and we can see a file inside "ws/build/reports/", but it didn't scan anything.

The following is the "build.gradle" file:

buildscript {
    repositories {
        maven { url artifactoryRepoUrl }
        mavenCentral()
    }
    dependencies {
        classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7'
        classpath 'org.owasp:dependency-check-gradle:6.0.3'
    }
}

apply plugin: 'org.sonarqube'
apply plugin: 'org.owasp.dependencycheck'

sonarqube {
    properties {
        property 'sonar.projectName', sonarProjectName
        property 'sonar.projectKey', sonarProjectKey
        property 'sonar.host.url', sonarHostUrl
        property 'sonar.login', sonarAuthToken
        property 'sonar.dependencyCheck.reportPath', sonarDependencyCheckReport
        property 'sonar.dependencyCheck.htmlReportPath', sonarDependencyCheckHTMLReport
    }
}

Can you please help with what additional steps I need to add?

1
Does your project have any JavaScript files or use Node.js? If yes, do you want to scan them using SonarQube, or do you want to exclude them? – Sourav Atta

Yes Sourav, we've got Node files and we need to scan them with SonarQube. – karthikN

Then, before the sonar scan stage, you need to run npm install, as suggested in the error as well. – Sourav Atta

I can see the report in <JenkinsWorkspace>/builds/reports/dependency-check-report.html but am not able to publish it to the Sonar dashboard. – karthikN

dependencyCheckAnalyze must be run before sonarqube, as you want the report files to exist before the upload to Sonar. – Lucas Holt

1 Answer

0
votes

You've got all you need to push the result to Sonar. Make sure that you provide the right path for your OWASP vulnerabilities report for the Sonar plugin. It's sonar.dependencyCheck.reportPath and it should point to the build/reports directory, and if you produce an HTML report file you can point to it with sonar.dependencyCheck.htmlReportPath.
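Putting the answer and the comments together, here is an added build.gradle fragment (example code, not from the question or the answer) that wires the three points up: the Dependency-Check task writes its XML and HTML reports into build/reports, the sonarqube task is made to depend on dependencyCheckAnalyze so the report files exist before the upload, and the two sonar.dependencyCheck.* properties point at those files. The dependencyCheck { } block uses the formats, outputDirectory and failBuildOnCVSS settings of the dependency-check-gradle plugin; the report file names dependency-check-report.xml and dependency-check-report.html are the plugin's defaults. The npm install step is assumed to be run by Jenkins in the workspace before Gradle is invoked, as the error message asks.

```groovy
// Added example, not the asker's build.gradle: the buildscript and plugin
// application from the question are assumed to be above this block.

dependencyCheck {
    // Write both the XML report (consumed by the Sonar plugin) and the
    // HTML report (for humans) into build/reports, where the asker already
    // found the generated file.
    formats = ['XML', 'HTML']
    outputDirectory = "$buildDir/reports"
    // Optional hardening: fail the build when a finding scores 7.0 or higher
    // (assumed threshold; adjust to the project's policy).
    failBuildOnCVSS = 7.0f
}

sonarqube {
    properties {
        property 'sonar.projectName', sonarProjectName
        property 'sonar.projectKey', sonarProjectKey
        property 'sonar.host.url', sonarHostUrl
        property 'sonar.login', sonarAuthToken
        // Absolute paths to the files dependencyCheckAnalyze just produced.
        property 'sonar.dependencyCheck.reportPath',
                 "$buildDir/reports/dependency-check-report.xml"
        property 'sonar.dependencyCheck.htmlReportPath',
                 "$buildDir/reports/dependency-check-report.html"
    }
}

// Force the ordering from Lucas Holt's comment: the scan runs before the
// Sonar upload regardless of the order of tasks on the command line.
tasks.named('sonarqube') {
    dependsOn 'dependencyCheckAnalyze'
}
```

With this in place the Jenkins shell step becomes `npm install` (or `npm ci` when package-lock.json is committed) followed by `./gradlew clean build dependencyCheckAnalyze sonarqube`; because of the dependsOn, even the original order `sonarqube dependencyCheckAnalyze` now produces the reports first. The "Found 0 vulnerabilities" line with the node_modules warning is the symptom to watch for: it means the Node analyzer had nothing to inspect, so a clean Sonar dashboard in that state reflects a skipped scan rather than a clean dependency tree.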