I am trying to use this plugin in Sonhrqube 6.0 which uses the new API org.sonarsource.sonarqube
sonar-plugin-api
6.0

and the new builder

Everything has changed so much that I don't really know where to start. I tried installing it as is but, I see no results or errors in the logs. I am running the Dependency check from Maven inside of Bamboo which produces the correct xml file, in the target folder. The problem seems to be in the sonar application. I installed the jar file in sonar/extensions/plugins and then modified sonar/conf/sonar.properties file to include the sonar.dependencyCheck.reportPath={direct path to xml file} with no results. I concluded that it must be a version problem.

Hi Steve,

First of all I want to thank you for writing and sharing this plugin to view dependency check information in Sonar. I've been playing with Sonar and your plugin for a while and I have a question if you don't mind regarding the report I see in Sonar. If I go to Measures I see a list of OWASP dependency items listed with their corresponding totals. When I click one say "High Severity Vulnerabilities" I see the total vulnerabilities then 3 headings - list, tree and history. The list does not display anything although the tree and the history columns do when clicked. Am I supposed to see something in the list ? Like location in the code where the vulnerability was found ? Thanks a lot!

Screenshot

Tools Used: Sonarqube 5.6.3, Gradle 2.9 and org.owasp.dependencycheck

Regards,

Jedd

In the newer version of the dependency scanner a ? can be included in the file path of issues. This ? is causing the import to fail. Quick fix would be to filter out the ? part of the path.

Caused by: java.nio.file.InvalidPathException: Illegal char <?> at index 39: ..\package.json?moment
at sun.nio.fs.WindowsPathParser.normalize(Unknown Source)
at sun.nio.fs.WindowsPathParser.parse(Unknown Source)
at sun.nio.fs.WindowsPathParser.parse(Unknown Source)
at sun.nio.fs.WindowsPath.parse(Unknown Source)
at sun.nio.fs.WindowsFileSystem.getPath(Unknown Source)
at java.io.File.toPath(Unknown Source)
at org.sonar.api.scan.filesystem.PathResolver.relativePath(PathResolver.java:121)
at org.sonar.api.batch.fs.internal.AbsolutePathPredicate.get(AbsolutePathPredicate.java:52)
at org.sonar.api.batch.fs.internal.DefaultFileSystem.inputFiles(DefaultFileSystem.java:149)
at org.sonar.api.batch.fs.internal.DefaultFileSystem.inputFile(DefaultFileSystem.java:115)
at org.sonar.dependencycheck.DependencyCheckSensor.addIssues(DependencyCheckSensor.java:126)
at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:209)
... 35 more

Hello, I installed the plugin into my sonar instance however when I try to load the widget I get a blank page. I have confirmed the report exists in my Jenkins workspace and am able to view it in Jenkins. I believe everything is set up correctly; I left the defaults in all configs for Jenkins/Sonarqube project. Looking at Chrome developer tools I see the following error when trying to load the widget:

"report.js:9 Uncaught (in promise) TypeError: Cannot read property 'value' of undefined
at report.js:9
at "

Any thoughts?

Is there a way to put the dependency vulnerabilities in a separate category than code vulnerabilities? I'd like to place them in something like 'dependencies vulns' instead of 'vulnerabilities'.

The reason is there are multiple times more dependency vulns than code vulns and it is clogging up the issues, making it difficult to triage. I'm able to filter it out by language (since dep vulns are 'general' language), but it's still throwing off the vulnerability count in a lot in some of the projects.

Hello.

I'm using Sonar 5.6.5 with OWASP DC plugin 1.0.3. My jobs on Jenkins run dependency check (using maven plugin), and the results are collected on Jenkins. But the Sonar sensor is not launched (no log, no error in console out), and thus analysis results are not collected...

Should I configure something on the Sonar side to activate the sensor. Other analysis sensors run as expected : Cobertura, PMD, etc...

Thanks for your help.

Regards.

SONAR version: 6.7
Jenkins version: 2.7.2
Dependency-Check Jenkins Plugin version: 3.1.2
Dependency-Check SONAR Plugin version: 1.1.0

I could see dependency-check-report.xml was generated successfully, but still couldn't see anything from 'Measures' tab or 'More->Dependency Check' tab as below.

Your help would be highly appreciated.

Allow the analysis to be enabled (on/off) per project.

The sonar:sonar step will fail on a multimodule project where the top level has packaging of "pom"

You get an error like this:
Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.6:sonar (default-cli) on project MyTopModuleName: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: dependency-check-report.xml

Hi,

We are using SonarQube 5.1.1 with the plugin installed. The SonarQube server logs seem to indicate that the plugin has been installed and is working. I can add the widget to our project dashboards but when I publish our project to Sonar using Maven we get no results. We also don't get any mention of the plugin sensor being activated in the log output?

The xml file from the OWASP plugin is being created and we've added the report location as a property to the project POM file.

How can I ensure that the plugin is working correctly and what the issue might be?

Best regards

Matt

After copying the 1.1.0 jar to the extensions/plugins dir and restarted, this is the error in the sonarqube log (and the server crashes). Maybe there is an attribute in the pom.xml missing?

In our SonarQube server some issues already mark as won't fix, but after some days, it will be auto marked as fixed(closed). And then it will be report again after few days.

I'm not sure what's wrong with it and what kind of issues will be mark as new issue?

When sonar analysis is run for a multi-module project and some of the modules (e.g. parent project) don't contain the report, Sonar analysis fails.

I.e. when the analysis is started using

mvn sonar:sonar -Dsonar.dependencyCheck.reportPath=target/dependency-check-report.xml

then all modules (including parent one) are expected to contain this file otherwise the analysis fails with

java.io.FileNotFoundException: Dependency-Check report does not exist.

It would be better if missing report didn't cause the analysis to fail.

It seems that there are a lot of changes for sonarqube 5.2. If you try to run the plugin in 5.2 you get the following error

Caused by: java.lang.UnsupportedOperationException: Not supported during sensor phase
        at org.sonar.batch.issue.DeprecatedIssueBuilderWrapper.attribute(DeprecatedIssueBuilderWrapper.java:117)
        at org.sonar.dependencycheck.DependencyCheckSensor.addIssue(DependencyCheckSensor.java:96)
        at org.sonar.dependencycheck.DependencyCheckSensor.addIssues(DependencyCheckSensor.java:153)
        at org.sonar.dependencycheck.DependencyCheckSensor.analyse(DependencyCheckSensor.java:178)

I can't find an official upgrade guide for plugins so I'm only guessing at what steps are needed.

• parent is now org.sonarsource.sonar-plugins:parent:22
• api artifact is org.sonarsource.sonarqube:sonar-plugin-api
• packaging plugin is org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin
• @javax.annotation.ParametersAreNonnullByDefault isn't on the classpath. I'm not sure what is to replace it.
• You use commons-lang a lot. It's not on the classpath, but packages like org.sonar.api.internal.apachecommons.lang.StringUtils are. I think that commons lang will need to be defined for the plugin.
• IssueBuilder has changed so tests won't compile
• javax.annotation.CheckForNull isn't on the classpath anymore

This link talks about plugins having an isolated classloader, so maybe it's simply enough to put the existing versions of dependencies that the plugin uses into the pom.
http://docs.sonarqube.org/display/DEV/Coding+a+Plugin

Hi folks,

I tried some possibility with de plugin ... and I have same issue each time.
it's impossible to view the result in Sonar.

My Configuration :
Jenkins CI - v2.73.3
Plugin : OWASP Dependency-Check Plugin - v3.0.2

SonarQube CI - v6.7(build 33306)
Plugin : Dependency-Check - v1.1.0

If I use Syntaxe Pipeline Plugin, I juste see the report in Jenkins ... nothings in SonarQube.

dependencyCheckAnalyzer datadir: 'dependency-check-data', hintsFile: '', includeCsvReports: false, includeHtmlReports: false, includeJsonReports: false, includeVulnReports: true, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: ''
                    
dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''

archiveArtifacts allowEmptyArchive: true, artifacts: '**/dependency-check-report.xml', onlyIfSuccessful: true

if I use :

sh 'mvn clean package dependency-check:check'
                
withSonarQubeEnv('SonarQube-Loto') {
   // requires SonarQube Scanner for Maven 3.2+
   sh 'mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar'
   //sh 'mvn sonar:sonar'
}

i see nothing anyware.

The last sentence, are in exemple of : https://github.com/stevespringett/dependency-check-sonar-plugin/tree/master/examples/multi-module-maven-runner

I try to use this in DeclarativePipeline.

My DP of Jenkinsfile :

#!/usr/bin/env groovy
pipeline {
    agent {
        label "master" //valeur par default
    }

    tools {
        jdk 'jdk8' //spécification du JDK
    }

    options {
        buildDiscarder(logRotator(numToKeepStr:'10'))
        timeout(time: 30, unit: 'MINUTES')
        gitLabConnection('gitlab-loto')
    }

    environment {       
        lstDistribution = "[email protected];"
    }
    stages {

        stage("Config") {
            steps {
                echo "voici le chemin du workspace"
                echo "${WORKSPACE}"
            }
        }
        
        stage("Analyse Code Quality") {            
            steps {
                echo "Static Code Analysis"
                
                sh 'mvn clean package dependency-check:check'
                
                withSonarQubeEnv('SonarQube-Loto') {
                    // requires SonarQube Scanner for Maven 3.2+
                    sh 'mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar'
                    //sh 'mvn sonar:sonar'
                }

            }
        }
     }

    post {
        always {
            echo "Fin de l'exécution du pipeline"
            //deleteDir()                             //Nettoyage du workspace
        }
    }    
}

Regards for your help.

It would be good if the plug-in could be enabled and disable through the Sonar GUI.

While the plugin can be installed manually, it would be nice if it is included in the Sonarqube marketplace.

See: https://docs.sonarqube.org/display/DEV/Deploying+to+the+Marketplace

This helps management of updates a bit nicer.

Hi,

I have been testing the plugin, and it has not worked properly.

When I get a report without vulnerabilities, the plugin works fine, but when the report has any vulnerabilities, the plugin breaks the analysis because in the following line, the inputFile object is always null.

https://github.com/stevespringett/dependency-check-sonar-plugin/blob/master/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckSensor.java#L152

InputFile inputFile = fileSystem.inputFile(fileSystem.predicates().is(report.getFile()));

Could you help me?

Thanks in advance

The "aggregate" dependency-check.xml report results are distributed incorrectly on modules in multi-module sonar project. Each module has the same overall number of dependencies and vulnerabilities.

Using the owasp-dependency-check via the Maven plugin and submitting the results into sonar via this plugin gives me some weird issues.

On each run of the Maven build the Sonar plugin mixes up the reported vulnerabilities with already existing ones. One could observe this phenomenon when some of the found vulnerabilities were marked with a different status or augmented with comments. After the Maven build some of the changed status values and comments are then associated with different (existing) issues.

I was debugging this issue by looking at the data stored in my local Sonar postgres database. Sonar is storing the status values in the table 'issues'. After another run of the Maven build message (description) values of existing issues is updated with another issue's message. The prior status value, however, stays the same. I can reproduce this issue easily when running:

$ mvn sonar:sonar

I'm using:

• Apache Maven 3.5.2
• dependency-check-maven 3.1.1
• dependency-check-sonar-plugin 1.1.0 (installed via SonarQube Marketplace)
• SonarQube 7.0

Did anyone else experience something like this before?

Thx

We have set up a suppressions file for the issues that we would like to mark as already dealt with in some way or another. For the HTML report, that causes the issues to be filtered out. However, the XML report includes that information within the data structures as suppression information. Are there any plans to use this information to drive Sonar and/or filter out the vulnerabilities as they are being processed?

Unfortunately, I don't have any experience dealing with Sonar plugins, so I don't have a good way to help out in this regard. I just know that my original hope/expectation had been that the issues we had already marked as suppressed would not show up in our reports.

We have the following setup:

• A multi module gradle project (Java code and some Scala)
• SonarQube with dependency-check-sonar plugin and sonar-bitbucket-plugin (https://github.com/mibexsoftware/sonar-bitbucket-plugin)

The bitbucket plugin in SonarQube is set up so that it comments on our pull requests when they get created. It does a good job of commenting on code changes but when we add new vulnerable library dependencies, the bitbucket plugin does not pick up the added vulnerability and does not comment on the PR regarding that. I can confirm from the command line output that the dependency-check plugin is in fact picking up the new vulnerable library but the bitbucket plugin does not report it.

I've reported the issue on the bitbucket plugin (mibexsoftware/sonar-bitbucket-plugin#79) but I figured I might ask here as well.

If there is some technical reason for the bitbucket plugin not being able to detect an increased number of vulnerable libraries, is there at least some way I can run the sonarqube task in gradle and get information about whether the number of vulnerable libraries has increased since the last scan?

We're trying to get this into our PR reviews but at the very least we'd like to be able to get notified on a daily basis if the number of vulnerable libraries is increasing.

I have generated the OWASP dependency check report under WORKSPACE using the Jenkins plugin. But Sonarqube 5.2 isnt analyzing the generated dependency-check-report.xml. Infact I didnt see a sensor phase for OWASP.

I have declared the following property as well:

<sonar.src>.</sonar.src>
<sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>

The plugin is installed properly, because im able to view the relevant widgets.

The XML plugin is also installed and sonar.import_unknown_files is set as TRUE

I just installed the sonar plugin and I got the plugin to work with my Jenkins installation, but I had to hard-code the path like this:
sonar.dependencyCheck.reportPath=C:/jenkins/workspace/ah-defect-reporting-service-dev/dependency-check-report.xml

I also had to use forward-slashes or it wouldn't work (This is a Windows Jenkins Slave).

The real issue is I want to use the ${WORKSPACE}/dependency-check-report.xml
But, if I use that I get the following output:
INFO: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: C:jenkinsworkspaceah-defect-reporting-service-devdependency-check-report.xml

The slashes are all removed.

If I just use the path with no hard-coded path it can't find it per below example even though the file is in the root of the workspace.

Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: dependency-check-report.xml

Hi,
is there a reason why the plugin is not reported to SonarSource and has an official status?

USE CASE: I am investigating using this plugin and suites our needs with 1 exception. For our enterprise we block builds if SQ quality gates have any new BLOCKER or new CRITICAL issues. We would like to introduce this tool but we don't want to immediately be blocking builds because of the CRITICAL issues that get reported. (though we would eventually want to turn this on) It would be nice to have settings for which rating gets mapped to which SQ severity. This would allow us to set our own thresholds.

This should be an easy enhancement and if I get time, I will submit a pull request.

Brandon

Can the results file be excluded from the project metrics.

Hi,

I have a large number of projects currently running in GoCD. For a small subset of them I am generating a dependency-check.xml and this plugin is reading them fine.

However, since installing the plugin the other projects (those not generating dependency-check.xml files) are now failing with:

14:39:26.544 [ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.6:sonar (default-cli) on project my-project2: Can not process Dependency-Check report. Dependency-Check report does not exist. -> [Help 1]

Is this an issue with the sonar-maven-plugin I am using or is there a way to tell dependency-check to ignore projects that do not have the xml report present?

Hi,

When I try to bind a project in eclipse with SonarLint, with a SonarQube project, eclipse shows me the next error

The profile neutral-neutral-13672 has only one rule Using Components with Known Vulnerabilities

I need fix that issue to work with eclipse, sonarlint and dependency-check

Thanks in advance

Hello there,

It looks like the vulnerability issues coming from the dependency-check xml report lacks of information compare to the HTML output.
Basically everything is reflected on SonarQube issue except we can call "Confirmation links" that corroborate the vulnerability raised by the tool.

Why this discrepancy?
Regards,

Using gradle plugin

plugins {
  id "org.sonarqube" version "2.6.1"
}

with this configuration:

// SonarQube
sonarqube {
  properties {
    property "sonar.host.url", "http://sonar.mydomain:9000/sonar"
    property "sonar.login", "mykey"
    property "sonar.projectName", name + '_' + getSvnBranchName()
    property "sonar.projectKey", "it.acme.myapp." + name + ":" + getSvnBranchName()
    property "sonar.projectVersion", version
    property "sonar.source", "src/main/"
    property "sonar.dependencyCheck.reportPath", "./build/sonar/dependency-check-report.xml"
    property "sonar.dependencyCheck.htmlReportPath", "./build/sonar/dependency-check-report.html"
  }
}

On a java web app project

$ find src/main/ -type f | wc -l
26
$ find src/main/ -name *.java | wc -l
9

No source file is being analyzed by OWASP (other checks runs well)

Sensor OWASP Dependency-Check [dependencycheck]
Process Dependency-Check report
Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ./build/sonar/dependency-check-report.xml
Process Dependency-Check report (done) | time=2ms
Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ./build/sonar/dependency-check-report.html
Sensor OWASP Dependency-Check [dependencycheck] (done) | time=5ms
Sensor Embedded CSS Analyzer Sensor [css]
0 source files to be analyzed

Same issue with gradle plugin id "argelbargel.gradle.plugins.sonarqube-multiproject-plugin" version "1.2"

Gradle version is:

------------------------------------------------------------
Gradle 3.5
------------------------------------------------------------

Build time:   2017-04-10 13:37:25 UTC
Revision:     b762622a185d59ce0cfc9cbc6ab5dd22469e18a6

Groovy:       2.4.10
Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM:          1.8.0_111 (Oracle Corporation 25.111-b14)
OS:           Linux 4.4.0-96-generic amd64

I'm having issues with displaying vulnerabilities on SonarQube. Here are the steps I followed:

1. Installed dependency-check-sonar-plugin version 1.0.3 on SonarQube.
2. Configured dashboard to include Vulnerabilities widjet.
3. Generated dependency report using: mvn org.owasp:dependency-check-maven:1.3.6:check -Dformat=XML.
4. Report was placed into [project]/target/dependency-check-report.xml
5. Ran sonar task: org.codehaus.mojo:sonar-maven-plugin:2.3:sonar Task completed successfully but I don't see data in the Vulnerabilities widjet. Anyone has idea what could prevent plugin from seeing report?

Thanks in advance! Rada

Hello,

I am using Jenkins for continuous Integration and apparently after having upgraded the plugin OWASP dependency Check to last version 3.1.1, I received the following error while importing the xml report generated by the OWASP plugin with the last version of SonarQube plugin 3.4.0.905 (Sonar server: 6.7.1) (Sonar:Dependency-check plugin 1.1.0)

It looks like it fails with characters ? which are present in the generated xml file.

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.4.0.905:sonar (default-cli) on project omc4-webapp-main: Can not process Dependency-Check report.: Illegal char <?> at index 187: G:\JENKINS\temp\dctempebf761e0-ff68-45f9-941e-5a151e8bf524\check47539468445030423tmp\404\META-INF\resources\webjars\momentjs\2.14.1\package.json?moment

The plug-in didn't process a result file that was generated by an aggregation goal.

I am running SonarQube version 6.2. I downloaded the latest jar (1.1.0) for this dependency-check-sonar-plugin. I placed the file in my /extensions/plugins folder (made sure the file had the same owner and permissions as the other files in the directory) then I restarted Sonar. The server never came online. And I don't see any errors in the sonar.log file, only the message that Process[web] failed to start.

Any ideas what I'm doing wrong?

Hi,everybody,could you help me to anlyze the problem?

i have installed the Dependency-Check plugin in both jenkins2.89 and sonarqube7.0.
when i start to build a project, Dependency-Check plugin seems to do not work.
by the way,the project is a test demo,can't be build.Dependency-Check plugin need build file?

i have try a lot of solutions,but it don't work.

log:
INFO: Sensor OWASP Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: target/dependency-check-report.xml
INFO: Process Dependency-Check report (done) | time=1ms
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.html
INFO: Sensor OWASP Dependency-Check [dependencycheck] (done) | time=4ms
INFO: Sensor jsp [findbugs]

jenkins post step config:
sonar.projectKey=my:demo
sonar.projectName=demo
sonar.projectVersion=1.0
sonar.sources=.
sonar.java.binaries=.
sonar.sources=${WORKSPACE}/src
sonar.dependencyCheck.reportPath=target/dependency-check-report.xml

Hi,
First I would like to say thanks you for your work.
I'm a beginer with Maven and Maven plugins, my office ask me to work on your Dependency-Check plugin, and i'm on it since you publish the 1.3.1 version.
I use the 1.3.3version of the Dependency-Check Maven plugin and the last version of the SonarQube plugin with SonarQube 5.2.

But on some projects i've got this error that I don't understand:

[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.7.1:sonar (default-cli) on project maven-single-module: Can not process Dependency-Check report. Not supported during sensor phase -> [Help 1]

I want to precise that the plugin Dependency-Check for SonarQube 5.2 allready worked on projects that didn't have any vulnerabilities.

I think that my pom is correctly configured (it's your mavenproject sample with personal edit), and SonarQube got the XML plugin:
http://pastebin.fr/44123

So I have this error after runing the commande sonar:sonar.
The Dependency-check-report.xml exist.

Did you have any ideas to help me?

Thanks in advance.
RaphaelDLG.

EDIT:
For me the plugin only work on project that didn't have any vulnerability.
I did a MavenProject with no vunlerability: plugin find the report that say that there is no vulnerability.
But when I tried to put volontary some vulnerable dependency on this project:I have the same error that i quoted above.

@stevespringett Hi,i'm using this plugin,but it doesn't work with sonar 6.0.
do you have any plan to update it?

Hi Steve,

Would it be possible to produce a release with the fix for issue 5. I can only use official releases and issue 5 is the last issue that prevents us using this plugin.

Regards

Matt

Steve, I've configured things such that:

1. gradle is building the dep check xml file (and 2 html files) in "${project.buildDir}/reports"
2. gradle is telling sonar to include it in it's analysis via the property "sonar.dependencyCheck.reportPath", "${project.buildDir}/reports/dependency-check-report.xml"
3. as a result of that configuration I'm seeing issues like the following reported in sonarqube, which appear to be only showing up since installing this plugin:

Filename: jackson-annotations-2.3.0.jar | Reference: CVE-2016-3720 | CVSS Score: 10.0 | XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

However I'm not seeing anything show in the "Known Vulnerabilities in Dependencies" widget I've successfully added to my custom dashboard. Instead I see the text 'no data'. Is there some configuration I've missed?

I'm using:
Sonarqube Version 5.5
Dependency Check Sonar plugin Version 1.0.3
Gradle org.owasp.dependencycheck plugin Version 1.4.0

Hello,

My issue is rather a question about the plugIn:

Aftyer specifying also the path to the dependency-check HTML report, where should that report presented in the SonarQube GUI?
I currently can't find it in SonarQube 6.7 after successfully running the analysis.

Also, I understand from the code that the plugIn is pushing all the HTML report as a metric in Sonar:
the size of my dependency-check Html reports is up to 50 MBytes.
By running the sonar analysis every day, am I going to fill my database with such huge metric?
Can I limit the history of that report metric to keep only the last one ?

Thank you,
JF

Hi,

Do you plan on integrating dependency-check-sonar-plugin in the official SonarQube plugin repository so that it can be installed automatically from the UI?

Running the plugin on a dependency check of a multi module maven plugin gives me the following stack trace during the sonar analysis:

[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.5:sonar (default-cli) on project auth-functional-service-parent: Measure value can not be NaN -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.5:sonar (default-cli) on project auth-functional-service-parent: Measure value can not be NaN
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:216)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:120)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:347)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:154)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:584)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:213)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:157)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Measure value can not be NaN
    at org.codehaus.mojo.sonar.bootstrap.ExceptionHandling.handle(ExceptionHandling.java:41)
    at org.codehaus.mojo.sonar.bootstrap.RunnerBootstraper.execute(RunnerBootstraper.java:139)
    at org.codehaus.mojo.sonar.SonarMojo.execute(SonarMojo.java:138)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:132)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
    ... 19 more
Caused by: java.lang.IllegalArgumentException: Measure value can not be NaN
    at org.sonar.api.measures.Measure.setValue(Measure.java:330)
    at org.sonar.api.measures.Measure.setValue(Measure.java:294)
    at org.sonar.api.measures.Measure.(Measure.java:91)
    at org.sonar.batch.deprecated.DeprecatedSensorContext.saveMeasure(DeprecatedSensorContext.java:149)
    at org.sonar.dependencycheck.DependencyCheckSensor.saveMeasures(DependencyCheckSensor.java:180)
    at org.sonar.dependencycheck.DependencyCheckSensor.analyse(DependencyCheckSensor.java:168)
    at org.sonar.batch.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:59)
    at org.sonar.batch.phases.SensorsExecutor.execute(SensorsExecutor.java:51)
    at org.sonar.batch.phases.DatabaseModePhaseExecutor.execute(DatabaseModePhaseExecutor.java:120)
    at org.sonar.batch.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:264)
    at org.sonar.api.platform.ComponentContainer.startComponents(ComponentContainer.java:92)
    at org.sonar.api.platform.ComponentContainer.execute(ComponentContainer.java:77)
    at org.sonar.batch.scan.ProjectScanContainer.scan(ProjectScanContainer.java:235)
    at org.sonar.batch.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:230)
    at org.sonar.batch.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:228)
    at org.sonar.batch.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:220)
    at org.sonar.api.platform.ComponentContainer.startComponents(ComponentContainer.java:92)
    at org.sonar.api.platform.ComponentContainer.execute(ComponentContainer.java:77)
    at org.sonar.batch.scan.ScanTask.scan(ScanTask.java:57)
    at org.sonar.batch.scan.ScanTask.execute(ScanTask.java:45)
    at org.sonar.batch.bootstrap.TaskContainer.doAfterStart(TaskContainer.java:135)
    at org.sonar.api.platform.ComponentContainer.startComponents(ComponentContainer.java:92)
    at org.sonar.api.platform.ComponentContainer.execute(ComponentContainer.java:77)
    at org.sonar.batch.bootstrap.GlobalContainer.executeTask(GlobalContainer.java:158)
    at org.sonar.batch.bootstrapper.Batch.executeTask(Batch.java:95)
    at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:67)
    at org.sonar.runner.batch.IsolatedLauncher.execute(IsolatedLauncher.java:48)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.sonar.runner.impl.BatchLauncher$1.delegateExecution(BatchLauncher.java:87)
    at org.sonar.runner.impl.BatchLauncher$1.run(BatchLauncher.java:75)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.sonar.runner.impl.BatchLauncher.doExecute(BatchLauncher.java:69)
    at org.sonar.runner.impl.BatchLauncher.execute(BatchLauncher.java:50)
    at org.sonar.runner.api.EmbeddedRunner.doExecute(EmbeddedRunner.java:102)
    at org.sonar.runner.api.Runner.execute(Runner.java:100)
    at org.codehaus.mojo.sonar.bootstrap.RunnerBootstraper.execute(RunnerBootstraper.java:135)
    ... 22 more
Here's the dependency-check.xml
https://gist.github.com/gtudan/ae8a5ae77d2850605926

Is seems that your plugin is not available on SonarQube Marketplace

Is it planned ?

Resource:
https://docs.sonarqube.org/display/DEV/Deploying+to+the+Marketplace

TODO (from requirements):

• Your plugin is open-source
  • Source is freely accessible
    -> https://github.com/stevespringett/dependency-check-sonar-plugin
  • The license is a known FLOSS one (check the list provided by the Open Source Initiative)
    -> LGPLv3
  • There's a public issue tracking system
    -> https://github.com/stevespringett/dependency-check-sonar-plugin/issues
  • Documentation is available online in English
    -> OK for quick overview : https://github.com/stevespringett/dependency-check-sonar-plugin/blob/master/README.md
    -> But no détails : https://github.com/stevespringett/dependency-check-sonar-plugin/wiki
  • Binaries of each version are accessible somewhere
    -> https://bintray.com/stevespringett/owasp/dependency-check-sonar/
    -> https://github.com/stevespringett/dependency-check-sonar-plugin/releases
• Releases follow open source conventions
  • A Release Candidate and feedback period are announced prior to each release.
    -> Pre-release versions available here: https://github.com/stevespringett/dependency-check-sonar-plugin/releases
  • A "feedback period closed" notice is sent just before the release.
  • For each release the following must be available:
    • release notes that reflect all significant changes in the version
    • plugin jar
      -> https://bintray.com/stevespringett/owasp/dependency-check-sonar/
      -> https://github.com/stevespringett/dependency-check-sonar-plugin/releases
• The key of your plugin should be:
  As describe https://docs.sonarqube.org/display/DEV/Build+Plugin#BuildPlugin-AdvancedBuildProperties : sonar-dependency-check-plugin -> dependencycheck
  • short and unique
  • lowercase (no camelcase)
  • composed only of [a-z0-9]
  • examples: motionchart, php, scmactivity
• The description of your plugin must not be misleading in terms of content (the code needs to do pretty much what the name and description say it does).
  • On initial entry into the Marketplace, SonarSource staff will test the plugin to verify reasonable functionality and quality.
  • SonarSource staff must be provided with the necessary means to do this testing without the need to sign any agreements or fill out any forms.
  • Ideally, the means to do this testing will be made available to the community at large, with the same lack of restrictions.
• Your plugin does not compete with existing SonarSource products (sorry, but we gotta pay the bills somehow)
• It is analysed on SonarCloud and the quality gate is green when doing a release
  -> Check: https://about.sonarcloud.io/news/2016/09/01/sonarqubedotcom-open-to-aynone.html
  -> https://sonarcloud.io/dashboard?id=org.sonarsource.owasp%3Asonar-dependency-check
• It is compatible with the platform requirements (e.g. it runs on the minimum listed JRE)
• your plugin must be aligned with the goal of the SonarQube platform: management of the technical debt and the quality of the code

At the end:

• Start a new thread on the SonarQube Google Group requesting inclusion. This thread should include plugin:

Subject: [NEW PLUGIN] dependencycheck X.X.X
Description: Integrates Dependency-Check reports into SonarQube
Home page url: https://github.com/stevespringett/dependency-check-sonar-plugin

A lot of my projects use common dependencies between them, but at this time there is no way to aggregate dependencies between projects and they all show up as being unique.

Being able to see how many instances of each unique vulnerable component would make triaging much easier. What would it take to make this happen?

First of all thanks for this plugin. I am really looking forward to using this for all our projects.

I am not sure whether this is just me doing something wrong but somehow the vulnerabilities are marked as critical instead of major as configured.

This is dependency-check-sonar-plugin 1.0.3 and SonarQube 5.6. Please let me know if I can provide you with more details or whether I should ask somewhere else.

Thanks 😄

Good morning Steve,

I've started looking at your plugin and I started with your single-module example to get a better picture of what it will look like in SonarQube. In the README, there's an example of a widget, and I've been unable to create that. I followed the instructions on how to install it to SonarQube (I installed v1.0.3, SonarQube v6.2), and ran the dependency check on the sample. I see vulnerabilities show up in SonarQube, but no widget. Can you advise?

Best regards,
Scott