Comments (10)
gengivan
commented on May 20, 2024
Hi Team, any update?
Thanks
Ivan Geng
from dependency-check-sonar-plugin.
stevespringett
commented on May 20, 2024
What version of SonarQube? Issues are generated against the project, not a particular source file. Are there any changes to the project in SQ prior to this issue occurring?
from dependency-check-sonar-plugin.
gengivan
commented on May 20, 2024
The sonar version is Version 5.6.1.
Issues were not reported on the source files. The issues were reported on JARs. As some of the JARs are already latest or the latest version has known issues, so we marked them as 'Won't Fix'.
A few days later some files were reported again(no change on the jar dependency), but not all of the issues happens again.
Any suggestion? Thanks.
from dependency-check-sonar-plugin.
gengivan
commented on May 20, 2024
Hi @stevespringett , any suggestion? Thanks.
from dependency-check-sonar-plugin.
stevespringett
commented on May 20, 2024
Have you compared the paths of the jars from each of the runs? Are the paths exactly the same? If not, then they would be considered separate issues. I've looked through the plugin code and don't see anything that would cause this issue randomly. You may want to diff the DC XML files.
from dependency-check-sonar-plugin.
stevespringett
commented on May 20, 2024
Also, can you provide me the exact version of a few jars that you've seen this with?
from dependency-check-sonar-plugin.
gengivan
commented on May 20, 2024
@stevespringett , you are right. Actually, the alerts were reported on different type files: in war and individual jar. But the incorrect alert behavior is not consistent, not figure out when it was reported again.
I think the reason should be alerts status had been moved to FIXED, so sonar treat them as new issues.
Please find one sample jar: jackson-mapper-asl-1.9.13.jar.
By the way, any more detail about this?
You may want to diff the DC XML files.
from dependency-check-sonar-plugin.
pioto
commented on May 20, 2024
This still appears to be an issue with version 1.1.2 of this plugin, and version 6.7.6 of SonarQube.
It seems that the "key" of the issue changes with each run, causing the issues to be marked as "isNew" in the JSON report, which in turn ends up falsely marking some builds as introducing "new" issues that have been around for months.
from dependency-check-sonar-plugin.
Reamer
commented on May 20, 2024
Hi,
please checkout new version of this plugin.
1.1.4 for Sonarqube 6.7.5 and above
1.2.3 for Sonarqube 7.6 and above
from dependency-check-sonar-plugin.
Reamer
commented on May 20, 2024
Should be fixed with actual version of this plugin. This plugin looks for a pom.xml or gradle.build in your project to link issue against this files.
from dependency-check-sonar-plugin.
Related Issues (20)
- Quality gate uses original severity of the issue, not the user assigned one HOT 7
- Can't see CVEs (vulnerabilities) on Sonar UI under Project>Issues. Used to see them in the past. Has anything changed? HOT 7
- False positive: NPM package ionicabizau/parse-url confused with parseurl HOT 2
- Examples and tests still use removed `sonar.dependencyCheck.reportPath` property HOT 5
- Cannot collspae Published Vulnerabilities in SonarQube HOT 6
- The dependency check scan is not uploading the reports when scanning a project HOT 3
- URI encoded package names do not match names in lock-file HOT 8
- Apache Log4j vulnerability HOT 3
- Support for Sonar 10.2 Software Quality Severities HOT 7
- [Quality Gates] : Owasp Dependency check HOT 1
- assets section of each release doesnt include .sha256 file HOT 1
- Integrate OWASP plugin with SonarQube from Azure Pipeline
- 9.0.2 of dependency-check plugin throws JSON parsing error with field "CvssV2.confidentialityImpact" HOT 4
- Update dependency-check-maven 9.0.X breaks Sonarqube Vulnerabilities report / JSON-Analysis aborted HOT 9
- NVD Api key config missing HOT 1
- SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource HOT 7
- Html report break sonar UI
- Issue with Documentation for 10.2+ HOT 1
- Add "DownloadOnlyWhenRequired" to packaging HOT 2
- Update 5.0.0 Release Notes to Clarify SonarQube Version Compatibility HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-check-sonar-plugin.