Comments (18)

stevespringett avatar stevespringett commented on May 20, 2024

You need to tell Sonar the location and filename of the report. Do this by specifying:

sonar.dependencyCheck.reportPath=dependency-check-report.xml

from dependency-check-sonar-plugin.

apieraf avatar apieraf commented on May 20, 2024

Hi Steve,

I use the plugin to analyze a C# project, and I use the property with an absolute path because with a relative path the Sonar plugin has not worked properly:

sonar.dependencyCheck.reportPath=%WORKSPACE%/dependency-check-report.xml

Could you help me?

Thanks in advance

ynleborg avatar ynleborg commented on May 20, 2024

I have a similar problem with inputFile being null. I have a multi-module Maven Java project built by Jenkins. I'm passing:

-Dsonar.dependencyCheck.reportPath=/var/lib/jenkins/workspace/sonar_project_test/target/dependency-check-report.xml

And I can see, that analysis has started:

[INFO] [22:52:12.437] Process Dependency-Check report
[INFO] [22:52:13.134] Process Dependency-Check report (done) | time=697ms

but then I get:

[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.5:sonar (default-cli) on project testapp: Can not process Dependency-Check report. Ensure the report and all dependencies being analyzed are located within the project workspace and that sonar.sources is set to reflect these paths (or set sonar.sources=.): Unknow input path type: null -> [Help 1]
Caused by: java.lang.IllegalArgumentException: Unknow input path type: null
    at org.sonar.core.component.ScanPerspectives.as(ScanPerspectives.java:83)
    at org.sonar.dependencycheck.DependencyCheckSensor.addIssue(DependencyCheckSensor.java:88)

stevespringett avatar stevespringett commented on May 20, 2024

Since dependency-check-report.xml is technically a 'source' file from Sonar's perspective, the directory the report is in must be specified as a source directory for Sonar. Multiple source directories can be specified for Sonar.

@ynleborg I would recommend moving the file elsewhere so that you don't have to scan the target directory created by Maven, especially if /target/ contains a site.
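A pre-flight check for the constraint Steve describes above (the report must resolve to a file that lies inside one of the sonar.sources entries, and the runner does not expand CI variables such as ${WORKSPACE} for you). This is an added example, not code from the plugin; the function name, the exit codes and the POSIX-sh/Linux assumption are mine, and it does not cover the Windows paths shown later in the thread.

```shell
#!/bin/sh
# Added example (not plugin code): pre-flight check for the Dependency-Check
# Sonar plugin configuration. It verifies that sonar.dependencyCheck.reportPath
#   (a) contains no unexpanded CI variable (${WORKSPACE} or %WORKSPACE%),
#   (b) points at an existing file, and
#   (c) resolves to a location inside one of the comma-separated sonar.sources
#       entries, since Sonar only sees the report as an input file when it does.
# Exit codes (my own convention): 0 ok, 1 outside sonar.sources,
# 2 report missing, 3 unexpanded variable.
check_report_in_sources() {
  workspace=$1; sources=$2; report=$3

  case "$report" in
    *'${'*|*%*%*) echo "unexpanded variable in reportPath: $report"; return 3 ;;
  esac

  # Relative paths are resolved against the project base directory.
  case "$report" in
    /*) abs=$report ;;
    *)  abs=$workspace/$report ;;
  esac
  [ -f "$abs" ] || { echo "report does not exist: $abs"; return 2; }
  # Canonicalise so ../ segments and symlinks cannot fool the containment test.
  abs=$(cd "$(dirname "$abs")" && pwd -P)/$(basename "$abs")

  oldifs=$IFS; IFS=','
  for entry in $sources; do
    IFS=$oldifs
    case "$entry" in
      /*) path=$entry ;;
      *)  path=$workspace/$entry ;;
    esac
    if [ -d "$path" ]; then
      dir=$(cd "$path" && pwd -P)
      case "$abs" in
        "$dir"/*) echo "ok: report is under sonar.sources entry '$entry'"; return 0 ;;
      esac
    elif [ -f "$path" ]; then
      # sonar.sources may list the report file itself.
      file=$(cd "$(dirname "$path")" && pwd -P)/$(basename "$path")
      [ "$file" = "$abs" ] && { echo "ok: report listed in sonar.sources"; return 0; }
    fi
  done
  IFS=$oldifs
  echo "report is outside every sonar.sources entry; add its directory or set sonar.sources=."
  return 1
}
```

Run it from the Jenkins job before the Sonar step, passing the workspace, the sonar.sources value and the report path; a non-zero exit then fails the build with a readable message instead of the "Unknow input path type: null" stack trace.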

apieraf avatar apieraf commented on May 20, 2024

Hi Steve,
In my case, I configure sonar.sources=. and sonar.dependencyCheck.reportPath=%WORKSPACE%/dependency-check-report.xml, and I get the previous error. How can I fix the problem in my case?

stevespringett avatar stevespringett commented on May 20, 2024

@apieraf I have not tested on Jenkins running on Windows. What happens if you replace %WORKSPACE% with ${WORKSPACE} or set the relative or absolute path without the variable?

apieraf avatar apieraf commented on May 20, 2024

These are my tests and my results:

Absolute path (sonar.dependencyCheck.reportPath=D:/Proyectos/dependency-check-report.xml)

Error during Sonar runner execution
9:03:29  ERROR: Unable to execute Sonar
9:03:29  ERROR: Caused by: Can not process Dependency-Check report. Ensure the report and all dependencies being analyzed are located within the project workspace and that sonar.sources is set to reflect these paths (or set sonar.sources=.)
9:03:29  ERROR: Caused by: Unknow input path type: null

Relative path (sonar.dependencyCheck.reportPath=./dependency-check-report.xml)

09:58:56.945 INFO  - this.configuration.getReportPath: ./dependency-check-report.xml
9:58:56  09:58:56.945 INFO  - this.report = new File(path): .\dependency-check-report.xml
9:58:56  09:58:56.946 INFO  - not is absolute
9:58:56  09:58:56.946 INFO  - Report: D:\Proyectos\Subproyecto\.\dependency-check-report.xml
9:58:57  INFO: ------------------------------------------------------------------------
9:58:57  INFO: EXECUTION FAILURE
9:58:57  INFO: ------------------------------------------------------------------------
9:58:57  Total time: 43.420s
9:58:57  Final Memory: 16M/424M
9:58:57  INFO: ------------------------------------------------------------------------
9:58:57  ERROR: Error during Sonar runner execution
9:58:57  ERROR: Unable to execute Sonar
9:58:57  ERROR: Caused by: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: ./dependency-check-report.xml

Relative path (sonar.dependencyCheck.reportPath=../dependency-check-report.xml)

10:09:42  10:09:42.105 INFO  - GetAbsolutePath: D:\Proyectos\Subproyecto\..\dependency-check-report.xml
10:09:42  10:09:42.105 INFO  - GetName: dependency-check-report.xml
10:09:42  10:09:42.105 INFO  - Predicates: org.sonar.api.batch.fs.internal.AbsolutePathPredicate@219958dc
10:09:42  10:09:42.107 INFO  - Begin addIssueCVE-2014-3677
10:09:42  10:09:42.108 INFO  - Begin resourcePerspectivesnullEnd resourcePerspectives
10:09:42  10:09:42.108 INFO  - Begin addIssues in analyse (done) | time=29ms
10:09:42  INFO: ------------------------------------------------------------------------
10:09:42  INFO: EXECUTION FAILURE
10:09:42  INFO: ------------------------------------------------------------------------
10:09:42  Total time: 1:28.227s
10:09:42  Final Memory: 21M/442M
10:09:42  INFO: ------------------------------------------------------------------------
10:09:42  ERROR: Error during Sonar runner execution
10:09:42  ERROR: Unable to execute Sonar
10:09:42  ERROR: Caused by: Can not process Dependency-Check report. Ensure the report and all dependencies being analyzed are located within the project workspace and that sonar.sources is set to reflect these paths (or set sonar.sources=.)
10:09:42  ERROR: Caused by: Unknow input path type: null

Absolute path (sonar.dependencyCheck.reportPath=${WORKSPACE}/dependency-check-report.xml)

this.configuration.getReportPath: ${WORKSPACE}/dependency-check-report.xml
10:52:04  10:52:04.253 INFO  - this.report = new File(path): ${WORKSPACE}\dependency-check-report.xml
10:52:04  10:52:04.253 INFO  - not is absolute
10:52:04  10:52:04.254 INFO  - Report: D:\Proyectos\${WORKSPACE}\dependency-check-report.xml
10:52:04  INFO: ------------------------------------------------------------------------
10:52:04  INFO: EXECUTION FAILURE
10:52:04  INFO: ------------------------------------------------------------------------
10:52:04  Total time: 16.922s
10:52:04  Final Memory: 23M/447M
10:52:04  INFO: ------------------------------------------------------------------------
10:52:04  ERROR: Error during Sonar runner execution
10:52:04  ERROR: Unable to execute Sonar
10:52:04  ERROR: Caused by: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml

Relative path (sonar.dependencyCheck.reportPath=dependency-check-report.xml)

11:00:50.759 INFO  - this.configuration.getReportPath: dependency-check-report.xml
11:00:50  11:00:50.759 INFO  - this.report = new File(path): dependency-check-report.xml
11:00:50  11:00:50.759 INFO  - not is absolute
11:00:50  11:00:50.759 INFO  - Report: D:\Proyectos\Subproyecto\dependency-check-report.xml
11:00:51  INFO: ------------------------------------------------------------------------
11:00:51  INFO: EXECUTION FAILURE
11:00:51  INFO: ------------------------------------------------------------------------
11:00:51  Total time: 16.529s
11:00:51  Final Memory: 18M/432M
11:00:51  INFO: ------------------------------------------------------------------------
11:00:51  ERROR: Error during Sonar runner execution
11:00:51  ERROR: Unable to execute Sonar
11:00:51  ERROR: Caused by: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: dependency-check-report.xml

stevespringett avatar stevespringett commented on May 20, 2024

@apieraf By default, SonarQube does not analyze XML files. Therefore you can do one of two things:

  1. Install the SonarQube XML plugin from the Update Center.
    or
  2. Set sonar.import_unknown_files = true. This option is under the menu Settings -> Exclusions -> Files.

Once you do either of these, SonarQube is now capable of analyzing XML files and therefore will honor the analysis of the Dependency-Check XML report.

apieraf avatar apieraf commented on May 20, 2024

Hi @stevespringett,

I installed the XML plugin and configured SonarQube with the property, and I get the same results.

amandel avatar amandel commented on May 20, 2024

I'm trying the listed suggestions by trial and error. This is really painful. After setting <sonar.sources>src/main,pom.xml,target/dependency-check-report.xml</sonar.sources> the build fails because not all modules contain the src/main directory. Maybe a sonar.additionalSources property could help? <sonar.additionalSources>target/dependency-check-report.xml</sonar.additionalSources>

Currently I've no clue how to set this up properly in my maven build.

stevespringett avatar stevespringett commented on May 20, 2024

@amandel The Sonar convention for modules is MODULE.property. So if the module is named 'commons', the corresponding Sonar property would be commons.sonar.sources.

stevespringett avatar stevespringett commented on May 20, 2024

I'll put together some working example projects this week and post them into the GitHub repo:

  • Single module Java/Maven project
  • Multi module Java/Maven project
  • Single module command line project (useful for any language)
  • Jenkins plugin configuration screenshots

amandel avatar amandel commented on May 20, 2024

@stevespringett Thanks for your feedback and for putting this plugin together. I'm not sure how your hint can help me. Do you suggest giving a dedicated source path (sonar.source) per module?

apieraf avatar apieraf commented on May 20, 2024

Hi @stevespringett,

Could you test the plugin with C# projects?

Thanks in advance

rigoford avatar rigoford commented on May 20, 2024

@stevespringett, thanks for the examples you've just posted. I'm attempting to use your plugin in a Scala-based module, which I wouldn't expect to make a difference. Unfortunately I'm getting an 'input path type: null' failure.

I've pushed an example Scala module to my fork: https://github.com/rigoford/dependency-check-sonar-plugin/tree/input_path_type_failure/examples/single-scala-module-maven. I'd be grateful for any advice.

Many thanks

stevespringett avatar stevespringett commented on May 20, 2024

@rigoford SonarQube doesn't support Scala out of the box. Providing a supported language for the value sonar.language such as php, cs, or grvy works fine.

rigoford avatar rigoford commented on May 20, 2024

Thanks for that @stevespringett. I knew Scala wasn't supported by SonarQube (it isn't even on their roadmap :-(), but I wasn't expecting that to matter since your plugin reads the Dependency-Check XML file. Just removing sonar.language means it works fine.

Many thanks for the prompt response and for developing a very useful plugin.

stevespringett avatar stevespringett commented on May 20, 2024

Closing. If there are additional issues, please open new tickets.