Comments (3)
What aspect do you want enabled/disabled. Currently, if a dependency-check report was not specified during an analysis, the portlet will not show up on the dashboard.
from dependency-check-sonar-plugin.
Sorry, to be clearer with the problem.
We use Maven as our build system. We have a top level POM that all projects use as their parent project. This project defines the following tags (relevant fragments below):
<sonar.dependencyCheck.reportPath>target/dependency-check/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
<dependency.check.report.dir>target/dependency-check</dependency.check.report.dir>
OWASP
false
org.owasp
dependency-check-maven
8
true
ALL
${dependency.check.report.dir}
aggregate
Some projects are currently built without the -P OWASP profile active and therefore aren't generating the dependency file. However when they try to publish into Sonar with your plugin active they get the following error:
[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.5:sonar (default-cli) on project ao: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: target/dependency-check/dependency-check-report.xml -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.5:sonar (default-cli) on project ao: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: target/dependency-check/dependency-check-report.xml
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:216)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:862)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:286)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:197)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: target/dependency-check/dependency-check-report.xml
at org.codehaus.mojo.sonar.bootstrap.ExceptionHandling.handle(ExceptionHandling.java:41)
at org.codehaus.mojo.sonar.bootstrap.RunnerBootstraper.execute(RunnerBootstraper.java:139)
at org.codehaus.mojo.sonar.SonarMojo.execute(SonarMojo.java:138)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
... 20 more
Caused by: Dependency-Check report does not exist. Please check property sonar.dependencyCheck.reportPath: target/dependency-check/dependency-check-report.xml
and the build fails.
I would like either to be able to turn off your sonar plugin per project in Sonar so that it doesn't generate this error or generate a warning but allow the build to continue if that file doesn't exist?
from dependency-check-sonar-plugin.
Hi Steve,
Would it be possible to release 1.0.2 with this fixed?
Thanks
Matt
from dependency-check-sonar-plugin.
Related Issues (20)
- Quality gate uses original severity of the issue, not the user assigned one HOT 7
- Can't see CVEs (vulnerabilities) on Sonar UI under Project>Issues. Used to see them in the past. Has anything changed? HOT 7
- False positive: NPM package ionicabizau/parse-url confused with parseurl HOT 2
- Examples and tests still use removed `sonar.dependencyCheck.reportPath` property HOT 5
- Cannot collspae Published Vulnerabilities in SonarQube HOT 6
- The dependency check scan is not uploading the reports when scanning a project HOT 3
- URI encoded package names do not match names in lock-file HOT 8
- Apache Log4j vulnerability HOT 3
- Support for Sonar 10.2 Software Quality Severities HOT 7
- [Quality Gates] : Owasp Dependency check HOT 1
- assets section of each release doesnt include .sha256 file HOT 1
- Integrate OWASP plugin with SonarQube from Azure Pipeline
- 9.0.2 of dependency-check plugin throws JSON parsing error with field "CvssV2.confidentialityImpact" HOT 4
- Update dependency-check-maven 9.0.X breaks Sonarqube Vulnerabilities report / JSON-Analysis aborted HOT 9
- NVD Api key config missing HOT 1
- SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource HOT 7
- Html report break sonar UI
- Issue with Documentation for 10.2+ HOT 1
- Add "DownloadOnlyWhenRequired" to packaging HOT 2
- Update 5.0.0 Release Notes to Clarify SonarQube Version Compatibility HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-check-sonar-plugin.