Issue
I'm having issues with displaying vulnerabilities on SonarQube. Here are the steps I followed:
Installed dependency-check-sonar-plugin version 1.0.3 on SonarQube.
Configured dashboard to include Vulnerabilities widjet.
Generated dependency report using: mvn org.owasp:dependency-check-maven:1.3.6:check -Dformat=XML.
Report was placed into [project]/target/dependency-check-report.xml
Ran sonar task: org.codehaus.mojo:sonar-maven-plugin:2.3:sonar Task completed successfully but I don't see data in the Vulnerabilities widjet. Anyone has idea what could prevent plugin from seeing report?
Thanks in advance! Rada
Solution
To solve the issue I contacted Steve Springett, creator of the plugin. He has great end-to-end examples of how plugin should be configured.
I added <sonar.dependencyCheck.reportPath>${dependency.check.report.dir}/dependency-check-report.xml</sonar.dependencyCheck.reportPath>
to the properties of my pom and used following two plugins:
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.3.1</version>
<configuration>
<format>XML</format>
<outputDirectory>${dependency.check.report.dir}</outputDirectory>
</configuration>
</plugin>
Answered By - rada
Answer Checked By - Candace Johnson (JavaFixing Volunteer)