Jenkins, Gradle : How to publish Dependency report to Sonar Dashboard

Question

Currently we're using Jenkins free style job for Gradle project and using following commands to run Sonar and Dependencycheck

./gradlew clean build sonarqube dependencyCheckAnalyze \

and I'm getting following message

Analyzing /opt/jenkins_slave_home/workspace/AA/package-lock.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check Generating report for project AA_ArbitraryBuild Found 0 vulnerabilities in project AA

and we can able to see a file inside "ws/build/reports/" but it dint scanned anything.

Following are the "build.gardle" file

buildscript {
    repositories {
        maven { url artifactoryRepoUrl }
        mavenCentral()
    }
    dependencies {
        classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7'
        classpath 'org.owasp:dependency-check-gradle:6.0.3'
    }
}

apply plugin: 'org.sonarqube'
apply plugin: 'org.owasp.dependencycheck'

sonarqube {
    properties {
        property 'sonar.projectName', sonarProjectName
        property 'sonar.projectKey', sonarProjectKey
        property 'sonar.host.url', sonarHostUrl
        property 'sonar.login', sonarAuthToken
        property 'sonar.dependencyCheck.reportPath', sonarDependencyCheckReport
        property 'sonar.dependencyCheck.htmlReportPath', sonarDependencyCheckHTMLReport
    }
}

Can you plz help on what are the additional steps that I need to add.

Answer 1

You've got all you need to push result to sonar. Make sure that you provide right path for your owasp vulnerabilities report for sonar plugin. It's sonar.dependencyCheck.reportPath and should point to build/reports directroy, and if you produce html report file you can point it with sonar.dependencyCheck.htmlReportPath.