I've got a Jenkins pipeline created with the only purpose to execute static code analysis with SonarQube on a Node.js project.
My environment is like this:
- Sonar v.9.9.0.65466 (on a Windows Server)
- Jenkins v.2.387.3 (on a Windows Server)
- SonarScanner v.4.3.0.2102
- Dependency-Check v.4.0.0
The pipeline is doing this:
- pull the code from Gitlab (on a cleaned workspace)
- run "npm install --package-lock" (with a PowerShell script)
- invoke a dependency check with these arguments:
  --yarn "D:\node-v18.16.0-win-x64\node_modules\yarn\bin\yarn.cmd" --format XML --format JSON --format HTML
- execute a SonarQube scanner with the following analysis properties:
  sonar.projectKey=my-project
  sonar.projectName=My Project
  sonar.projectVersion=1.0.0
  sonar.sources=./
  #sonar.language=js
  sonar.sourceEncoding=UTF-8
  sonar.scm.disabled=true
  sonar.exclusions=**/node_modules/**,**/*.spec.ts
  sonar.dependencyCheck.jsonReportPath=dependency-check-report.json
  sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
  sonar.dependencyCheck.summarize=false
  sonar.dependencyCheck.securityHotspot=true
Everything seems to work fine:
- the dependency-check-report.json .html .xml are produced, their contents make sense
- the scan result is pushed on sonar
- the dependency-check-report.html is visible by clicking at More > Dependency check in Sonar
But... the vulnerabilities are not listed within the project issues.
In the logs (I've enabled debug messages for the scanner) I saw these (relevant?) lines:
...
[INFO] Writing report to: D:\Jenkins\workspace\XXX\SONAR API\.\dependency-check-report.xml
[INFO] Writing report to: D:\Jenkins\workspace\XXX\SONAR API\.\dependency-check-report.json
[INFO] Writing report to: D:\Jenkins\workspace\XXX\SONAR API\.\dependency-check-report.html
...
[SONAR API] $ D:\Jenkins\tools\hudson.plugins.sonar.SonarRunnerInstallation\SonarScanner\bin\sonar-scanner.bat -X -Dsonar.host.url=https://xxxx.xxxxx.xx ******** -Dsonar.sourceEncoding=UTF-8 "-Dsonar.projectName=XXX" "-Dsonar.projectDescription=XXX" -Dsonar.projectVersion=1.0.0 -Dsonar.sources=./ -Dsonar.dependencyCheck.htmlReportPath=dependency-check-report.html -Dsonar.dependencyCheck.securityHotspot=true -Dsonar.exclusions=**/node_modules/**,**/*.spec.ts -Dsonar.projectKey=XXX -Dsonar.dependencyCheck.jsonReportPath=dependency-check-report.json -Dsonar.scm.disabled=true -Dsonar.dependencyCheck.summarize=false "-Dsonar.projectBaseDir=D:\Jenkins\workspace\XXX\SONAR API"
...
18:54:25.906 DEBUG: Sensors : Dependency-Check -> Analysis Warnings import -> Zero Coverage Sensor
18:54:25.907 INFO: Sensor Dependency-Check [dependencycheck]
18:54:25.907 INFO: Process Dependency-Check report
18:54:25.908 INFO: Using JSON-Reportparser
...
18:54:26.628 INFO: Upload Dependency-Check HTML-Report
18:54:27.152 INFO: Process Dependency-Check report (done) | time=1244ms
18:54:27.152 INFO: Sensor Dependency-Check [dependencycheck] (done) | time=1245ms
18:54:28.248 INFO: Analysis report generated in 902ms, dir size=38.8 MB
18:54:29.397 INFO: Analysis report compressed in 1148ms, zip size=5.9 MB
18:54:29.397 INFO: Analysis report generated in D:\Jenkins\workspace\XXX\SONAR API\.scannerwork\scanner-report
18:54:29.397 DEBUG: Upload report
18:54:29.810 DEBUG: POST 200 https://xxxxxxxxxxxxxxx/api/ce/submit?projectKey=xxx&projectName=xxx | time=412ms
18:54:29.813 INFO: Analysis report uploaded in 416ms
18:54:29.817 DEBUG: Report metadata written to D:\Jenkins\workspace\xxx\SONAR API\.scannerwork\report-task.txt
18:54:29.817 INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://xxxxxxxxxxxxxxx
...
18:54:37.955 INFO: EXECUTION SUCCESS
No error or warn logs.
If I open the code section in Sonar, I can see the dependency-check-report.xml and the dependency-check-report.html on the root folder, but not the dependency-check-report.json. Strange (since all of them are present in the Jenkins workspace folder).
Is it possible to get the vulnerabilities directly within the project issues? What do I need to do?
Thanks, AB
I'm expecting to get the list of vulnerabilities populated with the libraries to be updated, like I'm getting with other Maven projects.
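An added check, not part of the question above: before looking at the SonarQube side, confirm that the dependency-check-report.json the Dependency-Check sensor parses actually contains vulnerability entries. The script assumes the Dependency-Check JSON layout (top-level "dependencies", each with "fileName", "packages" and an optional "vulnerabilities" list) and ships with a constructed sample report; pass a real report path as the first argument to summarize it instead.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like a Dependency-Check JSON report (assumed layout);
# the CVE names are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "lodash:4.17.15",
         "packages": [{"id": "pkg:npm/lodash@4.17.15"}],
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "HIGH"},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}]},
        {"fileName": "express:4.18.2",
         "packages": [{"id": "pkg:npm/express@4.18.2"}]},
    ],
})


def summarize_report(report_text):
    """Return the vulnerable dependencies (with finding counts) and a
    severity histogram; an empty result means the sensor had nothing to import."""
    report = json.loads(report_text)
    by_dependency = {}
    by_severity = Counter()
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue  # clean dependency, nothing for SonarQube to show
        by_dependency[dep["fileName"]] = len(vulns)
        for vuln in vulns:
            by_severity[str(vuln.get("severity", "UNKNOWN")).upper()] += 1
    return {"vulnerable_dependencies": by_dependency,
            "by_severity": dict(by_severity)}


def load_and_summarize(path):
    """Summarize a report file from disk (e.g. the Jenkins workspace copy)."""
    with open(path, encoding="utf-8") as fh:
        return summarize_report(fh.read())


if __name__ == "__main__":
    result = (load_and_summarize(sys.argv[1]) if len(sys.argv) > 1
              else summarize_report(SAMPLE_REPORT))
    print(json.dumps(result, indent=2))
```

If the summary is empty for the real report, the gap is upstream of SonarQube (scanner flags, lockfile, or the yarn path); if it lists findings, the import settings on the Sonar side are where to look next.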