10.5 : Dependency Check Critical CVEs ignored in Security rating

Hi!

We recently upgraded SonarQube from 9.9 to 10.5. We’re using Dependency-check (latest version of the plugin).

Previously, when we had critical CVEs raised by Dependency Check, the Security rating was “E” (= at least 1 critical issue).

After the 10.5 upgrade, the same project with the exact same Dependency Check report will now have a Security rating “C” instead of “E”. And it says “C” is “at least 1 medium issue”. The critical CVEs seem to be totally ignored.

Is this a bug or wanted behavior?

Thank you,
Isabelle


Hey there.

This is probably a good question for the maintainers of the plugin, who did some work to adapt to our new Software Quality/Impact system late last year.

We aren’t users of the plugin, but maybe something changed in the default configuration.