About Web API questions

Could anyone please address the following:

  1. We have a few thousand repositories. Do we need to create a sonar.properties file in each of those repositories to use SonarQube?
  2. Is it possible to obtain the mapping of issues to CWE in a single API call?
  3. How can I download the report in the enterprise edition as JSON or XML format via the web API?

Hi,

Welcome to the community!

We try to keep it to one topic per thread. Otherwise it can get messy, fast. I’ll make a pass at these questions, but if you have followups, I reserve the right to ask you to create new threads.

Maybe not. It depends on the languages in question. For Java and C#, most of what’s needed is picked up automatically from the build environment. For the rest, you can set things that are standard across projects, like sonar.host.url in the scanner configuration and pass the rest on the analysis command line. So yes, there’s still some configuration per project, but maybe not as much…? The docs will get you started.

Ehm… it sounds like you’re interested in Security Reports, which are available starting in Enterprise Edition ($$).

You’ll find the available formats are downloadable from the UI. The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

HTH,
Ann

  1. I’m able to see the download option in the enterprise edition. We can download it as a PDF. How can we change the format from PDF to JSON or XML?

Hi,

There’s no way to change the formats. If you really want JSON or XML, you’ll need to use the APIs to pull the data and generate your own reports.

HTH,
Ann

You are suggesting to utilize web APIs to retrieve bugs, code smells, and vulnerabilities in order to collect the data and generate our own report. This is because there isn’t an API available to download the report directly in JSON format.

  • Ram
  1. Is there a way to retrieve CVE IDs from the SonarQube API, or do I need to install a plugin to obtain a CVE ID?

Hi,

If you want reports in other formats than PDF, you may check the report plugin from bitegarden.

It’s commercial with a 14-day trial.

There’s also a free community plugin that can create reports in different formats, but it only supports the SonarQube LTS version, not the latest version.

Gilbert

Hi,

We don’t tie issues to CVEs.

Ann

Ann, is there any way to obtain CVE IDs if we use any plugin?

  • Ram

Hi Ram,

We don’t tie rules/issues to CVEs. I can’t speak to what plugins might offer.

Ann


The total vulnerabilities are 26, but we’re able to see 28 vulnerabilities listed under CWE IDs 611 and 827. Could you please explain why there are 28 vulnerabilities showing here, especially when both CWE IDs 611 and 827 have the same vulnerability mapping? Why is the same vulnerability mapped to different CWEs?

Hi,

I can’t. Because there aren’t.

What you’re seeing is that 2 issues map to CWE-827 and - as you’ve observed - the same two map to CWE-611. The only error here is in adding the numbers together and expecting to find 28 distinct issues. Just like a movie can be both funny and sad, an issue can map to multiple CWEs.

HTH,
Ann

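Ann’s two points above, pulling the data through the Web API to build your own report and the fact that one issue can map to several CWEs, shown as an added Python example that is not part of this thread or of SonarQube’s own tooling. It assumes a user token, a project key, and the `api/issues/search` endpoint’s `components`, `types`, `facets=cwe`, `ps` and `p` parameters; the sample page at the bottom is constructed, not real scanner output.

```python
import base64
import json
import urllib.parse
import urllib.request

def fetch_issue_pages(base_url, token, project_key, page_size=500):
    """Page through api/issues/search for one project; returns the raw JSON pages.
    The token goes in HTTP basic auth with an empty password (10,000-result cap applies)."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    pages, page = [], 1
    while True:
        query = urllib.parse.urlencode({"components": project_key, "types": "VULNERABILITY",
                                        "facets": "cwe", "ps": page_size, "p": page})
        req = urllib.request.Request(f"{base_url}/api/issues/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            pages.append(json.load(resp))
        if page * page_size >= pages[-1]["paging"]["total"]:
            return pages
        page += 1

def build_report(pages):
    """Merge pages into one JSON-serialisable report. Issues are keyed by issue key, so
    each counts once; the cwe facet counts an issue once per CWE it maps to, so its
    sum can exceed the number of distinct issues (the 26-vs-28 effect in the thread)."""
    issues = {}
    for page in pages:
        for issue in page["issues"]:
            issues[issue["key"]] = {k: issue.get(k) for k in
                                    ("rule", "severity", "component", "line", "message")}
    cwe_counts = {}
    for facet in pages[0].get("facets", []):
        if facet["property"] == "cwe":
            cwe_counts = {v["val"]: v["count"] for v in facet["values"]}
    return {"distinct_vulnerabilities": len(issues), "cwe_counts": cwe_counts,
            "cwe_count_sum": sum(cwe_counts.values()), "issues": issues}

# Constructed sample page (not real SonarQube output): two issues that map to both
# CWE-611 and CWE-827 plus one mapped to CWE-79, so the facet sum is 5 for 3 issues.
SAMPLE_PAGES = [{
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "issues": [
        {"key": "AX1", "rule": "java:S0001", "severity": "BLOCKER", "line": 12,
         "component": "demo:src/Parse.java", "message": "Disable XXE."},
        {"key": "AX2", "rule": "java:S0001", "severity": "BLOCKER", "line": 40,
         "component": "demo:src/Load.java", "message": "Disable XXE."},
        {"key": "AX3", "rule": "java:S0002", "severity": "MAJOR", "line": 8,
         "component": "demo:src/Web.java", "message": "Sanitize this input."}],
    "facets": [{"property": "cwe", "values": [
        {"val": "611", "count": 2}, {"val": "827", "count": 2}, {"val": "79", "count": 1}]}]}]
```

Run `json.dumps(build_report(fetch_issue_pages(url, token, key)), indent=2)` against a live server to get the JSON report; `build_report(SAMPLE_PAGES)` shows the double counting offline.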

Ann, if I need to deploy an enterprise edition of SonarQube via Helm charts to Kubernetes, what should I do for it? Do I need to buy a Docker image from Sonar, or how can I do that? If I obtain a Docker image, can I push it to my repo? And how do I enable the license for it? Is the Docker image configured with it or not?

  • Ram

Hi Ram,

That’s an entirely different question. It deserves a different thread.

Ann