We try to keep it to one topic per thread. Otherwise it can get messy, fast. I’ll make a pass at these questions, but if you have followups, I reserve the right to ask you to create new threads.
Maybe not. It depends on the languages in question. For Java and C#, most of what’s needed is picked up automatically from the build environment. For the rest, you can set things that are standard across projects, like sonar.host.url in the scanner configuration and pass the rest on the analysis command line. So yes, there’s still some configuration per project, but maybe not as much…? The docs will get you started.
Ehm… it sounds like you’re interested in Security Reports, which are available starting in Enterprise Edition ($$).
You’ll find the available formats are downloadable from the UI. The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.
You are suggesting to utilize web APIs to retrieve bugs, code smells, and vulnerabilities in order to collect the data and generate our own report. This is because there isn’t an API available to download the report directly in JSON format.
The total vulnerabilities are 26, but we’re able to see 28 vulnerabilities listed under CWE IDs 611 and 827. Could you please explain why there are 28 vulnerabilities showing here, especially when both CWE IDs 611 and 827 have the same vulnerability mapping? Why is the same vulnerability mapped to different CWEs?
What you’re seeing is that 2 issues map to CWE-827 and - as you’ve observed - the same two map to CWE-611. The only error here is in adding the numbers together and expecting to find 28 distinct issues. Just like a movie can be both funny and sad, an issue can map to multiple CWEs.
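As an added illustration (not code from the thread or from SonarSource) of the two points above, building a report from the web API and why per-CWE counts don’t add up to distinct issues: the script pages through `api/issues/search` once per CWE filter and reports both the naive sum and the distinct count. It assumes the `componentKeys`, `types`, `cwe`, `p`, `ps` parameters and the `total`/`issues[].key` response fields; the fixture is constructed so it runs offline, with `http_fetch` as the real-server variant.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed fixture standing in for a server: issue keys that api/issues/search
# would return for each cwe= filter. Two issues carry both CWE-611 and CWE-827.
FIXTURE = {
    "611": ["AXk1", "AXk2"],
    "827": ["AXk1", "AXk2"],
    "79": ["AXk3"],
}

def offline_fetch(params):
    """Simulate one page of api/issues/search from the fixture (no network)."""
    keys = FIXTURE.get(params["cwe"], [])
    p, ps = params["p"], params["ps"]
    page = keys[(p - 1) * ps: p * ps]
    return {"total": len(keys), "issues": [{"key": k} for k in page]}

def http_fetch(base_url, token):
    """Real fetcher: a SonarQube token goes in as Basic-auth user, empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    def fetch(params):
        url = f"{base_url}/api/issues/search?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def issue_keys_for_cwe(cwe, fetch, project, page_size=500):
    """Page through every VULNERABILITY issue filtered on one CWE id."""
    keys, page = set(), 1
    while True:
        data = fetch({"componentKeys": project, "types": "VULNERABILITY",
                      "cwe": cwe, "p": page, "ps": page_size})
        keys.update(issue["key"] for issue in data["issues"])
        if page * page_size >= data["total"]:
            return keys
        page += 1

def cwe_report(cwes, fetch, project):
    """Per-CWE counts, their naive sum, and the number of distinct issues."""
    per_cwe = {c: issue_keys_for_cwe(c, fetch, project) for c in cwes}
    summed = sum(len(k) for k in per_cwe.values())
    distinct = len(set().union(*per_cwe.values()))
    return {c: len(k) for c, k in per_cwe.items()}, summed, distinct

if __name__ == "__main__":
    counts, summed, distinct = cwe_report(["611", "827", "79"], offline_fetch, "demo")
    print(counts, "summed:", summed, "distinct:", distinct)
```

Swap `offline_fetch` for `http_fetch("https://sonar.example", "<token>")` to run it against a real instance.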
Ann, if I need to deploy an Enterprise Edition of SonarQube via Helm charts to Kubernetes, what should I do for it? Do I need to buy a Docker image from Sonar, or how can I do that? If I obtain a Docker image, can I push it to my repo? And how do I enable the license for it? Is the Docker image configured with it or not?