An alternative for Marking as false positive when using third party scanners

Hey SonarQube Community!
I’m currently using SonarQube v8.8 and third-party scanners like gitleaks and semgrep.
Whenever I send a report from one of the third-party scanners to SonarQube, the issue cannot be marked as FP (False Positive).

Adding some more information - we are using the external scanners to get the result and format the report to the generic issue import format.

After reading the Sonar docs, I’ve noticed that there is no way to mark an external issue as FP.
Can anyone maybe suggest an alternative for this need?

Hi,

Welcome to the community!

You’re right; there’s no way to manage external issues within SonarQube. The thinking is that the configuration for those issues is managed externally to SonarQube and so it doesn’t make sense to manage the issues internally.

 
HTH,
Ann
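One way to manage false positives outside SonarQube, as the answer above describes, is to drop reviewed findings from the generic issue import report before it is sent. The sketch below is an added example, not part of the original posts or of SonarQube: the rule IDs, file paths and suppression-list layout are constructed, and the report fields follow the generic issue import format (`engineId`, `ruleId`, `primaryLocation`).

```python
import json

# Constructed sample report in the generic issue import format.
REPORT = {"issues": [
    {"engineId": "gitleaks", "ruleId": "example-secret", "severity": "CRITICAL",
     "type": "VULNERABILITY", "primaryLocation": {
         "message": "Possible secret", "filePath": "tests/fixtures/dummy.env",
         "textRange": {"startLine": 3}}},
    {"engineId": "gitleaks", "ruleId": "example-secret", "severity": "CRITICAL",
     "type": "VULNERABILITY", "primaryLocation": {
         "message": "Possible secret", "filePath": "src/config.py",
         "textRange": {"startLine": 12}}},
    {"engineId": "semgrep", "ruleId": "example-exec", "severity": "MAJOR",
     "type": "VULNERABILITY", "primaryLocation": {
         "message": "Use of exec", "filePath": "src/run.py",
         "textRange": {"startLine": 40}}},
]}

# Hypothetical suppression list, kept in version control and reviewed like code.
SUPPRESSIONS = [
    {"engineId": "gitleaks", "ruleId": "example-secret",
     "filePath": "tests/fixtures/dummy.env", "reason": "dummy value for unit tests"},
    # No justification recorded, so this entry is ignored and the finding stays.
    {"engineId": "semgrep", "ruleId": "example-exec",
     "filePath": "src/run.py", "startLine": 40, "reason": ""},
]

def is_suppressed(issue, suppressions):
    """Match on exact engine, rule and file; startLine narrows further if given."""
    loc = issue["primaryLocation"]
    line = loc.get("textRange", {}).get("startLine")
    for s in suppressions:
        if not s.get("reason", "").strip():
            continue  # every suppression must carry a written justification
        if ((s["engineId"], s["ruleId"], s["filePath"]) ==
                (issue["engineId"], issue["ruleId"], loc["filePath"])
                and s.get("startLine") in (None, line)):
            return True
    return False

def filter_report(report, suppressions):
    """Return (report to import, dropped issues) so the drops can be logged."""
    kept, dropped = [], []
    for issue in report["issues"]:
        (dropped if is_suppressed(issue, suppressions) else kept).append(issue)
    return {"issues": kept}, dropped

if __name__ == "__main__":
    filtered, dropped = filter_report(REPORT, SUPPRESSIONS)
    print(json.dumps(filtered, indent=2))
    print(f"suppressed {len(dropped)} finding(s)")
```

Matching on exact file paths rather than patterns keeps each suppression narrow, and logging the dropped list leaves an audit trail of what was hidden from the import.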

Thanks for the quick response!
Do you know if this feature is going to be added despite that fact in the near future?

The thinking is that the configuration for those issues is managed externally

There was talk of that at one point, but it died down and AFAIK hasn’t been resurrected.

 
:woman_shrugging:
Ann
