Azure DevOps (VSTS) - cant find dependency check report in plain sight

SQ VSTS/Azure DevOps plugin 4.6.2

Description:
When scanning an app with multiple modules, I am having issues with the SQ plug-in finding the Dependency Check reports. I can look at the build server and I see the report files in the base directory (C:\agent_work\1185\s – C:\agent_work\1185\s\dependency-check-report.xml and C:\agent_work\1185\s\dependency-check-report.html). However it is saying it cant find them. I don’t see what the $WORKSPACE variable is though even when I have it set to debug and I get much more verbose output.

Output:

##[section]Starting: Run Code Analysis
==============================================================================
Task         : Run Code Analysis
Description  : Run scanner and upload the results to the SonarQube server.
Version      : 4.6.2
Author       : sonarsource
Help         : This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.

[More Information](http://redirect.sonarsource.com/doc/install-configure-scanner-tfs-ts.html)
==============================================================================

   [... scans of other modules in this app happen here ...]

INFO: -------------  Scan APPLNAME
INFO: Base dir: C:\agent\_work\1185\s
INFO: Working dir: c:\agent\_work\1185\.sonarqube\out\.sonar
INFO: Index files
INFO: Excluded sources: 
INFO:   **/jquery-*.js
INFO:   **/ext.js
INFO:   **/kendo*.js
INFO:   **/bootstrap.js
INFO:   **/*-vsdoc.js
INFO:   **/jquery.js
INFO:   **/jquery.*.js
INFO:   **/modernizr-*.js
INFO:   **/respond.js
INFO: 0 files indexed
INFO: 0 files ignored because of inclusion/exclusion patterns
INFO: Sensor OWASP Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml
INFO: Process Dependency-Check report (done) | time=0ms
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.html
INFO: Sensor OWASP Dependency-Check [dependencycheck] (done) | time=0ms

Hi,

Do you have setup this property somewhere on your side ?

Instead of using WORKSPACE, you can use Agent.BuildDirectory environment variable, which is recognize in your Azure DevOps agent context, and then work with stars to have something like this :

sonar.dependencyCheck.reportPath=${Agent.BuildDirectory}/**/dependency-check-report.html

Mickaël