fcloud (Fabien Cloud), February 21, 2023, 9:43am, #1
Hello,
I’m trying to ingest Checkov reports in my SonarQube Enterprise 9.9, but whatever I try never seems to work.
I run a GitLab CI job that generates the report, using this command:
# in checkov.sh
checkov \
  --framework terraform \
  --directory iac \
  -o cli -o json \
  --output-file-path console,"reports/checkov.json"
I then export the report as an artifact of the job in the .gitlab-ci.yml file:
test:checkov:
  stage: checkov
  image:
    name: gcr.io/gbl-ist-ve-gitlabrunner/checkov:latest
    entrypoint: [""]
  script:
    - ./checkov.sh
  artifacts:
    paths:
      - reports/checkov.json
    when: always
  allow_failure: true
I have another job that then performs the Sonar scan:
sonar:
  stage: test:technical:post
  image: gcr.io/gbl-ist-ve-gitlabrunner/sonar:latest
  script:
    - ./sonar.sh
And sonar.sh just runs sonar-scanner, using a sonar-project.properties that contains:
sonar.checkov.reportFiles=reports/checkov.json
In the sonar-scanner logs I see this:
INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process iac reports
WARN: Missing property:sonar.cfn.nag.reportFiles
INFO: sonar.checkov.reportFiles=reports/checkov.json
INFO: Processing checkov :reports/checkov.json
WARN: Processing checkov:reports/checkov.json missing
INFO: Process iac reports (done) | time=6ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=6ms
But I’ve checked many times and the checkov.json file does exist! Is Sonar not able to read it for some reason? Or am I missing something?
Thanks for the help.
Hi @fcloud ,
Welcome to the community. SonarQube itself does not support Checkov reports out of the box. It looks like you are using a third-party plugin (sonar-cloudformation-plugin). I would recommend contacting the plugin maintainer, but it looks like the plugin is already EOL.
However, SonarQube does allow you to import generic reports or reports in SARIF format. Checkov can export results in SARIF format. So please refer to this documentation to import problems from checkov.
Best,
Nils
fcloud (Fabien Cloud), February 22, 2023, 4:23pm, #4
Hi Nils,
Thanks for the feedback. I followed your advice and switched to using the sarifReportPaths parameter.
The Sonar scan logs looked encouraging:
INFO: Sensor Import external issues report from SARIF file.
INFO: File services/app-iac/reports/checkov.sarif: successfully imported 13 vulnerabilities spread in 1 runs. 0 failed run(s).
INFO: Sensor Import external issues report from SARIF file. (done) | time=30ms
But nothing ever appeared in my SonarQube dashboard, either under Vulnerabilities or anywhere else.
At least, while I was working on a feature branch. When I merged to my main branch, all the issues suddenly appeared in Vulnerabilities in the main branch dashboard of my project.
Is there some kind of limitation, or am I missing some extra configuration? I didn’t see anything related in the link you sent.
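Added example, not part of the thread and not code from Checkov or SonarQube: a small Python checker that reads a SARIF 2.1.0 file and counts runs, results, severity levels, rule IDs and located files, so the numbers can be compared with the scanner's "successfully imported N vulnerabilities spread in M runs" line before running sonar-scanner. The embedded document is a constructed sample shaped like a Checkov SARIF export; the rule IDs, file path and line numbers in it are sample values.

```python
import json
from collections import Counter

# Constructed sample shaped like a Checkov SARIF 2.1.0 export (not real scan
# output): two findings on one Terraform file plus one result with no location.
LOC = {"physicalLocation": {"artifactLocation": {"uri": "iac/s3.tf"},
                            "region": {"startLine": 1, "endLine": 12}}}
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Checkov"}},
        "results": [
            {"ruleId": "CKV_AWS_18", "level": "error", "locations": [LOC],
             "message": {"text": "Ensure the S3 bucket has access logging enabled"}},
            {"ruleId": "CKV_AWS_21", "level": "warning", "locations": [LOC],
             "message": {"text": "Ensure the S3 bucket has versioning enabled"}},
            {"ruleId": "CKV_AWS_18", "level": "error", "locations": [],
             "message": {"text": "Result with no file location"}},
        ],
    }],
})


def summarize_sarif(sarif_text: str) -> dict:
    """Count runs, results, levels, rules and files; flag results with no location."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs", [])
    summary = {"runs": len(runs), "results": 0, "by_level": Counter(),
               "by_rule": Counter(), "files": set(), "without_location": 0}
    for run in runs:
        for result in run.get("results", []):
            summary["results"] += 1
            # SARIF treats a missing "level" as "warning".
            summary["by_level"][result.get("level", "warning")] += 1
            summary["by_rule"][result.get("ruleId", "<no ruleId>")] += 1
            uris = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                    for loc in result.get("locations", [])]
            uris = [u for u in uris if u]
            summary["files"].update(uris)
            if not uris:
                summary["without_location"] += 1
    return summary


if __name__ == "__main__":
    s = summarize_sarif(SAMPLE_SARIF)
    print(f"{s['results']} results in {s['runs']} run(s), "
          f"{s['without_location']} without a file location, files: {sorted(s['files'])}")
```

Point summarize_sarif at the real report (for example the file named in sonar.sarifReportPaths) to check that every result carries a file path under the project's source root, since a result without a location has nothing in the project to be attached to.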
ganncamp (G Ann Campbell), February 22, 2023, 5:42pm, #7
Hi,
Was this actually a branch analysis, or a PR analysis? When the issues showed up, did they show up in New Code or in Overall Code?
Ann
fcloud (Fabien Cloud), February 22, 2023, 9:40pm, #8
Hi Ann,
It was actually a PR analysis, yes. And when merged on the main branch it showed up on the Overall code view.
Fabien
ganncamp (G Ann Campbell), February 23, 2023, 1:23pm, #9
Hi Fabien,
PR analysis only shows issues in New Code, so what you experienced is expected behavior.
Ann
fcloud (Fabien Cloud), February 23, 2023, 1:29pm, #10
Hi Ann,
Ok thanks for the feedback.
Fabien